{
"stig": {
"date": "2014-01-14",
"description": "This STIG include the Database Installation checks for an Oracle 11G database installation.",
"findings": {
"V-15102": {
"checkid": "C-29190r1_chk",
"checktext": "If the database being reviewed is not a production database, this check is Not a Finding.\n\nInterview the auditor or IAO to determine if an automated tool or procedure is used to report audit trail data. If an automated tool or procedure is not used, this is a Finding.",
"description": "Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way.",
"fixid": "F-26206r1_fix",
"fixtext": "Develop, document and implement database or host system procedures to report audit trail data in a form usable to detect unauthorized access to or usage of DBMS privileges, procedures or data.\n\nYou may also want to consider procuring a third-party auditing tool like Oracle Audit Vault with support for Oracle and other DBMS products within your environment.\n\nNOTE: Audit data may contain sensitive information. The use of a single repository for audit data should be protected at the highest level based on the sensitivity of the databases being audited.",
"iacontrols": [
"ECRG-1"
],
"id": "V-15102",
"ruleID": "SV-24670r1_rule",
"severity": "medium",
"title": "Automated notification of suspicious activity detected in the audit trail should be implemented.",
"version": "DG0083-ORACLE11"
},
"V-15103": {
"checkid": "C-29379r1_chk",
"checktext": "Review evidence or operation of an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.\n\nIf the requirements listed above are not fully met, this is a Finding.",
"description": "Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe.",
"fixid": "F-26404r1_fix",
"fixtext": "Develop or procure, document and implement an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.",
"iacontrols": [
"ECAT-2"
],
"id": "V-15103",
"ruleID": "SV-24815r1_rule",
"severity": "medium",
"title": "An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.",
"version": "DG0161-ORACLE11"
},
"V-15104": {
"checkid": "C-29385r1_chk",
"checktext": "If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.\n\nIf no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.\n\nIf encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification.\n\nIt may be necessary to review network device configuration evidence or host communications configuration evidence.\n\nIf the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.",
"description": "Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.",
"fixid": "F-26410r1_fix",
"fixtext": "Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan and AIS Functional Architecture documentation.\n\nDocument acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.\n\nHave the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.",
"iacontrols": [
"ECCT-1",
"ECCT-2"
],
"id": "V-15104",
"ruleID": "SV-24821r1_rule",
"severity": "high",
"title": "Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.",
"version": "DG0167-ORACLE11"
},
"V-15105": {
"checkid": "C-24315r1_chk",
"checktext": "Review definitions and access restrictions to objects stored outside of DBMS control.\n\nView object application data types defined in the database, but stored outside of the DBMS.\n\nView data objects that include host file and directory references in their definitions.\n\nIf any external objects exist that are not referenced and authorized in the System Security Plan, this is a Finding.",
"description": "Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.",
"fixid": "F-25686r1_fix",
"fixtext": "Evaluate the associated risk in allowing access to external objects.\n\nConsider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function.\n\nWhere feasible, modify the application to use only objects stored internally to the database.\n\nWhere not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects.",
"iacontrols": [
"ECLP-1"
],
"id": "V-15105",
"ruleID": "SV-24750r1_rule",
"severity": "medium",
"title": "Unauthorized access to external database objects should be removed from application user roles.",
"version": "DG0120-ORACLE11"
},
"V-15106": {
"checkid": "C-29192r1_chk",
"checktext": "Review documented procedures and implementation evidence of DBA role privilege monitoring.\n\nIf procedures are not documented or noted in the System Security Plan or are not complete, this is a Finding.\n\nIf evidence of implementation for monitoring does not exist, this is a Finding.\n\nIf monitoring does not occur monthly (~30 days) or more often, this is a Finding.",
"description": "Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. Monitoring assigned privileges assists in the detection of unauthorized privilege assignment. The DBA role is assigned privileges that allow DBAs to modify privileges assigned to them. Ensure that the DBA Role is monitored for any unauthorized changes.",
"fixid": "F-26208r1_fix",
"fixtext": "Design, document and implement procedures for monitoring DBA role privilege assignments.\n\nGrant the DBA role the minimum privileges required to perform administrative functions.\n\nEstablish monitoring of DBA role privileges monthly or more often.",
"iacontrols": [
"ECLP-1"
],
"id": "V-15106",
"ruleID": "SV-24675r1_rule",
"severity": "medium",
"title": "DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.",
"version": "DG0086-ORACLE11"
},
"V-15107": {
"checkid": "C-24212r1_chk",
"checktext": "Review DBMS accounts with elevated permissions (accounts granted ROLE permissions, DBA accounts, SCHEMA accounts, etc.).\n\nIf any accounts are not documented and authorized for RESTORE permissions, this is a Finding.",
"description": "Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.",
"fixid": "F-20422r1_fix",
"fixtext": "Utilize DBMS roles that are authorized for database restore functions.\n\nRestrict assignment of restore privileges.\n\nAssign DBMS restoration roles only to authorized DBMS accounts.\n\nDocument assignments in the System Security Plan.",
"iacontrols": [
"ECLP-1"
],
"id": "V-15107",
"ruleID": "SV-24635r1_rule",
"severity": "medium",
"title": "DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.",
"version": "DG0063-ORACLE11"
},
"V-15108": {
"checkid": "C-29401r1_chk",
"checktext": "If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding.\n\nReview policy and procedures documented or noted in the System Security Plan and evidence of monitoring of developer privileges on shared development and production DBMS and DBMS host systems.\n\nIf developer privileges are not monitored every three months or more frequently, this is a Finding.\n\nNOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.",
"description": "The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.",
"fixid": "F-26426r1_fix",
"fixtext": "Develop, document and implement procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often.\n\nRecommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.",
"iacontrols": [
"ECPC-1",
"ECPC-2"
],
"id": "V-15108",
"ruleID": "SV-24840r1_rule",
"severity": "medium",
"title": "Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.",
"version": "DG0194-ORACLE11"
},
"V-15109": {
"checkid": "C-29403r1_chk",
"checktext": "If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding.\n\nReview OS DBA group membership.\n\nIf any developer accounts as identified in the System Security Plan have been assigned DBA privileges, this is a Finding.\n\nNOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.",
"description": "Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities.",
"fixid": "F-26428r1_fix",
"fixtext": "Create separate DBMS host OS groups for developer and production DBAs.\n\nDo not assign production DBA OS group membership to accounts used for development.\n\nRemove development accounts from production DBA OS group membership.\n\nRecommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.",
"iacontrols": [
"ECPC-1",
"ECPC-2"
],
"id": "V-15109",
"ruleID": "SV-24842r1_rule",
"severity": "medium",
"title": "DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.\n",
"version": "DG0195-ORACLE11"
},
"V-15110": {
"checkid": "C-29143r1_chk",
"checktext": "Review documented and implemented procedures for monitoring the use of the DBMS software installation account in the System Security Plan.\n\nIf use of this account is not monitored or procedures for monitoring its use do not exist or are incomplete, this is a Finding.\n \nNOTE: On Windows systems, The Oracle DBMS software is installed using an account with administrator privileges. Ownership should be reassigned to a dedicated OS account used to operate the DBMS software. If monitoring does not include all accounts with administrator privileges on the DBMS host, this is a Finding.",
"description": "The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.",
"fixid": "F-26152r1_fix",
"fixtext": "Develop, document and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account.\n\nHost system audit logs should be included in the DBMS account usage log along with an indication of the person who accessed the account and an explanation for the access.\n\nEnsure all accounts with administrator privileges are monitored for DBMS host on Windows OS platforms.",
"iacontrols": [
"ECLP-1"
],
"id": "V-15110",
"ruleID": "SV-24377r1_rule",
"severity": "medium",
"title": "Use of the DBMS installation account should be logged.",
"version": "DG0041-ORACLE11"
},
"V-15111": {
"checkid": "C-29145r1_chk",
"checktext": "Review the DBMS account usage log for use of the Oracle DBMS software installation account.\n\nInterview personnel authorized to access the DBMS software installation account to ask how the account is used.\n\nIf any usage of the account is to support daily operations or general DBA responsibilities, this is a Finding.\n \nNOTE: On Windows systems, the Oracle DBMS software is installed using an account with administrator privileges. Ownership should be reassigned to a dedicated OS account used to operate the DBMS software. Except where a change in ownership is made to files/directories during a software update, any check results are not a Finding.",
"description": "The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS.",
"fixid": "F-26154r1_fix",
"fixtext": "Develop, document, implement procedures, and train authorized users to restrict usage of the DBMS software installation account for DBMS software installation, upgrade and maintenance only where applicable.\n\nFor Windows systems, reapplication of the fix for Check DG0019 may be necessary to reestablish correct file/directory ownership.",
"iacontrols": [
"ECLP-1"
],
"id": "V-15111",
"ruleID": "SV-24379r1_rule",
"severity": "medium",
"title": "Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.",
"version": "DG0042-ORACLE11"
},
"V-15112": {
"checkid": "C-29194r1_chk",
"checktext": "Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance.\n\nThis should include periodic, unannounced, in-depth monitoring and provide for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled and conducted.\n\nTesting is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.\n\nThe results for Classified systems are required to be independently validated.\n\nIf the requirments listed above are not being met, this is a Finding.",
"description": "The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, then it can be vulnerable to attack or compromise.",
"fixid": "F-26210r1_fix",
"fixtext": "Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check.\n\nCoordinate 3rd-party validation testing for Classified systems.",
"iacontrols": [
"ECMT-1",
"ECMT-2"
],
"id": "V-15112",
"ruleID": "SV-24678r1_rule",
"severity": "low",
"title": "The DBMS should be periodically tested for vulnerability management and IA compliance.",
"version": "DG0088-ORACLE11"
},
"V-15116": {
"checkid": "C-29388r1_chk",
"checktext": "If the DBMS host being reviewed is not a production DBMS host, this check is Not a Finding.\n\nReview evidence of security hardening and auditing of the DBMS host platform with the IAO.\n\nIf the DBMS host platform has not been hardened and received a security audit, this is a Finding.\n\nReview evidence of security hardening and auditing for all application(s) that store data in the database and all other separately configured components that access the database including web servers, application servers, report servers, etc.\n\nIf any have not been hardened and received a security audit, this is a Finding.\n\nReview evidence of security hardening and auditing for all application(s) installed on the local DBMS host where security hardening and auditing guidance exists.\n\nIf any have not been hardened and received a security audit, this is a Finding.",
"description": "The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.",
"fixid": "F-26414r1_fix",
"fixtext": "Configure all related application components and the DBMS host platform in accordance with the applicable DoD STIG.\n\nRegularly audit the security configuration of related applications and the host platform to confirm continued compliance with security requirements.",
"iacontrols": [
"ECSC-1"
],
"id": "V-15116",
"ruleID": "SV-24823r1_rule",
"severity": "medium",
"title": "The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.",
"version": "DG0175-ORACLE11"
},
"V-15117": {
"checkid": "C-29390r1_chk",
"checktext": "Oracle audit events are logged to error logs, trace files, host system logs and may be stored in database tables.\n\nFor each Oracle database on the host, determine the location of the database audit trail.\n\nFrom SQL*Plus:\n\n select value from v$parameter where name = 'audit_trail';\n\nIf the audit trail is directed to database tables (DB*), ensure the audit table data is included in the database backups.\n\nBackups of host system log files are covered in host system security reviews and are not covered here.\n\nOther Oracle log files include:\n\n- Listener trace file (specified in the listener.ora file)\n- SQLNet trace file (specified in the sqlnet.ora file)\n- Oracle database alert and trace files (specified in Oracle parameters):\n -- audit_file_dest\n -- db_recovery_file_dest\n -- diagnostic_dest \u2013 11.1 and higher\n -- log_archive_dest\n -- log_archive_dest_n\n\nIf evidence of inclusion of all audit log files in regular DBMS or host backups does not exist, this is a Finding.",
"description": "DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.",
"fixid": "F-26416r1_fix",
"fixtext": "Document and implement locations of trace, log and alert locations in the System Security Plan.\n\nInclude all trace, log and alert files in regular backups.",
"iacontrols": [
"ECTB-1"
],
"id": "V-15117",
"ruleID": "SV-24825r1_rule",
"severity": "medium",
"title": "The DBMS audit logs should be included in backup operations.",
"version": "DG0176-ORACLE11"
},
"V-15118": {
"checkid": "C-29377r1_chk",
"checktext": "If remote administrative access to the database is prohibited and is disabled (See Check DG0093), this check is Not a Finding.\n\nReview policy, procedure and evidence of implementation for monitoring of remote administrative access to the database.\n\nIf monitoring procedures for remote administrative access are not documented or implemented, this is a Finding.",
"description": "Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to instate increased monitoring of this access to detect any abuse or compromise.",
"fixid": "F-26402r1_fix",
"fixtext": "Develop, document and implement policy and procedures to monitor remote administrative access to the DBMS.\n\nThe automated generation of a log report with automatic dissemination to the IAO/IAM may be used.\n\nRequire and store an acknowledgement of receipt and confirmation of review for the log report.",
"iacontrols": [
"EBRP-1"
],
"id": "V-15118",
"ruleID": "SV-24810r1_rule",
"severity": "medium",
"title": "Remote administrative access to the database should be monitored by the IAO or IAM.",
"version": "DG0159-ORACLE11"
},
"V-15120": {
"checkid": "C-29161r1_chk",
"checktext": "Review documented backup and restoration procedures to determine ownership and access during all phases of backup and recovery.\n\nReview file protections assigned to online backup and restoration files and tools.\n\nReview access, physical security protections and documented procedures for offline backup and restoration files and tools.\n\nIf implementation evidence indicates that backup or restoration files are subject to corruption, unauthorized access or physical loss, this is a Finding.",
"description": "Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation.",
"fixid": "F-26173r1_fix",
"fixtext": "Develop, document and implement protection for backup and restoration files.\n\nDocument personnel and the level of access authorized for each to backup and restoration files and tools.\n\nIn addition to physical and host system protections, consider other methods including password protection of the files.",
"iacontrols": [
"COBR-1"
],
"id": "V-15120",
"ruleID": "SV-24637r1_rule",
"severity": "medium",
"title": "DBMS backup and restoration files should be protected from unauthorized access.",
"version": "DG0064-ORACLE11"
},
"V-15121": {
"checkid": "C-29394r1_chk",
"checktext": "Review evidence of Oracle database and dependent application files and directories.\n\nFor UNIX Systems:\n\n These files are found in the directories $ORACLE_BASE and $ORACLE_HOME.\n\nFor Windows Systems:\n\n The Oracle software directory is specified on a Windows host in the registry value HKLM\\SOFTWARE\\Oracle\\KEY_[ORACLE_HOME_NAME]\\ORACLE_HOME.\n\nOther Oracle software including, but not limited to Oracle tools and utilities, are usually found on Windows platforms in the C:\\Program Files\\Oracle directory and subdirectories.\n \nThird-party applications may be located in other directory structures. \n\nReview the System Security Plan for a list of all DBMS application software libraries to be included in software library backups.\n\nIf any software library files are not included in regular backups, this is a Finding.",
"description": "The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations.",
"fixid": "F-26420r1_fix",
"fixtext": "Configure backups to include all ORACLE home directories and subdirectories and any other Oracle application and third-party database application software libraries.",
"iacontrols": [
"COSW-1"
],
"id": "V-15121",
"ruleID": "SV-24832r1_rule",
"severity": "medium",
"title": "DBMS software libraries should be periodically backed up.",
"version": "DG0187-ORACLE11"
},
"V-15122": {
"checkid": "C-29392r1_chk",
"checktext": "Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave.\n\nIf the DBMS is not accessed outside of the local enclave, this check is Not a Finding.\n\nIf the DBMS serves applications available from a public network (e.g. the Internet), then confirm that the application servers are located in a DMZ.\n\nIf the DBMS is located inside the local enclave and is directly accessible to public users, this is a Finding.\n\nIf the DBMS serves public-facing applications and is not protected from direct client connections and unauthorized networks, this is a Finding.\n\nIf the DBMS serves public-facing applications and contains sensitive or classified information, this is a Finding.",
"description": "Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk.",
"fixid": "F-26418r1_fix",
"fixtext": "Do not allow direct connections from users originating from the Internet or other public network to the DBMS.\n\nInclude in the System Security Plan for the system whether the DBMS serves public-facing applications or applications serving users from other untrusted networks.\n\nDo not store sensitive or classified data on a DBMS server that serves public-facing applications.",
"iacontrols": [
"EBBD-1",
"EBBD-2",
"EBBD-3"
],
"id": "V-15122",
"ruleID": "SV-24449r1_rule",
"severity": "medium",
"title": "The database should not be directly accessible from public or unauthorized networks.",
"version": "DG0186-ORACLE11"
},
"V-15126": {
"checkid": "C-2967r1_chk",
"checktext": "Review the database backup procedures and implementation evidence.\n\nEvidence of implementation includes records of backup events and physical review of backup media.\n\nEvidence should match the backup plan as recorded in the System Security Plan.\n\nIf backup procedures do not exist or not implemented in accordance with the procedures, this is a Finding.\n\nIf backups do not include a redundant secondary system maintained at a separate physical site that can be activated without interruption or loss of data if the primary system fails, this is a Finding.",
"description": "Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.",
"fixid": "F-26099r1_fix",
"fixtext": "Develop, document and implement database backup procedures.\n\nInclude a secondary server installed at a separate location (IAW COOP guidelines) that can be brought online to prevent any disruption to availability or loss of data.",
"iacontrols": [
"CODB-1",
"CODB-2",
"CODB-3"
],
"id": "V-15126",
"ruleID": "SV-24601r1_rule",
"severity": "medium",
"title": "Database backup procedures should be defined, documented and implemented.",
"version": "DG0013-ORACLE11"
},
"V-15127": {
"checkid": "C-29353r1_chk",
"checktext": "Review policy and procedures documented or noted in the System Security Plan as well as evidence of implementation for monitoring changes to DBA role assignments and procedures for notifying the IAM of the changes for review.\n\nIf policy, procedures or implementation evidence do not exist, this is a Finding.",
"description": "Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight.",
"fixid": "F-26378r1_fix",
"fixtext": "Develop, document and implement procedures to monitor changes to DBA role assignments.\n\nDevelop, document and implement procedures to notify the IAM of changes to DBA role assignments.\n\nInclude in the procedures methods that provide evidence of monitoring and notification.",
"iacontrols": [
"ECPA-1"
],
"id": "V-15127",
"ruleID": "SV-24742r1_rule",
"severity": "medium",
"title": "The IAM should review changes to DBA role assignments.",
"version": "DG0118-ORACLE11"
},
"V-15129": {
"checkid": "C-29108r1_chk",
"checktext": "Review documented backup testing and recovery verification procedures noted or documented in the System Security Plan.\n\nReview evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation.\n\nLogs may be in electronic or hardcopy and may include email or other notification.\n\nIf backup testing and recovery verification are not documented or noted in the System Security Plan, this is a Finding.\n\nIf evidence of backup testing and recovery verification does not exist, this is a Finding.",
"description": "Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used.",
"fixid": "F-26111r1_fix",
"fixtext": "Design, document and implement backup testing and recovery verification procedures for the DBMS host and all individual database instances and either include or note the name, location, version and current revision date of any external documentation in the System Security Plan.\n\nInclude any requirements for documenting database backup and recovery testing and verification activities in the procedures.",
"iacontrols": [
"CODP-1",
"CODP-2",
"CODP-3"
],
"id": "V-15129",
"ruleID": "SV-24608r1_rule",
"severity": "medium",
"title": "Backup and recovery procedures should be developed, documented, implemented and periodically tested.",
"version": "DG0020-ORACLE11"
},
"V-15131": {
"checkid": "C-26072r1_chk",
"checktext": "If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.\n\nIf no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.\n\nReview sensitive data stored in the database as identified in the System Security Plan using select statements.\n\nNote in the System Security Plan if the data is encrypted by column or by transparent encryption.\n\nTransparent data encryption is available only in Oracle versions 10.2 and later using Oracle Advanced Security.\n\nIf transparent data encryption is specified, then verify it is enabled.\n\nBy data columns:\n\n From SQL*Plus:\n select owner, table_name, column_name from dba_encrypted_columns;\n\nBy tablespace:\n\n From SQL*Plus:\n select tablespace_name from dba_tablespaces where encrypted='YES';\n\nIf columns within tables, tables and/or tablespaces listed in the System Security Plan as required to be encrypted transparently are not listed above, this is a Finding.\n\nIf the DBMS products are used to encrypt data, view the sensitive data fields required to be encrypted using select statements.\n\nIf any data is displayed in human-readable format, this is a Finding.\n\nIf encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. \n\nIf encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information.\n\nIf a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave.\n\nNOTE: This check result may be marked not a Finding and the requirement of encryption in the database waived where the database has only database administrative accounts and application accounts that have a need-to-know to the data. This waiver does not preclude any requirement for encryption of the associated database data file (see DG0092).",
"description": "Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.",
"fixid": "F-26214r1_fix",
"fixtext": "Identify all sensitive data and the method to be used to encrypt specified sensitive data in the System Security Plan.\n\nUse only NIST-certified or NSA-approved cryptography to provide encryption.\n\nOracle transparent data encryption (available in Oracle version 10.2 and later) requires Oracle Advanced Security.\n\nSee the chapter on Transparent Data Encryption in the Oracle Database Advanced Security Guide Administrator's Guide for details on using and configuring transparent data encryption.\n \nDocument acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.\n\nHave the Information Owner document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those without need-to-know access to the data.\n\nDevelopers should consider using a record-specific encryption method to protect individual records.\n\nFor example, by employing the session username or other individualized element as part of the encryption key, then decryption of a data element is only possible by that user or other data accessible only by that user. \n\nConsider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by unauthorized users (without need-to-know).",
"iacontrols": [
"ECCR-1",
"ECCR-2",
"ECCR-3"
],
"id": "V-15131",
"ruleID": "SV-24397r1_rule",
"severity": "medium",
"title": "Sensitive information stored in the database should be protected by encryption.",
"version": "DG0090-ORACLE11"
},
"V-15132": {
"checkid": "C-29216r1_chk",
"checktext": "Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption.\n \nIf no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding.\n\nHave the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation.\n\nIf all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding.\n\nIf all sensitive data is not encrypted within database objects, review encryption applied to the DBMS host data files.\n\nIf no encryption is applied, this is a Finding.\n\nIf encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. \n\nIf encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information.\n\nIf a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave.\n\nDetermine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.",
"description": "Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to the data, but may be able to access DBMS data files using OS file tools.\n\nNOTE: The decision to encrypt data is the responsibility of the Information Owner and should be based on other access controls employed to protect the data.",
"fixid": "F-26237r1_fix",
"fixtext": "Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database.\n\nUse only NIST-certified or NSA-approved cryptography to provide encryption.\n\nDocument acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.\n\nHave the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.\n\nTo lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files.\n\nConsider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).",
"iacontrols": [
"ECCR-1",
"ECCR-2",
"ECCR-3"
],
"id": "V-15132",
"ruleID": "SV-24684r1_rule",
"severity": "medium",
"title": "Database data files containing sensitive information should be encrypted.",
"version": "DG0092-ORACLE11"
},
"V-15138": {
"checkid": "C-29227r1_chk",
"checktext": "Review documented policy and procedures included or noted in the System Security Plan as well as evidence of implementation for annual reviews of DBMS IA policy and procedures.\n\nIf policy and procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, this is a Finding.",
"description": "A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DoD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policies.",
"fixid": "F-26248r1_fix",
"fixtext": "Develop, document and implement procedures to review DBMS IA policies and procedures.",
"iacontrols": [
"DCAR-1"
],
"id": "V-15138",
"ruleID": "SV-24689r1_rule",
"severity": "low",
"title": "The DBMS IA policies and procedures should be reviewed annually or more frequently.",
"version": "DG0096-ORACLE11"
},
"V-15139": {
"checkid": "C-29233r1_chk",
"checktext": "Review policy and procedures documented or noted in the System Security Plan and evidence of implementation for testing DBMS installations, upgrades and patches prior to production deployment.\n\nIf policy and procedures do not exist or evidence of implementation does not exist, this is a Finding.",
"description": "Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.",
"fixid": "F-26256r1_fix",
"fixtext": "Develop, document and implement procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.",
"iacontrols": [
"DCCT-1"
],
"id": "V-15139",
"ruleID": "SV-24691r1_rule",
"severity": "medium",
"title": "Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.",
"version": "DG0097-ORACLE11"
},
"V-15140": {
"checkid": "C-29169r1_chk",
"checktext": "If the database being reviewed is not a production database or does not contain sensitive data, this check is Not a Finding.\n \nReview documented policy, procedures and proof of implementation for restrictions placed on data exports from the production database.\n\nPolicy and procedures should include that only authorized users have access to DBMS export utilities and that export data is properly sanitized prior to import to a development database.\n\nPolicy and procedures may also include that developers be granted the necessary clearance and need-to-know prior to import of production data.\n\nIf documented policy, procedures and proof of implementation are not present or complete, this is a Finding.\n\nIf methods to sanitize sensitive data are required and not documented or followed, this is a Finding.",
"description": "Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure.",
"fixid": "F-26181r1_fix",
"fixtext": "Develop, document and implement policy and procedures that provide restrictions for production data export.\n\nRequire users and administrators assigned privileges that allow the export of production data from a production database to acknowledge understanding of export restrictions.\n\nRestrict permissions allowing use or access to database export procedures or functions to authorized users.\n\nEnsure sensitive data from production is sanitized prior to import to a development database (See check DG0076).\n\nGrant access and need-to-know to developers where allowed by policy.",
"iacontrols": [
"ECAN-1"
],
"id": "V-15140",
"ruleID": "SV-24645r1_rule",
"severity": "medium",
"title": "Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.",
"version": "DG0069-ORACLE11"
},
"V-15141": {
"checkid": "C-29295r1_chk",
"checktext": "Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software.\n\nOn UNIX Systems (enter at command prompt):\n\nps -ef | grep -i pmon | grep -v grep (all database processes)\nps -ef | grep -i tns | grep -v grep (all listener processes)\nps -ef | grep -i dbsnmp | grep -v grep (Oracle Intelligent Agents)\n\nSample output (database processes):\n\noracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1\n\nSample output (listener processes):\n\noracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit\n\nSample output (agent processes):\n\noracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp\n\nIn the above samples, the occurrence of \"oracle\" indicates the user account that owns the process.\n\nIf any Oracle processes are not using a dedicated OS account, this is a Finding.\n\nFor Windows Systems:\n\nLog in using an account with administrator privileges.\n\nOpen the Services snap-in.\n\nReview the Oracle processes.\n\nAll Oracle processes should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem.\n\nIf any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding.\n\nIf any Oracle service is run as LocalSystem, this is a Finding.",
"description": "Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.",
"fixid": "F-26327r1_fix",
"fixtext": "On UNIX Systems:\n\nEnsure the Oracle Owner account is used for all Oracle processes.\n\nThe Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account.\n\nOn Windows Systems:\n\nCreate and assign a dedicated Oracle Windows OS account for all Oracle processes.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15141",
"ruleID": "SV-24702r1_rule",
"severity": "medium",
"title": "DBMS processes or services should run under custom, dedicated OS accounts.",
"version": "DG0102-ORACLE11"
},
"V-15143": {
"checkid": "C-29314r1_chk",
"checktext": "Review the System Security Plan and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA.\n\nIf no sensitive data is present or encryption of sensitive data is not required by the Information Owner, this check is Not a Finding.\n\nReview the encryption configuration against the System Security Plan specification.\n\nIf the specified encryption is not configured, this is a Finding.",
"description": "Access to sensitive data may not always be sufficiently protected by authorizations and require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.",
"fixid": "F-26346r1_fix",
"fixtext": "Configure DBMS encryption features and functions as required by the System Security Plan.\n\nDiscrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15143",
"ruleID": "SV-24707r1_rule",
"severity": "medium",
"title": "Database data encryption controls should be configured in accordance with application requirements.",
"version": "DG0106-ORACLE11"
},
"V-15144": {
"checkid": "C-29345r1_chk",
"checktext": "If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is Not a Finding.\n\nReview AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified.\n\nReview database table column data or descriptions that indicate sensitive data.\n\nFor example, a data column labeled \"SSN\" could indicate social security numbers are stored in the column.\n\nQuestion the IAO or DBA where any questions arise.\n\nGeneral categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified.\n\nIf any data is considered sensitive and is not documented in the AISFA, this is a Finding.",
"description": "A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses.",
"fixid": "F-26370r1_fix",
"fixtext": "Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan.\n\nInclude data that appears to be sensitive with a discussion as to why it is not marked as such.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15144",
"ruleID": "SV-24710r1_rule",
"severity": "medium",
"title": "Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.",
"version": "DG0107-ORACLE11"
},
"V-15145": {
"checkid": "C-29347r1_chk",
"checktext": "Review the System Security Plan to discover the restoration priority assigned to the DBMS.\n\nIf a restoration priority is not assigned, this is a Finding.",
"description": "When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without proper assignment of the priority placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements.",
"fixid": "F-26372r1_fix",
"fixtext": "Review the mission criticality of the DBMS in relation to the overall mission of the organization and assign it a restoration priority.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15145",
"ruleID": "SV-24713r1_rule",
"severity": "low",
"title": "The DBMS restoration priority should be assigned.",
"version": "DG0108-ORACLE11"
},
"V-15146": {
"checkid": "C-29349r1_chk",
"checktext": "Review a list of Windows service or UNIX processes running on the DBMS host.\n\nFor Windows, review the Services snap-in.\n\nInvestigate with the DBA/SA any unknown services.\n\nFor UNIX, issue the ps -ef command.\n\nInvestigate with the DBA/SA any unknown processes.\n\nIf web, application, ftp, domain, print or other non-DBMS services or processes are identified as supporting other optional applications or functions not authorized in the System Security Plan, this is a Finding.\n\nNOTE: Only applications that are technically required to share the same host system may be authorized to do so. Applications that share the same host for administrative, financial or other non-technical reasons may not be authorized and are a Finding.",
"description": "In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host is threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.",
"fixid": "F-26374r1_fix",
"fixtext": "A dedicated host system in this case refers to an instance of the operating system at a minimum.\n\nThe operating system may reside on a virtual host machine where supported by the DBMS vendor.\n\nRemove any unauthorized processes or services and install on a separate host system.\n\nWhere separation is not supported, update the System Security Plan to provide the technical requirement for having the application share a host with the DBMS.",
"iacontrols": [
"DCPA-1"
],
"id": "V-15146",
"ruleID": "SV-24715r1_rule",
"severity": "medium",
"title": "The DBMS should not be operated without authorization on a host system supporting other application services.",
"version": "DG0109-ORACLE11"
},
"V-15147": {
"checkid": "C-1012r1_chk",
"checktext": "Review the disk/directory specification where database data, transaction log and audit files are stored.\n\nIf DBMS data, transaction or audit data files are stored in the same directory, this is a Finding.\n\nIf separation of data, transaction and audit data is not supported by the DBMS, this check is Not a Finding.\n\nIf stored separately and the access permissions for each directory are the same, this is a Finding.",
"description": "Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists.",
"fixid": "F-24482r1_fix",
"fixtext": "Product-specific fix pending development. Use Generic Fix listed below:\n\nSpecify dedicated host system disk directories to store database data, transaction and audit files.\n\nConfigure DBMS default file storage locations to use dedicated disk directories where supported by the DBMS.",
"iacontrols": [
"DCPA-1"
],
"id": "V-15147",
"ruleID": "SV-24720r1_rule",
"severity": "medium",
"title": "The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.",
"version": "DG0111-ORACLE11"
},
"V-15148": {
"checkid": "C-29373r1_chk",
"checktext": "If Oracle Listener, JAVA Listener, Oracle Names and Connection Manager are not running on the local database host server, this check is Not a Finding. \n\nReview the listener.ora file located by default in the ORACLE_HOME\\network\\admin directory or in the directory specified in the environment variable TNS_ADMIN defined for the listener process or service. \n\nView the \"PORT=\" parameter for any protocols defined.\n\nIf any do not match an entry in the following list, then confirm that it is not a default or registered port for the service.\n\nView the cman.ora file in the ORACLE_HOME/network/admin directory.\n\nIf the file does not exist, the database is not accessed via Oracle Connection Manager and this part of the check is Not a Finding.\n\nView the \"PORT=\" parameter for any protocols defined.\n\nIf any do not match an entry in the following list, then confirm that it is not a default or registered port for the service.\n\nIf any non-default or non-registered ports are listed, this is a Finding.\n\nDefault Oracle Listener Ports: 1521, 2483, 2484\nDefault Java Listener Ports: 2481, 2482\nDefault Oracle Names Listener Port: 1575\nDefault Connection Manager Ports: 1521, 1830\n\nRegistered ports MAY be listed at http://www.iana.org/assignments/port-numbers or in the DoD Ports, Protocols, and Services Category Assurance List (CAL).",
"description": "Non-standard network ports, protocol or services configuration or usage could lead to bypass of network perimeter security controls and protections.",
"fixid": "F-26398r1_fix",
"fixtext": "Specify a default or registered port for TCP/IP protocols in the listener.ora and cman.ora files in the PORT= parameter of the address specification.",
"iacontrols": [
"DCPP-1"
],
"id": "V-15148",
"ruleID": "SV-24808r1_rule",
"severity": "medium",
"title": "DBMS network communications should comply with PPS usage restrictions.",
"version": "DG0152-ORACLE11"
},
"V-15150": {
"checkid": "C-29375r1_chk",
"checktext": "Review the System Security Plan for the DBMS.\n\nReview coverage of the following in the System Security Plan:\n- Technical, administrative and procedural IA program and policies that govern the DBMS\n- Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS\n- Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response)\n\nIf a System Security Plan does not exist or does not identify or reference all relevant security controls, this is a Finding.",
"description": "A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities.",
"fixid": "F-26400r1_fix",
"fixtext": "Develop, document and implement a System Security Plan for the DBMS.\n\nInclude IA documentation related to the DBMS in the System Security Plan for the system that the DBMS supports.\n\nReview section 3.4 - System Security Plan Overview in the ORACLE DATABASE SECURITY CHECKLIST for more information.",
"iacontrols": [
"DCSD-1"
],
"id": "V-15150",
"ruleID": "SV-24437r1_rule",
"severity": "low",
"title": "The DBMS requires a System Security Plan containing all required information.",
"version": "DG0154-ORACLE11"
},
"V-15179": {
"checkid": "C-29351r1_chk",
"checktext": "Review the services and processes active on the DBMS host system.\n \nIf the host system is a Windows domain controller, this is a Finding.\n\nIf the host system is supporting any other security or directory services that do not use the DBMS to store information, this is a Finding.\n\nNOTE: This does not include client security applications like firewall and antivirus software.",
"description": "The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The associated risk of a DBMS installed on a system that provides security support is significantly higher than when installed on separate systems. In cases where the DBMS is dedicated to local support of a security support function (e.g. a directory service), separation may not be possible.",
"fixid": "F-26376r1_fix",
"fixtext": "Either move the DBMS installation to a dedicated host system or move the directory or security services to another host system.\n\nA dedicated host system in this case refers to an instance of the operating system at a minimum.\n\nThe operating system may reside on a virtual host machine where supported by the DBMS vendor.",
"iacontrols": [
"DCSP-1"
],
"id": "V-15179",
"ruleID": "SV-24717r1_rule",
"severity": "medium",
"title": "The DBMS should not share a host supporting an independent security service.",
"version": "DG0110-ORACLE11"
},
"V-15608": {
"checkid": "C-1176r1_chk",
"checktext": "For UNIX Systems:\n\nLog in using the Oracle software owner account and enter the command:\n\n umask\n\nIf the value returned is 022 or more restrictive, this is not a Finding.\n\nIf the value returned is less restrictive than 022, this is a Finding.\n\nThe first number sets the mask for user/owner file permissions. The second number sets the mask for group file permissions. The third number sets file permission mask for other users. The list below shows the available settings:\n\n0 = read/write/execute\n1 = read/write\n2 = read/execute\n3 = read\n4 = write/execute\n5 = write\n6 = execute\n7 = no permissions\n\nSetting the umask to 022 effectively sets files for user/owner to read/write, group to read and other to read. Directories are set for user/owner to read/write/execute, group to read/execute and other to read/execute.\n\nFor Windows Systems:\n Review the permissions that control access to the Oracle installation software directories (e.g. \\Program Files\\Oracle\\).\n\nDBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts if access by them is required for some operational level of support such as backups, and the host system itself require access.\n\nCompare the access control employed with that documented in the System Security Plan.\n\nIf access controls do not match the documented requirement, this is a Finding.\n\nIf access controls appear excessive without justification, this is a Finding.",
"description": "The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.",
"fixid": "F-2636r1_fix",
"fixtext": "For UNIX Systems:\n\nSet the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account:\n\n env | grep -i shell\n\nStartup files for each shell are as follows (located in users $HOME directory):\n\n C-Shell (CSH) = .cshrc\n Bourne Shell (SH) = .profile\n Korn Shell (KSH) = .kshrc\n TC Shell (TCS) = .tcshrc\n BASH Shell = .bash_profile or .bashrc\n\nEdit the shell startup file for the account and add or modify the line:\n\n umask 022\n\nLog off and login, then enter the umask command to confirm the setting.\n\nNOTE: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.\n\nFor Windows Systems:\n Product-specific fix pending development. Use Generic Fix listed below:\n\nRestrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function.\n\nDocument authorized access control and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.",
"iacontrols": [
"DCSL-1"
],
"id": "V-15608",
"ruleID": "SV-24595r1_rule",
"severity": "medium",
"title": "Access to DBMS software files and directories should not be granted to unauthorized users.",
"version": "DG0009-ORACLE11"
},
"V-15611": {
"checkid": "C-29157r1_chk",
"checktext": "If application access audit data is not available due to the lack of a local listener process or alternate method of auditing database access, this check is Not a Finding (see check DG0052).\n\nReview the list of applications authorized to connect to the Oracle database as listed or noted in the System Security Plan.\n\nIf no list exists, this is a Finding.\n\nReview evidence of audit log monitoring to detect use of unauthorized applications to access the database.\n\nIf no evidence exists or is incomplete, this is a Finding.",
"description": "Regular and timely reviews of audit records increase the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of an unauthorized application to access the DBMS may indicate an attempt to bypass security controls.",
"fixid": "F-26168r1_fix",
"fixtext": "Document applications authorized to access the DBMS in the System Security Plan.\n\nDevelop, document and implement a process to review log and trace files or the results from any alternate methods used to support database access auditing to detect connections from unauthorized applications.\n\nInclude in this process a method to generate and provide evidence of monitoring.\n\nThis may include automated or manual processes acknowledged by the auditor or IAO.",
"iacontrols": [
"ECAT-1",
"ECAT-2"
],
"id": "V-15611",
"ruleID": "SV-24630r1_rule",
"severity": "low",
"title": "The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.",
"version": "DG0054-ORACLE11"
},
"V-15618": {
"checkid": "C-26370r1_chk",
"checktext": "Review the System Security Plan to determine if the use of the external procedure agent is authorized.\n\nReview the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows).\n\nIf the external procedure agent is not authorized for use in the System Security Plan and the executable file exists and is not restricted, this is a Finding.\n\nIf use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications.\n\nExternal jobs are run using the account nobody by default.\n\nReview the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=.\n\nIf the user assigned to these parameters is not \"nobody\", this is a Finding.\n\nFor versions 11.1 and later, the external procedure agent (extproc executable) is available directly from the database and does not require definition in the listener.ora file for use.\n\nReview the contents of the file ORACLE_HOME/hs/admin/extproc.ora.\n\nIf the file does not exist, this is a Finding.\n\nIf the following entry does not appear in the file, this is a Finding:\n\nEXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..\n\n[dll full file name] represents a full path and file name.\n\nThis list of file names is separated by \":\".\n\nNOTE: If \"ONLY\" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a Finding. If \"ANY\" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a Finding. If no specification is made, any files located in the %ORACLE_HOME%\\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a Finding.\n\nEnsure that EXTPROC is not accessible from the listener.\n\nReview the listener.ora file. If any entries reference \"extproc\", this is a Finding.\n\nNOTE: Bug 7560049 may cause external procedures in 11g not to work on certain platforms. Fix will be in Oracle 11g Release 2. If external procedures are required and you are experiencing this bug, then follow instructions for configuring external procedures for versions earlier than 11.1 and document as authorized in the System Security Plan.\n\nDetermine if the external procedure agent is in use per Oracle 10.x conventions.\n\nReview the listener.ora file.\n\nIf any entries reference \"extproc\", then the agent is in use.\n\nIf the external procedure agent is not authorized for use in the System Security Plan and references to \"extproc\" exist, this is a Finding.\n\nSample listener.ora entries with extproc included:\n\nLISTENER =\n(DESCRIPTION =\n(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n)\nEXTLSNR =\n(DESCRIPTION =\n(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))\n)\nSID_LIST_LISTENER =\n(SID_LIST =\n(SID_DESC =\n(GLOBAL_DBNAME = ORCL)\n(ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n(SID_NAME = ORCL)\n)\n)\nSID_LIST_EXTLSNR =\n(SID_LIST =\n(SID_DESC =\n(PROGRAM = extproc)\n(SID_NAME = PLSExtProc)\n(ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n(ENVS=\"EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,\nLD_LIBRARY_PATH=/private/app2/lib:/private/app1,\nMYPATH=/usr/fso:/usr/local/packages\")\n)\n)\n\nSample tnsnames.ora entries with extproc included:\n\nORCL =\n(DESCRIPTION =\n(ADDRESS_LIST =\n(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n)\n(CONNECT_DATA =\n(SERVICE_NAME = ORCL)\n)\n)\nEXTPROC_CONNECTION_DATA =\n(DESCRIPTION =\n(ADDRESS_LIST =\n(ADDRESS = (PROTOCOL = IPC)(KEY = extproc))\n)\n(CONNECT_DATA =\n(SERVER = DEDICATED)\n(SERVICE_NAME = PLSExtProc)\n)\n)\n\nIf EXTPROC is in use, confirm that a listener is dedicated to serving the external procedure agent (as shown above).\n\nView the protocols configured for the listener.\n\nFor the listener to be dedicated, the only entries will be to specify extproc.\n\nIf there is not a dedicated listener in use for the external procedure agent, this is a Finding.\n\nIf the PROTOCOL= specified is other than IPC, this is a Finding.\n\nVerify and ensure extproc is restricted to executing authorized external applications only.\n\nReview the listener.ora file.\n\nIf the following entry does not exist, this is a Finding:\n\nEXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...\n\nNOTE: [dll full file name] represents a full path and file name. This list of file names is separated by \":\".\n\nNOTE: If \"ONLY\" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a Finding. If \"ANY\" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a Finding. If no specification is made, any files located in the %ORACLE_HOME%\\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a Finding.\n\nView the listener.ora file (usually in ORACLE_HOME/network/admin or the directory specified by the TNS_ADMIN environment variable).\n\nIf multiple listener processes are running, then the listener.ora file for each must be viewed.\n\nFor each process, determine the directory specified in the ORACLE_HOME or TNS_ADMIN environment variable defined for the process account to locate the listener.ora file.",
"description": "The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process.",
"fixid": "F-22704r1_fix",
"fixtext": "If the use of external procedure agent is required, then authorize and document the requirement in the System Security Plan.\n\nIf the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan.\n\nIf use of the Oracle External Procedure agent is not required:\n\n - Stop the Oracle Listener process\n - Remove all references to extproc in the listener.ora and tnsnames.ora files\n - Alter the permissions on the executable files:\n UNIX - Remove read/write/execute permissions from owner, group and world\n Windows - Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS groups\n\nIf required:\n\n - Restrict extproc execution to only authorized applications.\n - Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and the listener.ora files\n - Create a separate, dedicated listener for use by the external procedure agent\n\nPlease see the Oracle Net Services Administrators Guides, External Procedures section for detailed configuration information.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15618",
"ruleID": "SV-24698r1_rule",
"severity": "medium",
"title": "Access to external DBMS executables should be disabled or restricted.",
"version": "DG0099-ORACLE11"
},
"V-15620": {
"checkid": "C-1769r1_chk",
"checktext": "Determine under which OS accounts external DBMS executables are run.\n\nReview the privileges assigned to these accounts and compare them to the System Security Plan and the function of the applications.\n\nIf assigned privileges exceed those necessary to operate as designed or the privileges do not match the list of required privileges for the application in the System Security Plan, this is a Finding.",
"description": "External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform.",
"fixid": "F-3795r1_fix",
"fixtext": "Configure OS accounts used by DBMS external procedures to have the minimum privileges necessary for operation.\n\nDocument DBMS external procedures and the OS privileges needed to execute the procedures in the System Security Plan.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15620",
"ruleID": "SV-25054r1_rule",
"severity": "medium",
"title": "OS accounts used to execute external procedures should be assigned minimum privileges.",
"version": "DG0101-ORACLE11"
},
"V-15621": {
"checkid": "C-29299r2_chk",
"checktext": "IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager or by an external network device.\n\nIdentify the method used to enforce address restriction (interview or System Security Plan review).\n\nIf enforced by the database listener, then review the SQLNET.ORA file located in the\nORACLE_HOME/network/admin directory or the directory indicated by the TNS_ADMIN environment variable or registry setting.\n\n\nIf the following entries do not exist, then restriction by IP address is not configured and is a Finding.\ntcp.validnode_checking=YES\ntcp.invited_nodes=(IP1, IP2, IP3)\n\nIf enforced by an Oracle Connection Manager, then review the CMAN.ORA file for the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin directory for the connection manager).\n\nIf a RULE entry allows all addresses (\"/32\") or does not match the address range specified in the System Security Plan, this is a Finding.\n\n(rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept))\n\nNOTE: an IP address with a \"/\" indicates acceptance by subnet mask where the number after the \"/\" is the left most number of bits in the address that must match for the rule to apply.\n\nIf this rule is database-specific, then determine if the SERVICE_NAME parameter is set:\n\nFrom SQL*PLUS:\n\nselect value from v$parameter where name = 'service_names';\n\nIf SERVICE_NAME is set in the initialization file for the database instance, use (srv=[service name]), else, use (srv=*) if not set or rule applies to all databases on the DBMS server.\n\nIf network access restriction is performed by an external device, validate ACLs are in place to prohibit unauthorized access to the DBMS. To do this, find the IP address of the database server (destination address) and source address (authorized IPs) in the System Security Plan. Confirm only authorized IPs from the System Security Plan are allowed access to the DBMS.",
"description": "Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.",
"fixid": "F-26331r2_fix",
"fixtext": "Configure the database listener to restrict access by IP address or set up an external device to restrict network access to the DBMS.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15621",
"ruleID": "SV-24410r2_rule",
"severity": "medium",
"title": "Network access to the DBMS must be restricted to authorized personnel.",
"version": "DG0103-ORACLE11"
},
"V-15622": {
"checkid": "C-29309r1_chk",
"checktext": "Review the Oracle instance names on the DBMS host:\n\nOn UNIX platforms:\n Solaris: cat /var/opt/oracle/oratab\n Other UNIX: cat /etc/oratab\n\nThe format of lines in the oratab file is:\n sid:oracle_home_directory:Y or N\n\nThe instance name is the sid.\n\nOn Windows platforms:\n Go to Start / Administrative Tools / Services \n \nView service names that begin with \"OracleService\".\n \nThe remainder of the service name is the instance name.\n Example: OracleServicesalesDB -- where salesDB is the instance name\n\nIf instance names are listed and do not clearly identify the use of the instance or clearly differentiate individual instances, this is a Finding.\n\nAn example of instance naming that meets the requirement: prdinv01 (Production Inventory Database #1), dvsales02 (Development Sales Database #2), orfindb1 (Oracle Financials Database #1).\n\nExamples of instance naming that do not meet the requirement: Instance1, MyInstance, orcl, 10gdb1\n\nInterview the DBA to get an understanding of the naming scheme used to determine if the names are clear differentiations.",
"description": "Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections.",
"fixid": "F-26341r1_fix",
"fixtext": "Follow the instructions in Oracle Doc ID: 15390.1 to change the SID without re-creating the database.\n\nSet the value so that it does not identify the Oracle version and clearly identifies its purpose.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15622",
"ruleID": "SV-24415r1_rule",
"severity": "low",
"title": "DBMS service identification should be unique and clearly identify the service.",
"version": "DG0104-ORACLE11"
},
"V-15625": {
"checkid": "C-29546r1_chk",
"checktext": "Review DBMS recovery procedures or technical system features to determine if mechanisms exist and are in place to specify use of trusted files during DBMS recovery.\n\nIf recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a Finding.\n\nIf system features exist and are not employed or not employed sufficiently, this is a Finding.\n\nIf circumstances that can inhibit a trusted recovery are not documented and appropriate mitigating procedures have not been put in place, this is a Finding.",
"description": "A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings or loss of data integrity. Where available, DBMS mechanisms to ensure use of only trusted files can help protect the database from this type of compromise during DBMS recovery.",
"fixid": "F-26648r1_fix",
"fixtext": "Develop, document and implement DBMS recovery procedures and employ technical system features where supported by the DBMS to specify trusted files during DBMS recovery.\n\nEnsure circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place.",
"iacontrols": [
"COTR-1"
],
"id": "V-15625",
"ruleID": "SV-28967r1_rule",
"severity": "medium",
"title": "Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.",
"version": "DG0115-ORACLE11"
},
"V-15636": {
"checkid": "C-29867r1_chk",
"checktext": "Oracle natively encrypts passwords in transit when using Oracle connection protocols and products (i.e. Oracle Client).\n\nWhere other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network.\n\nIf passwords are not encrypted, this is a Finding.\n\nWhere only Oracle connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding.\n\nIf determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding.",
"description": "DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.",
"fixid": "F-25688r1_fix",
"fixtext": "Utilize Oracle connection protocols and products (i.e. Oracle Client) where possible.\n\nWhere other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used.\n\nIf the database does not provide encryption for login events natively, employ encryption at the OS or network level.\n\nEnsure passwords remain encrypted from source to destination.",
"iacontrols": [
"IAIA-1",
"IAIA-2"
],
"id": "V-15636",
"ruleID": "SV-24967r1_rule",
"severity": "high",
"title": "Passwords should be encrypted when transmitted across the network.",
"version": "DG0129-ORACLE11"
},
"V-15643": {
"checkid": "C-23647r1_chk",
"checktext": "Determine the locations of DBMS audit, configuration, credential and other security data. Review audit settings for these files or data objects.\n\nIf access to the security data is not audited, this is a Finding.\n\nIf no access is audited, consider the operational impact and appropriateness for access that is not audited.\n\nIf the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, then do not include this as a Finding.",
"description": "DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations.",
"fixid": "F-23926r1_fix",
"fixtext": "Determine all locations for storage of DBMS security and configuration data. Enable auditing for access to any security data. If auditing results in an unacceptable adverse impact on application operation, reduce the amount of auditing to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan.",
"iacontrols": [
"ECAR-1",
"ECAR-2",
"ECAR-3"
],
"id": "V-15643",
"ruleID": "SV-24432r1_rule",
"severity": "medium",
"title": "Access to DBMS security data should be audited.",
"version": "DG0140-ORACLE11"
},
"V-15649": {
"checkid": "C-28261r1_chk",
"checktext": "Ask the DBA and/or IAO to demonstrate that the DBMS system initialization, shutdown, and aborts are configured to ensure that the DBMS system remains in a secure state.\n\nIf the DBA and/or IAO has documented proof from the DBMS vendor demonstrating that the DBMS does not support this either natively or programmatically, this check is a Finding, but can be downgraded to a CAT 3 severity.\n\nIf the DBMS does support this either natively or programmatically and the configuration does not meet the requirements listed above, this is a Finding.\n\nFor all MAC 1, all MAC 2 and Classified MAC 3 systems where the DBMS supports the requirements, review documented procedures and evidence of periodic testing to ensure DBMS system state integrity. \n\nIf documented procedures do not exist or no evidence of implementation is provided, this is a Finding.",
"description": "The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data.",
"fixid": "F-25690r1_fix",
"fixtext": "Configure DBMS system initialization, shutdown and aborts to ensure DBMS system remains in a secure state.\n\nFor applicable DBMS systems as listed in the check, periodically test configuration to ensure DBMS system state integrity.\n\nWhere DBMS system state integrity is not supported by the DBMS vendor, obtain and apply mitigation strategies to bring risk to a DAA-acceptable level.",
"iacontrols": [
"DCSS-1",
"DCSS-2"
],
"id": "V-15649",
"ruleID": "SV-25385r1_rule",
"severity": "medium",
"title": "The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.",
"version": "DG0155-ORACLE11"
},
"V-15651": {
"checkid": "C-19408r1_chk",
"checktext": "Review the System Security Plan for authorization, assignments and usage procedures for remote DBMS administration.\n\nIf remote administration of the DBMS is not documented or poorly documented, this is a Finding.\n\nIf remote administration of the DBMS is not authorized and not disabled, this is a Finding.",
"description": "Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.",
"fixid": "F-19561r1_fix",
"fixtext": "Disable remote administration of the DBMS where not required.\n\nWhere remote administration of the DBMS is required, develop, document and implement policy and procedures on its use.\n\nAssign remote administration privileges to IAO-authorized personnel only.\n\nDocument assignments in the System Security Plan.",
"iacontrols": [
"EBRP-1"
],
"id": "V-15651",
"ruleID": "SV-24982r1_rule",
"severity": "medium",
"title": "Remote DBMS administration should be documented and authorized or disabled.",
"version": "DG0157-ORACLE11"
},
"V-15652": {
"checkid": "C-20343r1_chk",
"checktext": "Review settings for actions taken during remote administration sessions.\n\nIf auditing of remote administration sessions and actions is not enabled, this is a Finding.\n\nIf audit logs do not include all actions taken by database administrators during remote sessions, this is a Finding.\n\nActions should be tied to a specific user.",
"description": "When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover suspicious activity and to provide accountability for administrative actions completed by remote users.",
"fixid": "F-16165r1_fix",
"fixtext": "Develop, document and implement policy and procedures for remote administration auditing.\n\nConfigure the DBMS to provide an audit trail for remote administrative sessions.\n\nInclude all actions taken by database administrators during remote sessions.\n\nActions should be tied to a specific user.",
"iacontrols": [
"EBRP-1"
],
"id": "V-15652",
"ruleID": "SV-24985r1_rule",
"severity": "medium",
"title": "DBMS remote administration should be audited.",
"version": "DG0158-ORACLE11"
},
"V-15656": {
"checkid": "C-23524r1_chk",
"checktext": "Review database links or other connections defined for the database to access or be accessed by remote databases or other applications as defined in the AIS Functional Architecture documentation or the System Security Plan.\n\nIf any interconnections show differences in the DBMS and remote system classification levels, this is a Finding.",
"description": "Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases or applications and databases differing in classification levels are required to comply with interface control rules.",
"fixid": "F-20164r1_fix",
"fixtext": "Disassociate or remove connection definitions to remote systems of differing classification levels.",
"iacontrols": [
"ECIC-1"
],
"id": "V-15656",
"ruleID": "SV-25075r1_rule",
"severity": "medium",
"title": "The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.",
"version": "DG0171-ORACLE11"
},
"V-15658": {
"checkid": "C-26465r1_chk",
"checktext": "A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not a Finding for all supported versions of Oracle.\n\nView the sqlnet.ora file. If the following lines do not exist, this is a Finding (requires application code to display the warning banner, which is not covered in this check):\n\nSEC_USER_AUDIT_ACTION_BANNER = path/filename with banner text\nSEC_USER_UNAUTHORIZED_ACCESS_BANNER = path/filename with banner text\n\nThis requirement can be fulfilled programmatically and is not covered in this check; however, if required and not performed, this is a Finding.\n\nView the files specified. If they do not contain the following text as written below, this is a Finding:\n\n\n[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK.\"]\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS. 
\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\nOK\n\n[B. For Blackberries and other PDAs/PEDs with severe character limitations:]\n\nI've read & consent to terms in IS user agreem't.\n\n\nThis User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement \u2013 JTF-GNO CTO 08-008A, May 9, 2008 unless superseded.",
"description": "Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.",
"fixid": "F-16136r1_fix",
"fixtext": "Add the following lines to the sqlnet.ora file:\n\nSEC_USER_AUDIT_ACTION_BANNER = [banner file]\nSEC_USER_UNAUTHORIZED_ACCESS_BANNER = [banner file]\n\nReplace [banner file] with the path and file name to a TEXT file containing the banner text as shown above.\n\nNOTE: Defining these parameters and this text makes the banner available to applications. It is not displayed unless the application is designed to display the text using OCI calls.\n\nFor all versions of Oracle, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the Oracle DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed.\n\nThe banner text listed in the Check section supersedes that referenced in the Database STIG requirement.",
"iacontrols": [
"ECWM-1"
],
"id": "V-15658",
"ruleID": "SV-24827r1_rule",
"severity": "medium",
"title": "The DBMS warning banner should meet DoD policy requirements.",
"version": "DG0179-ORACLE11"
},
"V-15659": {
"checkid": "C-29397r1_chk",
"checktext": "Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database.\n\nIf no database passwords or credentials are stored outside of the database including use of Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is Not a Finding. \n\nView the sqlnet.ora file to determine if Oracle Wallets are used for authentication.\n\nIf the \"WALLET_LOCATION\" entry exists in the file, then view permissions on the directory and contents.\n\nIf access to this directory and these files is not restricted to the Oracle database and listener services, DBA's, and other authorized system and administrative accounts this is a Finding.\n\nFrom SQL*Plus:\n\n select value from v$parameter where name = 'remote_login_passwordfile';\n\nIf the command returns the value NONE, this is not a Finding.\n\nIf it returns the value SHARED, this is a Finding.\n\nIf it returns the value EXCLUSIVE, view access permissions to the Oracle password file.\n\nThe default name for Windows is pwd[SID].ora and is located in the ORACLE_HOME\\database directory.\n\nOn UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory.\n\nIf access to this file is not restricted to the Oracle database, DBA's, and other authorized system and administrative accounts, this is a Finding.\n\nFor other password or credential stores, interview the DBA to ask what restrictions to the storage location of passwords have been assigned.\n\nIf accounts other than those that require access to the storage location have been granted permissions, this is a Finding.",
"description": "Access to database connection credential stores provides easy access to the database. Unauthorized access to the database can result without controls in place to prevent unauthorized access to the credentials.",
"fixid": "F-26422r1_fix",
"fixtext": "Consider alternate methods for database connections to avoid custom storage of local connection credentials.\n\nDevelop and document use of locally stored credentials and their authorized use and access in the System Security Plan.\n\nRestrict access and use of the credentials to authorized users using host file permissions and any other available method to restrict access.",
"iacontrols": [
"DCFA-1"
],
"id": "V-15659",
"ruleID": "SV-24835r1_rule",
"severity": "medium",
"title": "Credentials used to access remote databases should be protected by encryption and restricted to authorized users.",
"version": "DG0191-ORACLE11"
},
"V-15662": {
"checkid": "C-29405r1_chk",
"checktext": "Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is Not a Finding.\n\nCheck DG0093 specifies remote administration encryption for confidentiality.\n\nThis check should confirm the use of dedicated and encrypted network addresses and ports.\n\nReview configured network access interfaces for remote DBMS administration.\n\nThese may be host-based encryptions such as IPSec or may be configured for the DBMS as part of the network communications and/or in the DBMS listening process.\n\nFor DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS.\n\nView the System Security Plan to review the authorized procedures and access for remote administration.\n\nIf the configuration does not match the specifications in the System Security Plan, this is a Finding.\n\nNote: Out-Of-Band (OOB) is allowed for remote administration, however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check. ",
"description": "Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it.",
"fixid": "F-26430r1_fix",
"fixtext": "Disable remote administration where it is not required.\n\nConsider restricting administrative access to local connections only.\n\nWhere necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access.\n\nDevelop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration.\n\nVerify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.",
"iacontrols": [
"EBRP-1"
],
"id": "V-15662",
"ruleID": "SV-24844r1_rule",
"severity": "medium",
"title": "Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.",
"version": "DG0198-ORACLE11"
},
"V-16031": {
"checkid": "C-29491r1_chk",
"checktext": "If a listener is not running on the local database host server, this check is Not a Finding.\n\nReview all listener.ora files for the HOST =.\n\nVerify the HOST = value specifies an IP address for all occurrences of the HOST = setting.\n\nSample:\n\n(ADDRESS= (PROTOCOL=TCP) (HOST= [host IP address]) (PORT=1521))\n\nIf any addresses specify a host name in place of an IP or other network address, this is a Finding.\n\nNOTE: If a host name is used, ensure it can be locally resolved to an IP address on the DBMS system using a host table; however, if a host name is used, it is still a Finding.",
"description": "The use of IP address in place of host names helps to protect against malicious corruption or spoofing of host names. Use of static IP addresses is considered more stable and reliable than use of hostnames or Fully Qualified Domain Names (FQDN).",
"fixid": "F-26559r1_fix",
"fixtext": "Edit the listener.ora file and replace any HOST= [hostname or domain name] to use static IP addresses for the host.\n\nThe listener.ora file is by default located in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable for the listener service or process owner account.",
"iacontrols": [
"DCFA-1"
],
"id": "V-16031",
"ruleID": "SV-24952r1_rule",
"severity": "low",
"title": "The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.",
"version": "DO6746-ORACLE11"
},
"V-16032": {
"checkid": "C-29493r1_chk",
"checktext": "View the cman.ora file in the ORACLE_HOME/network/admin directory.\n\nIf the file does not exist, the database is not accessed via Oracle Connection Manager and this check is Not a Finding.\n\nIf the entry and value for REMOTE_ADMIN is not listed or is not set to a value of NO (REMOTE_ADMIN = NO), this is a Finding.",
"description": "Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.",
"fixid": "F-26561r1_fix",
"fixtext": "View the cman.ora file in the ORACLE_HOME/network/admin directory of the Connection Manager.\n\nInclude the following line in the file:\n\n REMOTE_ADMIN = NO",
"iacontrols": [
"EBRP-1"
],
"id": "V-16032",
"ruleID": "SV-24955r1_rule",
"severity": "medium",
"title": "Remote administration should be disabled for the Oracle connection manager.",
"version": "DO6747-ORACLE11"
},
"V-16054": {
"checkid": "None",
"checktext": "None",
"description": "Undetected attacks using bad packets can lead to a successful Denial of Service (DoS) to database clients. Notification of attacks based on a flood of bad packets sent to the database can assist in discovery and response to this type of attack.",
"fixid": "F-22866r1_fix",
"fixtext": "Set the value for the sec_protocol_error_trace_action initialization parameter to ALERT or LOG.\n\nTRACE may be appropriate for testing or development, but provides more detail than may be useful.\n\nConsider using ALERT for MAC 1 systems.\n\nFrom SQL*Plus:\n\n alter system set sec_protocol_error_trace_action = 'ALERT' scope = spfile;\n OR\n alter system set sec_protocol_error_trace_action = 'LOG' scope = spfile;\n\nThe above SQL*Plus command will set the parameter to take effect at next system startup.",
"iacontrols": [
"ECAT-1",
"ECAT-2"
],
"id": "V-16054",
"ruleID": "SV-24959r1_rule",
"severity": "medium",
"title": "The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE.",
"version": "DO6752-ORACLE11"
},
"V-16055": {
"checkid": "C-28654r1_chk",
"checktext": "From SQL*Plus:\n select count(*) from dba_users where username like 'FLOWS_%';\n\nIf the value returned is not 0 and the database is a production system, this is a Finding.",
"description": "The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle. Unauthorized application development can introduce a variety of vulnerabilities to the database.",
"fixid": "F-25681r1_fix",
"fixtext": "Remove Application Express using the instruction found in Oracle MetaLink Note 558340.1 from production DBMS systems.\n\nFor new installations, select custom installation and de-select Application Express from the selectable options if available.",
"iacontrols": [
"ECSD-1",
"ECSD-2"
],
"id": "V-16055",
"ruleID": "SV-24961r1_rule",
"severity": "medium",
"title": "Oracle Application Express or Oracle HTML DB should not be installed on a production database.",
"version": "DO6753-ORACLE11"
},
"V-16056": {
"checkid": "C-29496r1_chk",
"checktext": "NOTE: The collection does not include application or custom data within the database. If released to unauthorized persons, system configuration data may be used by malicious persons to gain additional unauthorized access to the database or other systems.\n\nOn UNIX Systems:\n\n ls $ORACLE_HOME/ccr\n\nOn Windows Systems (From Windows Explorer):\n\n Browse to the %ORACLE_HOME% directory.\n\nIf the directory ORACLE_HOME\\ccr does not exist, this is not a Finding.\n\nIf the ccr directory exists, confirm if any of the Oracle databases have been configured for OCM:\n\nFrom SQL*Plus:\n\n select username from dba_users where username = 'ORACLE_OCM';\n\nIf the account exists, OCM has been installed (on this database) and is a Finding.",
"description": "Oracle Configuration Manager (OCM) is a function of the Oracle Software Configuration Manager (SCM). OCM collects system configuration data used for automated upload to systems owned and managed by Oracle to assist in providing customer support. The configuration information about the server that the OCM collects includes IP addresses, hostname, database username, location of datafiles, etc.",
"fixid": "F-26564r1_fix",
"fixtext": "Remove Oracle Configuration Manager.\n\nDetails for removal are provided in Oracle MetaLink Note 369111.1 or in MetaLink Note 728989.1 for a link to the OCM Installation and Administration Guide.",
"iacontrols": [
"ECAN-1"
],
"id": "V-16056",
"ruleID": "SV-24963r1_rule",
"severity": "medium",
"title": "Oracle Configuration Manager should not remain installed on a production system.",
"version": "DO6754-ORACLE11"
},
"V-16057": {
"checkid": "C-29494r1_chk",
"checktext": "View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable.\n\nLocate the following entry:\n\nSQLNET.ALLOWED_LOGON_VERSION = 10\n\nIf the parameter does not exist, this is a Finding.\n\nIf the parameter is not set to a value of 10 or higher, this is a Finding.\n\nNOTE: It has been reported that the there is an Oracle bug (6051243) that prevents connections to the DBMS using JDBC THIN drivers when this parameter is set. The fix is available as patch 6779501.",
"description": "Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls.",
"fixid": "F-26562r1_fix",
"fixtext": "Edit the SQLNET.ORA file to add or edit the entry:\n\nSQLNET.ALLOWED_LOGON_VERSION = 10\n\nSet the value to 10 or higher (10 and 11 are currently valid values).",
"iacontrols": [
"VIVM-1"
],
"id": "V-16057",
"ruleID": "SV-24958r1_rule",
"severity": "medium",
"title": "The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.",
"version": "DO6751-ORACLE11"
},
"V-2420": {
"checkid": "C-17065r1_chk",
"checktext": "Ask the DBA to describe/demonstrate any software modification detection procedures in place and request documents of these procedures for review.\n\nVerify by reviewing reports for inclusion of the DBMS executable and configuration files.\n\nIf documented procedures and proof of implementation does not exist that includes review of the database software directories and database application directories, this is a Finding.",
"description": "Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes, but are modified by the DBMS as part of normal operation. These modifications can be ignored.",
"fixid": "F-3428r1_fix",
"fixtext": "Develop, document and implement procedures to monitor changes made to the DBMS software.\n\nIdentify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups.\n\nFor Windows systems, you can use the dir /s > filename.txt run weekly to store and compare file modification/creation dates and file sizes using the DOS fc command.\n\nFor UNIX systems, you can use the ls \u2013as >filename.txt command to store and compare (diff command) file statistics for comparison.\n\nThese are not as comprehensive as some tools available, but may be enhanced by including checks for checksums or file hashes.",
"iacontrols": [
"DCSL-1"
],
"id": "V-2420",
"ruleID": "SV-24597r1_rule",
"severity": "low",
"title": "Database executable and configuration files should be monitored for unauthorized modifications.",
"version": "DG0010-ORACLE11"
},
"V-2422": {
"checkid": "C-29113r1_chk",
"checktext": "Review documented and implemented procedures for controlling and granting access of the Oracle DBMS software installation account.\n\nIf access or use of this account is not restricted to the minimum number of personnel required or unauthorized access to the account has been granted, this is a Finding.\n\nOn UNIX systems:\n If the account is not disabled when not in use, this is a Finding.\n\nOn Windows systems:\nThe Oracle DBMS software is usually installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. \n\nThe creation of a dedicated Oracle OS account and change of ownership of all files in the %ORACLE_HOME% and %ORACLE_BASE% directories and subdirectories should be performed prior to placing the DBMS system into production. See checks DG0019, DO0120 and DG0102 for details on establishing a dedicated OS account for Oracle services on Windows platforms.",
"description": "DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.",
"fixid": "F-26116r1_fix",
"fixtext": "Develop, document and implement procedures to restrict use of the Oracle DBMS software installation account.\n\nEnsure that the Oracle DBMS software installation account is locked when not in use.",
"iacontrols": [
"ECLP-1",
"ECPA-1"
],
"id": "V-2422",
"ruleID": "SV-24374r1_rule",
"severity": "medium",
"title": "The DBMS software installation account should be restricted to authorized users.",
"version": "DG0040-ORACLE11"
},
"V-2423": {
"checkid": "C-29147r1_chk",
"checktext": "Review documented software and configuration monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications and configuration files is being performed weekly or more often.\n\nVerify that a list of files and directories being monitored is complete.\n\nIf monitoring is not being performed weekly or more often, this is a Finding.\n\nIf implementation evidence is not complete, this is a Finding.",
"description": "Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.",
"fixid": "F-26156r1_fix",
"fixtext": "Develop, document and implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries and configuration files.\n\nIf a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.\n\nFile hashes or checksums should be used for comparisons as file dates may be manipulated by malicious users.",
"iacontrols": [
"DCSL-1",
"DCSW-1"
],
"id": "V-2423",
"ruleID": "SV-24383r1_rule",
"severity": "medium",
"title": "Database software, applications and configuration files should be monitored to discover unauthorized changes.",
"version": "DG0050-ORACLE11"
},
"V-2608": {
"checkid": "C-26563r1_chk",
"checktext": "If a listener is not running on the local database host server, this check is Not a Finding.\n\nNOTE: This check needs to be done only once per host system and once per listener. Multiple listeners may be defined on a single host system. They must all be reviewed, but only once per database home review.\n\nFor subsequent database home reviews on the same host system, mark this check as Not a Finding.\n\nDetermine all Listeners running on the host.\n\nFor Windows hosts, view all Windows services with TNSListener embedded in the service name\n - The service name format is:\n Oracle[ORACLE_HOME_NAME]TNSListener\n\nFor UNIX hosts, the Oracle Listener process will indicate the TNSLSNR executable.\n\nAt a command prompt, issue the command:\n ps -ef | grep tnslsnr | grep \u2013v grep\n\nThe alias for the listener follows tnslsnr in the command output.\n\nYou must be logged on the host system using the account that owns the tnslsnr executable (UNIX). If the account is denied local login, have the system SA assist you in this task by 'su' to the listener account from the root account. On Windows platforms, log in using an account with administrator privileges to complete the check.\n\nFrom a system command prompt, execute the listener control utility:\n\n lsnrctl status [LISTENER NAME]\n\nReview the results for the value of Security.\n\nIf Security = OFF is displayed, this is a Finding.\n\nIf Security = ON: Local OS Authentication is displayed, this is not a Finding.\n\nIf Security = ON: Password or Local OS Authentication, this is a Finding (do not set a password on Oracle versions 10.1 and higher. Instead, use Local OS Authentication).\n\nRepeat the execution of the lsnrctl utility for all active listeners.",
"description": "Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs.",
"fixid": "F-22856r1_fix",
"fixtext": "Configure the listener to use Local OS Authentication. This setting prevents remote administration of the listener, restricts management to the Oracle listener owner account (UNIX) and accounts with administrator privileges (WIN).\n\nRemote administration of the listener should not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred. Authorize and document this requirement in the System Security Plan.",
"iacontrols": [
"EBRP-1"
],
"id": "V-2608",
"ruleID": "SV-24934r1_rule",
"severity": "high",
"title": "The Oracle Listener should be configured to require administration authentication.",
"version": "DO3630-ORACLE11"
},
"V-2612": {
"checkid": "C-26572r1_chk",
"checktext": "Locate the Listener and SQLNet log files. View the contents of the sqlnet.ora and listener.ora configuration files located in the ORACLE_HOME/network/admin directory or the directory specified by the TNS_ADMIN environment variable (if set) for the listener process/service account:\n\nIf the sqlnet.ora parameter TRACE_LEVEL_SERVER is not defined or is set to OFF OR 0, SQLNet logging is not enabled and the check for these parameters below is Not a Finding, otherwise, verify the directories specified in the following parameters of the sqlnet.ora file exist:\n \nLOG_FILE_SERVER = sqlnet [filename is sqlnet.log]\nLOG_DIRECTORY_SERVER = [directory on a volume with enough free space]\n\nVerify the directories and files specified in the following parameters of the listener.ora exist:\n\nNOTE: If you are using Automatic Diagnostic Repository (ADR) logging (DIAG_ADR_ENABLED_[listener name] = ON in listener.ora), the following parameters are Not Applicable. Setting DIAG_ADR_ENABLED_[listener name] = OFF reverts to traditional listener tracing/logging and the following parameters are in effect. For more information on Automatic Diagnostic Repository (ADR), refer to Oracle MetaLink Note 454927.1.\n\nLOG_DIRECTORY_[listener name] = [directory on a volume with enough free space]\nLOG_FILE_[listener name] = listener\nTRACE_DIRECTORY_[listener name] = [directory on a volume with enough free space]\n\nDefault log file locations (by Oracle Version):\n\n - DIAG_ADR_ENABLED_[listener name] = OFF:\n\n -- listener log directory and file: ORACLE_HOME/network/log/listener.log\n -- listener trace directory and files: ORACLE_HOME/network/trace/listener.trc\n -- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log \n -- sqlnet trace file: ORACLE_HOME/network/trace/sqlnet.trc\n\n - DIAG_ADR_ENABLED_[listener name] = ON:\n\nNOTE: The ADR_HOME is defined from the ADR_BASE parameter. 
If ADR_BASE is not defined, then ADR_BASE is set to the value of the DIAGNOSTIC_DEST initialization parameter, or if DIAGNOSTIC_DEST is not defined, then the value of the ORACLE_BASE environment variable is used. See Oracle MetaLink Note 453125.1 for more information on ADR file locations.\n\n -- listener log directory and file: [ADR_HOME]/alert/log.xml \n -- listener trace log directory and files: [ADR_HOME]/trace/alert_[SID].log and [ADR_HOME]/trace/*.trc \n -- sqlnet log file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/sqlnet.log and [listener name].log\n -- sqlnet trace file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/*.trc\n\nThe listener log file location may also be determined using the lsnrctl utility, STATUS command, and viewing the value displayed for listener log file.\n\nReview access permissions assigned to the files and directories:\n\n - For UNIX, verify that the permissions on the directory and log files are restricted to the Oracle software owner and OS DBA and/or Listener process group.\n\n - For Windows, verify that the file permissions on the listener.log and sqlnet.log files restrict access to the Oracle software owner and OS DBA and/or Listener process group.\n\nIf access to the files is not restricted as listed above, this is a Finding.",
"description": "The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.",
"fixid": "F-26555r1_fix",
"fixtext": "Restrict access to the listener and sqlnet log files.\n\nRestrict access to the tnslsnr service account to DBAs, SAs and auditors where they are required by assigned responsibilities.",
"iacontrols": [
"ECTP-1"
],
"id": "V-2612",
"ruleID": "SV-24946r1_rule",
"severity": "medium",
"title": "Oracle SQLNet and listener log files should not be accessible to unauthorized users.",
"version": "DO5037-ORACLE11"
},
"V-3440": {
"checkid": "None",
"checktext": "None",
"description": "Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where systems are located in the DMZ, network communications between both systems must be encrypted. In all cases, the application account requires PKI authentication. IP address restriction to the backend database system, under a separate requirement, provides an additional level of protection.",
"fixid": "F-26517r1_fix",
"fixtext": "Configure PKI authentication to help protect access to the shared account.\n\nPKI authentication may be accomplished using Oracle Advanced Security on most platforms.\n\nOn a Windows host, user authentication using PKI may be used with Active Directory or NTS authentication using the DoD CAC.\n\nOn UNIX and other hosts, Oracle Advanced Security may used to authenticate via LDAP or SSL.\n\nThe application may require storage of the authentication certificate in the Oracle Wallet or on a hardware security module (HSM) to authenticate.\n\nPlease see the Oracle Security Guides and the Oracle Advanced Security Guides for instructions on configuring PKI authentication.",
"iacontrols": [
"IAGA-1"
],
"id": "V-3440",
"ruleID": "SV-24537r1_rule",
"severity": "medium",
"title": "Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.",
"version": "DO0360-ORACLE11"
},
"V-3497": {
"checkid": "C-29489r1_chk",
"checktext": "If a listener is not running on the local database host server, this check is Not a Finding.\n\nUse the LSNRCTL utility and issue the STATUS [listener-name] command to locate the listener.ora file.\n\nOpen the listener.ora file in a text editor or viewer.\n\nLocate the line with ADMIN_RESTRICTIONS_[listener-name] = ON where listener-name is the alias of the listener supplied by the DBA.\n\nIf no such line is found, this is a Finding.\n\nRepeat for each listener listed in the LISTENER.ORA file.",
"description": "The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters available through the set command. This vulnerability has been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS parameter, set in the listener.ora file, prohibits dynamic listener configuration changes and protects the configuration using host operating system security controls.",
"fixid": "F-26557r1_fix",
"fixtext": "Edit the listener.ora file and add the following line for each listener in use on the system:\n\nADMIN_RESTRICTIONS_[listener-name] = ON\n\nRestart the listener to activate the setting.",
"iacontrols": [
"EBRP-1"
],
"id": "V-3497",
"ruleID": "SV-24949r1_rule",
"severity": "medium",
"title": "The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.",
"version": "DO6740-ORACLE11"
},
"V-3726": {
"checkid": "C-1257r1_chk",
"checktext": "Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for:\n (1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;\n (2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;\n (3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and\n (4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.\n\nIf documented evidence for procedures or processes outlined above are not present or are incomplete, this is a Finding.",
"description": "Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross boundaries. It is important, however, for the boundaries of CM responsibility to be clearly defined and assigned to ensure no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications.",
"fixid": "F-3780r1_fix",
"fixtext": "Develop, document and implement configuration management procedures or processes.\n\nEnsure the 4 major requirements listed in the check are documented at a minimum.\n\nAssign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.",
"iacontrols": [
"DCPR-1"
],
"id": "V-3726",
"ruleID": "SV-24599r1_rule",
"severity": "low",
"title": "Configuration management procedures should be defined and implemented for database software modifications.",
"version": "DG0011-ORACLE11"
},
"V-3728": {
"checkid": "C-26063r1_chk",
"checktext": "Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding.\n\nFrom Command Prompt:\n $ORACLE_HOME/OPatch/opatch lsinventory \u2013detail | more (UNIX)\n %ORACLE_HOME%/OPatch/opatch lsinventory \u2013detail | more (Windows)\n\nRequires additional License on Enterprise Edition:\nOracle Active Data Guard\nOracle Total Recall\nOracle Real Application Clusters\nOracle In-Memory Database Cache\nOracle Advanced Security\nOracle Label Security\nOracle Database Vault\nOracle Change Management Pack \nOracle Configuration Management Pack\nOracle Diagnostic Pack\nOracle Tuning Pack\nOracle Provisioning and Patch Automation Pack\nOracle Real Application Testing\nOracle Partitioning\nOracle OLAP\nOracle Data Mining\nOracle Data Quality and Profiling\nOracle Data Watch and Repair Connector\nOracle Advanced Compression\nOracle Spatial\nOracle Content Database Suite\n\nRequires additional License:\nOracle Database Gateways\n\nConfirm requirements for these products:\nDatabase Workspace Manager\nEnterprise Manager Agent\niSQL*Plus\nLDAP\nOracle Data Guard\nOracle Fail Safe (Windows only)\nOracle HTTP Server\nOracle interMedia\nOracle Internet Directory\nOracle Advanced Replication\nOracle Starter Database\nOracle Text\nOracle Virtual Private Database\nOracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption)\nOracle XML Development\nSample Schema\n\nNOTE: This list does not take into account product dependencies that when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. 
The list of product dependencies may be subject to change by Oracle and is not addressed here.",
"description": "Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.",
"fixid": "F-23717r1_fix",
"fixtext": "Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database SCHEMA, objects and applications that exclusively support them.",
"iacontrols": [
"DCFA-1"
],
"id": "V-3728",
"ruleID": "SV-24359r1_rule",
"severity": "low",
"title": "Unused database components, database application software and database objects should be removed from the DBMS system.",
"version": "DG0016-ORACLE11"
},
"V-3803": {
"checkid": "C-936r1_chk",
"checktext": "Review the System Security Plan and interview the DBA and IAO to determine if the DBMS host contains production and non-production DBMS installations.\n\nIf the DBMS host contains both production and non-production DBMS installations or the production DBMS installation is being used for non-production efforts, determine if this allowance is documented in the System Security Plan and authorized by the IAO.\n\nIf not documented and authorized, this is a Finding.\n\nNOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.",
"description": "Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a production-level can impede development efforts whereas production/non-production DBMS installations secured at a development-level can lead to exploitation of production-level installations. Production DBMS installations should be kept separate from development, QA, TEST and other non-production DBMS systems.",
"fixid": "F-26104r1_fix",
"fixtext": "Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110).\n\nA dedicated host system in this case refers to an instance of the operating system at a minimum.\n\nThe operating system may reside on a virtual host machine where supported by the DBMS vendor.",
"iacontrols": [
"ECSD-1",
"ECSD-2"
],
"id": "V-3803",
"ruleID": "SV-24606r1_rule",
"severity": "medium",
"title": "A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.",
"version": "DG0017-ORACLE11"
},
"V-3805": {
"checkid": "C-29106r1_chk",
"checktext": "Ask the DBA/SA to demonstrate file and group ownership of the Oracle DBMS software and files and directories.\n\nOn Windows systems:\n\nLaunch a Windows Explorer window. In the Right Pane, Right-Click on one of the display headers and select Owner from the list. Move the Owner column after the Name column. Size the Owner column to fit the current contents.\n\nNOTE: This will show the owner column for this folder only. If you want to see the owner column in all folders, select Tools -> Options -> View tab and click on the Apply to All Folders button.\n\nThe Oracle DBMS software is usually installed using an account with administrator privileges and ownership is assigned either to the account used to install the DBMS software or to the Administrators group.\n\nFor DBMS systems with multiple Oracle Homes using a common Oracle Base, ensure an ownership review for files and directories in the %ORACLE_BASE% that are not addressed above is performed.\n\nIf any files or directories belonging to an Oracle DBMS software installation are not owned by a dedicated Oracle OS owner account, this is a Finding.\n\nOn UNIX systems:\n\nfind $ORACLE_HOME /var/opt/oracle /etc/ora* /usr/local/bin/*ora* usr/local/bin/db* ! -user oracle -o ! 
-group oinstall | xargs ls -lR -d\n\nWhere \"oracle\" is the known Oracle Owner account name and \"oinstall\" is the known Oracle Group account name.\n\nReview the resulting output and note the file/directory ownership.\n\nFor DBMS systems with multiple Oracle Homes using a common Oracle Base, ensure an ownership review for files and directories in the %ORACLE_BASE% that are not addressed above is performed.\n\nIf any files or directories belonging to an Oracle DBMS software installation are not owned by a dedicated Oracle OS owner account, this is a Finding.\n\nThe owner and group ownership as well as file permissions for the following files (if present) should not be changed:\n extjob\n jssu\n nmb\n nmhs\n nmo\n oradism\n externaljob.ora\n coraenv\n dbhome\n oraenv",
"description": "File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.",
"fixid": "F-26109r1_fix",
"fixtext": "Assign DBMS file and directory ownership to a dedicated Oracle OS owner account.\n\nDocument the locations of Oracle DBMS files and directories in the System Security Plan.\n\nOn Windows systems:\n\nThe creation of a dedicated Oracle OS account and change of ownership of all files in the %ORACLE_HOME% directories and subdirectories should be performed prior to placing the DBMS system into production.\n\nSee checks DO0120 and DG0102 for details on establishing a dedicated OS account for Oracle services on Windows platforms.\n\nUsing the dedicated Oracle OS owner account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.\n\nOn UNIX systems:\n\nAssign DBMS file and directory ownership to a dedicated Oracle host OS software installation and maintenance account.\n\nThe owner and group ownership as well as file permissions for the following files (if present) should not be changed:\n\nextjob\njssu\nnmb\nnmhs\nnmo\noradism\nexternaljob.ora\ncoraenv\ndbhome\noraenv\n\nUsing the dedicated Oracle host OS software installation and maintenance account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.",
"iacontrols": [
"DCSL-1",
"ECSD-1",
"ECSD-2"
],
"id": "V-3805",
"ruleID": "SV-24363r1_rule",
"severity": "low",
"title": "Application software should be owned by a Software Application account.",
"version": "DG0019-ORACLE11"
},
"V-3806": {
"checkid": "C-29111r1_chk",
"checktext": "Review DBMS software baseline procedures and implementation evidence.\n\nReview the list of files, directories and details included in the current baseline for completeness.\n \nIf DBMS software configuration baseline procedures do not exist, evidence of implementation does not exist, or baseline is not documented and current, this is a Finding.",
"description": "Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.",
"fixid": "F-26114r1_fix",
"fixtext": "Develop, document and implement DBMS software baseline procedures that include all DBMS software files and directories under the ORACLE_BASE and ORACLE_HOME environment variables and any custom and platform-specific directories.\n\nGenerate a list of files, directories and details for the DBMS software configuration baseline.\n\nUpdate the configuration baseline after new installations, upgrades/updates or maintenance activities that include changes to the baseline software.",
"iacontrols": [
"DCSW-1"
],
"id": "V-3806",
"ruleID": "SV-24610r1_rule",
"severity": "medium",
"title": "A baseline of database application software should be documented and maintained.",
"version": "DG0021-ORACLE11"
},
"V-3807": {
"checkid": "C-29151r1_chk",
"checktext": "Review the DBMS audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included.\n\nIf an alternate method other than DBMS logging is authorized and implemented, review the audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included.\n\nIf application access to the DBMS is not being audited, this is a Finding.\n\nIf auditing does not capture the name [or unique identifier] of applications accessing the DBMS at a minimum, this is a Finding.",
"description": "Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to the database can lead to discovery of unauthorized access attempts.",
"fixid": "F-26162r1_fix",
"fixtext": "Modify auditing to ensure audit records include identification of applications used to access the DBMS.\n\nEnsure auditing captures the name [or unique identifier] of applications accessing the DBMS at a minimum.\n\nDevelop or procure a 3rd-party solution where native DBMS logging is not employed or does not capture required information.",
"iacontrols": [
"ECAT-1",
"ECAT-2"
],
"id": "V-3807",
"ruleID": "SV-24626r1_rule",
"severity": "medium",
"title": "All applications that access the database should be logged in the audit trail.",
"version": "DG0052-ORACLE11"
},
"V-3809": {
"checkid": "C-29154r1_chk",
"checktext": "Review documented and implemented procedures contained or noted in the System Security Plan for providing database client connection information to users and user workstations. Oracle client connection information is stored in the file: \n\n$ORACLE_HOME/network/admin/tnsnames.ora (UNIX) %ORACLE_HOME%\\network\\admin\\tnsnames.ora (Windows)\n\nIf procedures do not indicate and implement restrictions in distribution of connection definitions to personnel/machines authorized to connect to the database, this is a Finding.",
"description": "Many sites distribute a single client database connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access databases not required by all users that may assist in unauthorized access attempts.",
"fixid": "F-26165r1_fix",
"fixtext": "Develop, document and implement procedures to distribute client connection definitions or definition files that contain only connection definitions authorized for that user or user workstation.\n\nInclude or note these procedures in the System Security Plan.",
"iacontrols": [
"ECAN-1"
],
"id": "V-3809",
"ruleID": "SV-24628r1_rule",
"severity": "medium",
"title": "A single database connection configuration file should not be used to configure all database clients.",
"version": "DG0053-ORACLE11"
},
"V-3811": {
"checkid": "C-29163r1_chk",
"checktext": "If all database accounts are configured to authenticate using certificates or other credentials besides passwords, this check is Not a Finding.\n\nReview documented procedures and evidence of implementation for assignment of temporary passwords for password-authenticated accounts.\n\nConfirm temporary passwords meet DoD password requirements.\n\nReview documented procedures for distribution of temporary passwords to users.\n\nHave the DBA demonstrate that the DBMS or applications accessing the database are configured to require a change of password by the user upon first use.\n\nIf documented procedures and evidence do not exist or are not complete, temporary passwords do not meet DoD password requirements, or the DBMS or applications accessing the database are not configured to require a change of password by the user upon first use, this is a Finding.",
"description": "New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.",
"fixid": "F-26175r1_fix",
"fixtext": "Develop, document and implement procedures for assigning, distributing and changing of temporary passwords for new database user accounts.\n\nProcedures should include instructions that meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user.\n\nTemporary passwords should also be short-lived and require immediate update by the user upon first use.\n\nConsider using account authentication using certificates or other credentials in place of password authentication.",
"iacontrols": [
"IAIA-1",
"IAIA-2"
],
"id": "V-3811",
"ruleID": "SV-24639r1_rule",
"severity": "medium",
"title": "Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.",
"version": "DG0066-ORACLE11"
},
"V-3812": {
"checkid": "C-29165r1_chk",
"checktext": "This check applies specifically to the Oracle DBMS installation and its associated files, scripts and environments.\n\nThis check does not apply to compiled, encoded or encrypted application source code and batch job code covered in Check DG0130. \n\nAsk the DBA to review the list of DBMS database objects, database configuration files, associated scripts and applications defined within and external to the DBMS that access the database.\n\nThe list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts.\n\nAsk the DBA and/or IAO to determine if any DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings contain database passwords.\n\nIf any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted.\n\nIf any passwords are stored in clear text, this is a Finding.\n\nIf a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings is not maintained in the System Security Plan, this is a Finding.",
"description": "Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS.",
"fixid": "F-26177r1_fix",
"fixtext": "Develop, document and maintain a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings in the System Security Plan.\n\nRecord whether they do or do not contain DBMS passwords.\n\nIf passwords are present, ensure they are encoded or encrypted and protected by host system security.\n\nConsider using vendor or 3rd party tools to support external authentication (i.e. Oracle Database Vault).",
"iacontrols": [
"IAIA-1",
"IAIA-2"
],
"id": "V-3812",
"ruleID": "SV-24641r1_rule",
"severity": "high",
"title": "Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.",
"version": "DG0067-ORACLE11"
},
"V-3813": {
"checkid": "C-29167r1_chk",
"checktext": "Review policy and instructions included or noted in the System Security Plan used to inform users and administrators not to enter database passwords at the command line.\n\nReview documented and implemented procedures used to monitor the DBMS system for such activity.\n\nIf policy or instructions do not exist, proof of users and administrators being briefed does not exist or monitoring for compliance is not being performed to dissuade the practice of entering database passwords on the command line, this is a Finding.",
"description": "Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, then users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the user's computer screen.",
"fixid": "F-26179r1_fix",
"fixtext": "Review policy and instructions included or noted in the System Security Plan used to inform users and administrators not to enter database passwords at the command line.\n\nReview documented and implemented procedures used to monitor the DBMS system for such activity.\n\nIf policy or instructions do not exist, proof of users and administrators being briefed does not exist or monitoring for compliance is not being performed to dissuade the practice of entering database passwords on the command line, this is a Finding.",
"iacontrols": [
"IAIA-1",
"IAIA-2"
],
"id": "V-3813",
"ruleID": "SV-24643r1_rule",
"severity": "medium",
"title": "DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.",
"version": "DG0068-ORACLE11"
},
"V-3825": {
"checkid": "C-29218r1_chk",
"checktext": "Ask the DBA if the DBMS is accessed remotely for administration purposes.\n\nIf it is not, this check is Not a Finding.\n\nIf it is, ask the DBA if the remote access to DBA accounts is made using remote access to the DBMS host or made directly to the database from a remote database client.\n\nIf administration is performed using remote access to the DBMS host, review policy and procedures documented or noted in the System Security Plan, along with evidence that remote administration of the DBMS is performed only via an encrypted connection protocol such as SSH or IPSec.\n\nIf it is not, this is a Finding.\n\nIf administration is performed from a remote database client, confirm that a dedicated database listener that encrypts communications exists for remote administrative communications.\n\nIf a DBMS listener that encrypts traffic is not configured, this is a Finding.\n\nIf any listeners on the DBMS host are configured to accept unencrypted traffic, review documented policy, procedures and evidence of training DBAs not to use the unencrypted listener for remote access to DBA accounts.\n\nIf no such policy exists or the DBAs have not been instructed not to use the unencrypted connections, this is a Finding.\n\nNote: Out-Of-Band (OOB) is allowed for remote administration, however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check.\n\nEnsure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.",
"description": "Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. Encryption of remote administrative connections to the database ensures confidentiality of configuration, management, and other administrative data.",
"fixid": "F-22699r1_fix",
"fixtext": "Where remote access to DBA accounts is not allowed, develop, document and implement policies and train DBAs that remote access to DBA accounts is prohibited. \n\nWhere remote access to DBA accounts is allowed, the remote connection must be encrypted.\n\nEnsure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.\n\nIf remote access is established via the database listener, then install a dedicated listener configured to encrypt all traffic for use by DBAs for remote access.\n\nThis requires use of Oracle Advanced Security and Oracle Wallet Manager.\n\nSee the Oracle Advanced Security Guide, Configuring Network Data Encryption and Integrity for Oracle Servers and Clients for details.\n\nConfigure the listener to require SSL for the DBA connections by specifying the TCPS as the network protocol.\n\nSample listener.ora entries:\n\nDBALSNR =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575))\n (CONNECT_DATA = \n (SERVER = DEDICATED)\n (SERVICE_NAME = [SID])\n )\n )\n\nConfigure the server's FIPS.ORA file to use FIPS 140-2 compliant settings to encrypt the traffic and ensure integrity of the transmission.\n\nIn the FIPS.ORA file in the $ORACLE_HOME/ldap/admin directory or the directory specified in the FIPS_HOME environment variable for the dedicated listener on the server, add the following line:\n\n SSLFIPS_140=TRUE\n\nMonitor the listener log files for evidence of any unencrypted remote access to DBA accounts.",
"iacontrols": [
"ECCT-1",
"ECCT-2"
],
"id": "V-3825",
"ruleID": "SV-24687r1_rule",
"severity": "medium",
"title": "Remote administrative connections to the database should be encrypted.",
"version": "DG0093-ORACLE11"
},
"V-3827": {
"checkid": "C-29224r1_chk",
"checktext": "If the database being reviewed is not a production database, this check is Not a Finding.\n\nReview policy and procedures documented or noted in the System Security plan as well as evidence of implementation for daily audit trail monitoring. \n\nIf policy and procedures are not documented or evidence of implementation is not available, this is a Finding.",
"description": "Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensure that such access is discovered in a timely manner.",
"fixid": "F-26245r1_fix",
"fixtext": "Develop, document and implement policy and procedures to monitor audit trail data daily.",
"iacontrols": [
"ECAT-1"
],
"id": "V-3827",
"ruleID": "SV-24405r1_rule",
"severity": "medium",
"title": "Audit trail data should be reviewed daily or more frequently.",
"version": "DG0095-ORACLE11"
},
"V-3842": {
"checkid": "C-29407r1_chk",
"checktext": "Review the Oracle process/owner account.\n\nFor UNIX Systems:\n\nLog into the Oracle installation account and from a system prompt enter:\n\n groups\n\nIf root is returned in the list, this is a Finding.\n\nFor Windows Systems:\n\nLog in using an account with administrator privileges.\n\nOpen the Services snap-in.\n\nIf the Oracle services are not assigned a dedicated OS account (view the Log on As tab), this is a Finding.\n\nIf the account is assigned group membership to other than the local administrator account and Oracle DBA groups, this is a Finding.\n\nView user rights assigned to the service accounts.\n\nIf Deny Logon Locally is not assigned to the Oracle service account, this is a Finding.\n\nIf the service account is a domain rather than local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups).\n\nIf the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.",
"description": "A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the process account can help contain access to other processes and host system resources. This can in turn help to limit any resulting malicious activity.",
"fixid": "F-26434r1_fix",
"fixtext": "Remove root privileges from the Oracle software owner account on UNIX systems.\n\nCreate and assign a dedicated OS account for all Oracle processes (Windows).\n\nGrant the dedicated OS account Oracle DBA privileges and assign the Deny Logon Locally user right to the dedicated OS account.",
"iacontrols": [
"DCFA-1"
],
"id": "V-3842",
"ruleID": "SV-24465r1_rule",
"severity": "medium",
"title": "The Oracle software installation account should not be granted excessive host system privileges.",
"version": "DO0120-ORACLE11"
},
"V-3845": {
"checkid": "C-29411r1_chk",
"checktext": "Review the membership for the Oracle DBA host system OS group. \n\nOn UNIX systems:\n\n cat /etc/group | grep -i dba [where dba is the default group name from Oracle]\n\nTo display the group name if dba is not the default, use the command:\n\n cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP\n\nOn Windows Systems:\n\nOpen Computer Management, expand System Tools, expand Local Users and Groups, select the Group folder.\n\nDouble-click on the ORA_DBA group to view group members.\n\nCompare the list of members with the list of authorized DBA accounts documented in the System Security Plan with the IAO.\n\nIf any users are assigned to the group that are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.",
"description": "Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities.",
"fixid": "F-26438r1_fix",
"fixtext": "Document user accounts that are authorized by the IAO to be assigned DBA privileges in the System Security Plan.\n\nRemove any accounts assigned membership in the operating system DBA group that have not been authorized by the IAO.\n\nDevelop, document and implement procedures for periodic review of accounts assigned membership to the DBA group.",
"iacontrols": [
"DCSD-1"
],
"id": "V-3845",
"ruleID": "SV-24853r1_rule",
"severity": "low",
"title": "OS DBA group membership should be restricted to authorized accounts.",
"version": "DO0145-ORACLE11"
},
"V-3862": {
"checkid": "C-29443r1_chk",
"checktext": "Review the listener.ora file and the sqlnet.ora file.\n\nIf the INBOUND_CONNECT_TIMEOUT_[listener-name] parameter does not exist for each listener found in the listener.ora, or does not contain a value greater than 0, this is a Finding.\n\nIf the SQLNET.INBOUND_CONNECT_TIMEOUT parameter does not exist in the sqlnet.ora, or does not contain a value greater than 0, this is a Finding.\n\nNOTE: Although the default value may provide adequate protection, assuming the default could lead to unanticipated changes in future product updates. Specify a value to manage the setting.",
"description": "The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT parameters define the limit the database listener and database server respectively will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a Denial-of-Service attack where multiple connection requests are made that are not used or closed from a client. Server resources can be exhausted if unused connections are maintained.",
"fixid": "F-26505r1_fix",
"fixtext": "Using a text editor or administrative tool, modify the listener.ora file to include a limit for connection request timeouts for the listener.\n\nExample entry (value unit is in seconds):\n\n INBOUND_CONNECT_TIMEOUT_LISTENER = 2\n\nModify the sqlnet.ora file to include a limit for connection request timeouts for the listener.\n\nExample entry (value unit is in seconds):\n\n SQLNET.INBOUND_CONNECT_TIMEOUT = 3\n\nReview the Oracle Net Services Administrator's Guide for information about configuring these parameters.",
"iacontrols": [
"ECLO-1"
],
"id": "V-3862",
"ruleID": "SV-24890r1_rule",
"severity": "medium",
"title": "The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.",
"version": "DO0286-ORACLE11"
},
"V-3863": {
"checkid": "C-29445r1_chk",
"checktext": "View the SQLNET.ORA file to verify if SQLNET.EXPIRE_TIME has been set to a value greater than 0.\n\nIf the parameter does not exist or is set to 0, this is a Finding.",
"description": "The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency of active connection verification of a client connection. This prevents indefinite open connections to the database where client connections have not been terminated properly. Indefinite open connections could lead to an exhaustion of system resources or leave an open connection available for compromise.",
"fixid": "F-26508r1_fix",
"fixtext": "Using a text editor or administrative tool, modify the SQLNET.ORA file on the database host server to include a limit for connection request timeouts for the listener.\n\nExample entry (value unit is in minutes):\n\n SQLNET.EXPIRE_TIME = 3\n\nNOTE: Use the lowest number possible that does not generate so much network traffic that performance becomes unacceptable. The lower the number, the less likely an exhaustion of resources will occur. Set the value to the lowest number greater than 0 that is supported by the target system environment.",
"iacontrols": [
"ECLO-1"
],
"id": "V-3863",
"ruleID": "SV-24893r1_rule",
"severity": "medium",
"title": "The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.",
"version": "DO0287-ORACLE11"
},
"V-3866": {
"checkid": "C-29457r1_chk",
"checktext": "Determine if the Oracle Management Agent is installed:\n\nFrom SQL*Plus:\n\n select account_status from dba_users\n where upper(username) = 'DBSNMP';\n\nIf no rows are returned, this is not a Finding.\n\nIf the DBSNMP account exists and the account_status is OPEN, then verify in the System Security Plan that operation and use of the Oracle Enterprise Manager Management Agent or another SNMP management program is documented and authorized.\n\nIf it is not documented in the System Security Plan as being required, this is a Finding.\n\nIf the DBSNMP account exists and the account_status is not OPEN, schedule the FIX action below then mark as not a Finding.\n\nDespite any justification or authorization, if a Management Agent is installed on a DBMS server that is in a DMZ and Internet facing, this is a Finding.",
"description": "The Oracle Management Agent (Oracle Intelligent Agent in earlier versions) provides the mechanism for local and/or remote management of the local Oracle Database by Oracle Enterprise Manager or other SNMP management platforms. Because it provides access to operating system and database functions, it should be uninstalled if not in use.",
"fixid": "F-26519r1_fix",
"fixtext": "Use the ORACLE_HOME/rdbms/admin/catnsnmp.sql script to remove all Oracle SNMP management agent objects in the database.\n\nDelete the executable file ORACLE_HOME/bin/dbsnmp or dbsnmp.exe if it exists from any Oracle Home not authorized for SNMP management.\n\nUninstall any SNMP management agents installed on Oracle database servers installed in a DMZ that serve applications to Internet users.\n\nUninstall any SNMP management agents that have not been authorized and documented in the System Security Plan.\n\nDocument any authorized use of the SNMP management agent on database servers that do not support Internet applications in a DMZ in the System Security Plan.\n\nNOTE: Removal of SNMP management objects will prevent the ability to generate database statistics within Oracle Enterprise Manager.",
"iacontrols": [
"DCFA-1"
],
"id": "V-3866",
"ruleID": "SV-24546r1_rule",
"severity": "low",
"title": "The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.",
"version": "DO0430-ORACLE11"
},
"V-43137": {
"checkid": "C-26268r2_chk",
"checktext": "Verify organizational requirements for encryption based on the system's data classification. If DBMS encryption is not required, this check is not a finding.\n\nIf DBMS encryption is required and cryptography is either not being used or is not NIST FIPS 140-2 certified, this is a Finding.\n\nMaintain a copy of the FIPS 140-2 Validation Certificate for the cryptographic modules in use as proof of certification.\n\nDetailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website:\n\nhttp://csrc.nist.gov/groups/STM/cmvp/index.html\n\n--\n\nReview the DBMS documentation to determine where cryptography may be used and/or configured.\n\nReview network communication encryption options, data object encryption (both tables and application code objects), and encryption key management.\n\nFor UNIX systems:\n $ORACLE_HOME/OPatch/opatch lsinventory -detail | grep \"Oracle Advanced Security\"\n\nFor Windows Systems:\n %ORACLE_HOME%/OPatch/opatch lsinventory -detail | find \"Oracle Advanced Security\"\n\nIf DBMS data/network encryption is required and Oracle Advanced Security is not installed, this is a Finding.\n\nView the SQLNET.ORA file.\n\nIf SQLNET.SSLFIPS_140 = TRUE is not set, this is a Finding.\n\nIf SSL_CIPHER_SUITES is not defined, this is a Finding.\n\nIf any cipher suite listed in the SSL_CIPHER_SUITES value list is not included in the cipher suite list included below (and in this order), this is a Finding.\n\nFIPS 140-2 validated cipher suites for the Oracle SSL Libraries in the order of strongest to weakest:\n\nSSL_RSA_WITH_AES_256_CBC_SHA\nSSL_RSA_WITH_AES_128_CBC_SHA \nSSL_RSA_WITH_3DES_EDE_CBC_SHA \nSSL_RSA_WITH_RC4_128_SHA \nSSL_RSA_WITH_RC4_128_MD5 \nSSL_RSA_WITH_DES_CBC_SHA \nSSL_DH_anon_WITH_3DES_EDE_CBC_SHA \nSSL_DH_anon_WITH_RC4_128_MD5 \nSSL_DH_anon_WITH_DES_CBC_SHA\n\nDetailed information on the FIPS 140-2 standard is available at the following website:\n\nhttp://csrc.nist.gov/groups/SMA/index.html",
"description": "Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.",
"fixid": "F-22674r3_fix",
"fixtext": "Obtain and utilize native or third-party NIST FIPS 140-2 validated cryptography solution for the DBMS.\n\nInstallation of Oracle Advanced Security product (which may require additional Oracle licensing consideration) is required to use native Oracle encryption.\n\nPlease see the Oracle Advanced Security Administrator's Guide for configuration and use of encryption in the database. The Oracle Advanced Security Administrator's Guide provides references to the encryption features provided by Oracle Advanced Security.\n\nInstructions for the configuration of FIPS 140-2 compliance for encryption of network communications are provided in a dedicated appendix of the Oracle Advanced Security Administrator's Guide.\n\nAll cipher suites listed above include FIPS 140-2 validated algorithms available for data encryption.\n\nEncryption of data stored within the database is available only in Oracle versions 11.1 and later. View Data Encryption and Integrity in the Oracle Advanced Security Administration Guide for configuration details. \n\nNote: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG. FIPS 140-2 non-compliance at the host/network level does not negate this requirement.",
"iacontrols": [
"DCNR-1"
],
"id": "V-43137",
"ruleID": "SV-55867r1_rule",
"severity": "medium",
"title": "DBMS cryptography must be NIST FIPS 140-2 validated.",
"version": "DG0025-ORACLE11"
},
"V-4754": {
"checkid": "C-19568r1_chk",
"checktext": "For UNIX Systems:\n ls $ORACLE_BASE\n ls $ORACLE_HOME\n\nIf the ORACLE_BASE directory contains subdirectories other than ORACLE_HOME directories, a flash_recovery_area directory and an admin directory, verify they are used by the DBMS.\n\nIf they are not part of the Oracle DBMS software product, this is a Finding.\n\nNOTE: Oracle DBMS data file storage may be placed on a separate, dedicated disk partition and linked to ORACLE_BASE. Refer to check DG0112.\n\nFor Windows Systems:\n echo %ORACLE_BASE%\n echo %ORACLE_HOME%\n\nORACLE_BASE, if defined, is usually set to C:\\Program Files\\Oracle.\n\nIf ORACLE_HOME is not in a dedicated directory separate from the OS software and other applications where supported by the DBMS, this is a Finding.\n\nAll Systems:\n Recommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS on all platforms.",
"description": "Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application\u2019s database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.",
"fixid": "F-3797r1_fix",
"fixtext": "Install Oracle DBMS software using directories separate from the OS and other application software library directories.\n\nRe-locate any directories or re-install other application software that currently shares the DBMS software library directory to separate directories.\n\nRecommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS.",
"iacontrols": [
"DCPA-1"
],
"id": "V-4754",
"ruleID": "SV-24350r1_rule",
"severity": "medium",
"title": "Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.",
"version": "DG0012-ORACLE11"
},
"V-5658": {
"checkid": "C-28293r1_chk",
"checktext": "From SQL*Plus:\n select banner from v$version where banner like 'Oracle%';\n\nCurrently supported Oracle 11g versions as of 10/2009 are:\n\n11.1 - Premier Support for 11.1 ends 31 Aug 2012\n Extended Support for 11.1 available after 31 Aug 2012\n Sustaining Support for 11.1 available after 31 Aug 2015\n\n11.2 - Premier Support for 11.2 ends 31 Jan 2015\n Extended Support for 11.2 ends 31 Jan 2018\n Sustaining Support for 11.1 available after 31 Jan 2018\n\nIf the Oracle version is not in the list above or is not supported with a purchased extended support contract, this is a Finding.\n\nNote: Sustaining Support does not include security updates. Any product in Sustaining Support is a Finding.\n\nA patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process.\n\nOracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions).\n\nCurrently supported patched versions as of 6/2010 are:\n\n11.2.0.1.0 (Select Platforms)\n11.1.0.7.0\n\nIf the Oracle patchset level is less than that listed above, this is a Finding.",
"description": "Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack.",
"fixid": "F-22570r1_fix",
"fixtext": "Upgrade to a supported Oracle version. Purchase an Oracle Extended Support Contract where required.\n\nSee http://www.oracle.com/technology/support/patches.htm for a definitive list of version patch sets for Oracle DBMS software.\n\nSee http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf for Oracle support policies and timelines.",
"iacontrols": [
"VIVM-1"
],
"id": "V-5658",
"ruleID": "SV-24339r1_rule",
"severity": "high",
"title": "Vendor supported software is evaluated and patched against newly found vulnerabilities.",
"version": "DG0001-ORACLE11"
},
"V-5659": {
"checkid": "C-26060r1_chk",
"checktext": "Oracle provides patches in service patchsets, Critical Patch Updates (CPU) as well as providing patch set exceptions for installed DBMS products.\n\nA patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 11.1.0.6 to 11.1.0.7) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions). This is covered in Check DG0001.\n\nOracle security patches are published quarterly in January, April, July and October as Critical Patch Updates (CPU). CPUs may be viewed at:\n\nhttp://www.oracle.com/technology/deploy/security/alerts.htm\n\nMost Oracle CPU patches are also listed in DoD IAVM alerts.\n\nPatch set exceptions are fixes per a particular DBMS product based on reported bugs and do not undergo the rigorous QA and certification process that patchsets do. These are installed as needed to correct reported or observed bugs in Oracle DBMS products.\n\nThis check applies to the application of the CPU patches only. You must comply with Check DG0001 prior to applying Oracle Critical Patch Updates.\n\nFor Oracle Critical Patch Updates (CPU):\n\n1. Go to the website http://www.oracle.com/technology/deploy/security/alerts.htm.\n2. Click on the latest Critical Patch Update link.\n3. Click on the [Database] link in the Supported Products and Components Affected section.\n4. Enter your Oracle MetaLink credentials.\n5. Locate the Critical Patch Update Availability table.\n6. Identify your OS Platform and Oracle version to see if there is a CPU release.\n7. If there is none, this check is Not a Finding. If there is one, note the patch number for the steps below.\n\nView the installed patch numbers for the database using the Oracle opatch utility.\n\nOn UNIX systems: \n $ORACLE_HOME/OPatch/opatch lsinventory -detail | grep [PATCHNUM]\n\nOn Windows systems (From Windows Command Prompt):\n %ORACLE_HOME%\\OPatch\\opatch lsinventory -detail | findstr [PATCHNUM]\n\nReplace [PATCHNUM] with the Patch number noted above. If the output shows the installed patch is present, this check is Not a Finding. No output indicates that the patch has not been applied and is a Finding.",
"description": "Maintaining the currency of the software version protects the database from known vulnerabilities.",
"fixid": "F-16405r1_fix",
"fixtext": "Apply the most current Oracle Critical Patch update to the database software when available.\n\nFollow vendor-provided patch installation instructions.",
"iacontrols": [
"VIVM-1"
],
"id": "V-5659",
"ruleID": "SV-24342r1_rule",
"severity": "medium",
"title": "The latest security patches should be installed.",
"version": "DG0003-ORACLE11"
},
"V-6756": {
"checkid": "C-28571r1_chk",
"checktext": "Review host system privileges assigned to the Oracle DBA group and all individual Oracle DBA accounts.\n\nNOTE: do not include the Oracle software installation account in any results for this check.\n\nFor UNIX systems (as root):\n cat /etc/group | grep -i dba\n groups root\n\nIf \"root\" is returned in the first list, this is a Finding.\n\nIf any accounts listed in the first list are also listed in the second list, this is a Finding.\n\nInvestigate any user account group memberships other than DBA or root groups that are returned by the following command (also as root):\n\n groups [dba user account]\n\nReplace [dba user account] with the user account name of each DBA account.\n\nIf individual DBA accounts are assigned to groups that grant access or privileges for purposes other than DBA responsibilities, this is a Finding.\n\nFor Windows Systems (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_DBA\n Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_[SID]_DBA (if present)\n\nNOTE: Users assigned DBA privileges on a Windows host are granted membership in the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA privileges to specific Oracle instances only.\n\nMake a note of each user listed.\n\nFor each user (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Users / [DBA user name] / Member of\n\nIf DBA users belong to any groups other than DBA groups and the Windows Users group, this is a Finding.\n\nExamine User Rights assigned to DBA groups or group members:\n Start / Settings / Control Panel / Administrative Tools / Local Security Policy / Security Settings / Local Policies / User Rights Assignments\n\nIf any User Rights are assigned directly to the DBA group(s) or DBA user accounts, this is a Finding.",
"description": "Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.",
"fixid": "F-24656r1_fix",
"fixtext": "Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration.\n\nRevoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts.\n\nRemove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts.\n\nYou should document all DBA group accounts and individual DBA account assigned privileges in the System Security Plan.",
"iacontrols": [
"ECLP-1"
],
"id": "V-6756",
"ruleID": "SV-24346r1_rule",
"severity": "medium",
"title": "Only necessary privileges to the host system should be granted to DBA OS accounts.",
"version": "DG0005-ORACLE11"
},
"V-6767": {
"checkid": "C-1048r1_chk",
"checktext": "Review security and administration documentation maintained for the DBMS system for indications that DoD security guidance has been applied to the DBMS system.\n\nIf the DBMS system has not been secured using available DoD security guidance, this is a Finding.",
"description": "DBMS systems that do not follow DoD security guidance are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities. ",
"fixid": "F-17962r1_fix",
"fixtext": "Apply available DoD security guidance to the DBMS system.\n\nIf DoD security guidance is not available, the system owner works with DISA or NSA to draft configuration guidance for inclusion in a departmental reference guide.",
"iacontrols": [
"DCCS-1",
"DCCS-2"
],
"id": "V-6767",
"ruleID": "SV-25032r1_rule",
"severity": "medium",
"title": "The database should be secured in accordance with DoD guidance where applicable.",
"version": "DG0007-ORACLE11"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15138": "true",
"V-15139": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15643": "true",
"V-15649": "true",
"V-15658": "true",
"V-15659": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15138": "true",
"V-15139": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15643": "true",
"V-15649": "true",
"V-15658": "true",
"V-15659": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-15102": "true",
"V-15103": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15117": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-15102": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15138": "true",
"V-15139": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15643": "true",
"V-15649": "true",
"V-15658": "true",
"V-15659": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3827": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-15102": "true",
"V-15104": "true",
"V-15105": "true",
"V-15106": "true",
"V-15107": "true",
"V-15108": "true",
"V-15109": "true",
"V-15110": "true",
"V-15111": "true",
"V-15112": "true",
"V-15116": "true",
"V-15118": "true",
"V-15120": "true",
"V-15121": "true",
"V-15122": "true",
"V-15126": "true",
"V-15127": "true",
"V-15129": "true",
"V-15131": "true",
"V-15132": "true",
"V-15138": "true",
"V-15139": "true",
"V-15140": "true",
"V-15141": "true",
"V-15143": "true",
"V-15144": "true",
"V-15145": "true",
"V-15146": "true",
"V-15147": "true",
"V-15148": "true",
"V-15150": "true",
"V-15179": "true",
"V-15608": "true",
"V-15611": "true",
"V-15618": "true",
"V-15620": "true",
"V-15621": "true",
"V-15622": "true",
"V-15625": "true",
"V-15636": "true",
"V-15643": "true",
"V-15649": "true",
"V-15651": "true",
"V-15652": "true",
"V-15656": "true",
"V-15658": "true",
"V-15659": "true",
"V-15662": "true",
"V-16031": "true",
"V-16032": "true",
"V-16054": "true",
"V-16055": "true",
"V-16056": "true",
"V-16057": "true",
"V-2420": "true",
"V-2422": "true",
"V-2423": "true",
"V-2608": "true",
"V-2612": "true",
"V-3440": "true",
"V-3497": "true",
"V-3726": "true",
"V-3728": "true",
"V-3803": "true",
"V-3805": "true",
"V-3806": "true",
"V-3807": "true",
"V-3809": "true",
"V-3811": "true",
"V-3812": "true",
"V-3813": "true",
"V-3825": "true",
"V-3827": "true",
"V-3842": "true",
"V-3845": "true",
"V-3862": "true",
"V-3863": "true",
"V-3866": "true",
"V-43137": "true",
"V-4754": "true",
"V-5658": "true",
"V-5659": "true",
"V-6756": "true",
"V-6767": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "oracle_11_database_installation",
"title": "Oracle 11 Database Installation STIG",
"version": "8"
}
}