The DBMS warning banner should meet DoD policy requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15658	DG0179-ORACLE11	SV-24827r1_rule	ECWM-1	Medium

Description
Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.

STIG	Date
Oracle 11 Database Installation STIG	2014-01-14

Details

Check Text ( C-26465r1_chk )
A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not a Finding for all supported versions of Oracle. View the sqlnet.ora file. If the following lines do not exist, this is a Finding (requires application code to display the warning banner, which is not covered in this check): SEC_USER_AUDIT_ACTION_BANNER = path/filename with banner text SEC_USER_UNAUTHORIZED_ACCESS_BANNER = path/filename with banner text This requirement can be fulfilled programmatically and is not covered in this check; however, if required and not performed, this is a Finding. View the files specified. If they do not contain the following text as written below, this is a Finding: [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. OK [B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't. This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008 unless superceded.

Check Text ( C-26465r1_chk )

A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not a Finding for all supported versions of Oracle.

View the sqlnet.ora file. If the following lines do not exist, this is a Finding (requires application code to display the warning banner, which is not covered in this check):

SEC_USER_AUDIT_ACTION_BANNER = path/filename with banner text
SEC_USER_UNAUTHORIZED_ACCESS_BANNER = path/filename with banner text

This requirement can be fulfilled programmatically and is not covered in this check; however, if required and not performed, this is a Finding.

View the files specified. If they do not contain the following text as written below, this is a Finding:

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OK

[B. For Blackberries and other PDAs/PEDs with severe character limitations:]

I've read & consent to terms in IS user agreem't.

This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008 unless superceded.

Fix Text (F-16136r1_fix)
Add the following lines to the sqlnet.ora file: SEC_USER_AUDIT_ACTION_BANNER = [banner file] SEC_USER_UNAUTHORIZED_ACCESS_BANNER = [banner file] Replace [banner file] with the path and file name to a TEXT file containing the banner text as shown above. NOTE: Defining these parameters and this text makes the banner available to applications. It is not displayed unless the application is designed to display the text using OCI calls. For all versions of Oracle, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the Oracle DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.

Fix Text (F-16136r1_fix)

Add the following lines to the sqlnet.ora file:

SEC_USER_AUDIT_ACTION_BANNER = [banner file]
SEC_USER_UNAUTHORIZED_ACCESS_BANNER = [banner file]

Replace [banner file] with the path and file name to a TEXT file containing the banner text as shown above.

NOTE: Defining these parameters and this text makes the banner available to applications. It is not displayed unless the application is designed to display the text using OCI calls.

For all versions of Oracle, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the Oracle DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed.

The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.