
Oracle 11 Database Instance STIG


Overview

Date Finding Count (67)
2014-01-14 CAT I (High): 2 CAT II (Med): 55 CAT III (Low): 10
STIG Description
This STIG includes the Database Instance checks for an Oracle 11G database.




Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-2555 High The Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
V-2554 High The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
V-2515 Medium The audit table should be owned by SYS or SYSTEM.
V-2517 Medium Oracle instance names should not contain Oracle version numbers.
V-2516 Medium Access to default accounts used to support replication should be restricted to authorized DBAs.
V-2511 Medium Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
V-15654 Medium DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
V-3810 Medium DBMS authentication should require use of a DoD PKI certificate.
V-2593 Medium The Oracle RESOURCE_LIMIT parameter should be set to TRUE.
V-15154 Medium Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
V-15133 Medium Transaction logs should be periodically reviewed for unauthorized modification of data. Users should be notified of time and date of the last change in data content.
V-2556 Medium The Oracle SQL92_SECURITY parameter should be set to TRUE.
V-3818 Medium Unauthorized database links should not be defined and active.
V-3857 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE.
V-3854 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
V-3850 Medium The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
V-15646 Medium Audit records should contain required information.
V-2520 Medium Fixed user and public database links should be authorized for use.
V-15623 Medium DBMS system data files should be stored in dedicated disk directories.
V-15624 Medium DBMS data files should be dedicated to support individual applications.
V-15626 Medium Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
V-2507 Medium Audit trail data should be retained for one year.
V-2564 Medium System Privileges should not be granted to PUBLIC.
V-15609 Medium Default demonstration and sample database objects and applications should be removed.
V-2561 Medium System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
V-2562 Medium Required object auditing should be configured.
V-15619 Medium Replication accounts should not be granted DBA privileges.
V-2552 Medium The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
V-15747 Medium The directory assigned to the DIAGNOSTIC_DEST parameter should be protected from unauthorized access.
V-2521 Medium A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-2522 Medium A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-15627 Medium Administrative privileges should be assigned to database accounts via database roles.
V-15660 Medium Remote database or other external access should use fully-qualified names.
V-2527 Medium The DBA role should not be granted to unauthorized user accounts.
V-15628 Medium DBMS application users should not be granted administrative privileges to the DBMS.
V-15128 Medium DBMS application user roles should not be assigned unauthorized privileges.
V-5685 Medium Required auditing parameters for database auditing should be set.
V-5686 Medium Audit records should be restricted to authorized individuals.
V-15629 Medium Application users privileges should be restricted to assignment using application user roles.
V-3437 Medium Application role permissions should not be assigned to the Oracle PUBLIC role.
V-2589 Medium Object permissions granted to PUBLIC should be restricted.
V-3846 Medium Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
V-3849 Medium Application owner accounts should have a dedicated application tablespace.
V-3820 Medium Production databases should be protected from unauthorized access by developers on shared production/development host systems.
V-3821 Medium Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-2533 Medium The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
V-15607 Medium Application objects should be owned by accounts authorized for ownership.
V-15142 Medium Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
V-15632 Medium Use of DBA accounts should be restricted to administrative activities.
V-5683 Medium Application object owner accounts should be disabled when not performing installation or maintenance actions.
V-3439 Medium Oracle system privileges should not be directly assigned to unauthorized accounts.
V-3438 Medium Oracle application administration roles should be disabled if not required and authorized.
V-15615 Medium The DBA role should not be assigned excessive or unauthorized privileges.
V-2558 Medium The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
V-15617 Medium Access to external objects should be disabled if not required and authorized.
V-2539 Medium Execute permission should be revoked from PUBLIC for restricted Oracle packages.
V-2574 Medium Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
V-2519 Low The Oracle OS_ROLES parameter should be set to FALSE.
V-15114 Low Developers should not be assigned excessive privileges on production databases.
V-3727 Low Database applications should be restricted from using static DDL statements to modify the application schema.
V-2586 Low The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
V-15149 Low DBA roles assignments should be assigned and authorized by the IAO.
V-3865 Low The XDB Protocol server should be uninstalled if not required and authorized for use.
V-3847 Low Database application user accounts should be denied storage usage for object creation within the database.
V-3848 Low The Oracle SID should not be the default SID.
V-2531 Low The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.
V-3823 Low Custom and GOTS application source code stored in the database should be protected with encryption or encoding.