
The DBMS should be periodically tested for vulnerability management and IA compliance.


Overview

Finding ID: V-15112
Version: DG0088-ORACLE10
Rule ID: SV-24677r1_rule
IA Controls: ECMT-1, ECMT-2
Severity: Low
Description
The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, then it can be vulnerable to attack or compromise.
STIG: Oracle Database 10g Installation STIG
Date: 2014-04-02

Details

Check Text (C-29193r1_chk)
Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance.

This should include periodic, unannounced, in-depth monitoring, and should provide that specific penetration testing to ensure compliance with all vulnerability mitigation procedures, such as the DoD IAVA or other DoD IA practices, is planned, scheduled and conducted.

Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

The results for Classified systems are required to be independently validated.

If the requirements listed above are not being met, this is a Finding.
Fix Text (F-26209r1_fix)
Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check.

Coordinate 3rd-party validation testing for Classified systems.