DBMS authentication should require use of a DoD PKI certificate.


Overview

Finding ID: V-3810
Version: DG0065-ORACLE10
Rule ID: SV-25025r1_rule
IA Controls: IATS-1, IATS-2
Severity: Medium
Description
In a properly configured DBMS, access controls for data access and DBMS management actions are assigned based on the user's identity and job function. Unauthenticated or falsely authenticated access leads directly to potential unauthorized access to, misuse of, and loss of accountability for data and activities within the DBMS. Using PKI certificates to authenticate to the DBMS provides a robust mechanism for establishing the identity on which access authorization depends.
STIG: Oracle Database 10g Instance STIG
Date: 2014-04-02

Details

Check Text ( C-26709r1_chk )
If user access to the DBMS is via a portal or mid-tier system or product and PKI-authentication occurs at the portal/mid-tier, this check is Not a Finding. Review the list of all DBMS accounts and their authentication methods. This list is usually available from a system view or table and is easily gained from a simple SQL query. If any accounts are listed with an authentication method other than a PKI certificate, this is a Finding. For MAC 3 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 certificate and hardware security token (when available) at minimum, this is a Finding. For MAC 1 and 2 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum, this is a Finding.
Fix Text (F-22885r1_fix)
Implement PKI authentication for all accounts defined within the database where applicable. Applications may use host system (server) certificates to authenticate. For MAC 3 systems, use of the DoD PKI Class 3 certificate and hardware security token (when available) at minimum is required. For MAC 1 and 2 systems, use of the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum is required.
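The "simple SQL query" the check text refers to, and the corresponding fix, as an added example that is not part of the STIG text. It assumes Oracle 10g, where DBA_USERS.PASSWORD reads 'EXTERNAL' or 'GLOBAL' for externally or globally identified accounts and DBA_USERS.EXTERNAL_NAME holds the mapped certificate DN; the account name and DN in the ALTER USER statement are placeholders.

```sql
-- Added example (not STIG text). Review every DBMS account and classify its
-- authentication method. Assumes Oracle 10g: for IDENTIFIED EXTERNALLY users
-- DBA_USERS.PASSWORD is the literal 'EXTERNAL', for IDENTIFIED GLOBALLY users
-- it is 'GLOBAL', and for everyone else it is a password hash. EXTERNAL_NAME
-- carries the certificate DN when the account was mapped to a PKI identity.
SELECT username,
       account_status,
       CASE
         WHEN password = 'GLOBAL'
           THEN 'GLOBAL (enterprise user / PKI via directory)'
         WHEN password = 'EXTERNAL' AND external_name IS NOT NULL
           THEN 'EXTERNAL (certificate DN mapped)'
         WHEN password = 'EXTERNAL'
           THEN 'EXTERNAL (OS authentication, no certificate DN)'
         ELSE 'PASSWORD'
       END AS auth_method,
       external_name
  FROM dba_users
 -- password-authenticated and OS-authenticated accounts sort first,
 -- since those are the ones the check flags as a Finding
 ORDER BY CASE
            WHEN password NOT IN ('EXTERNAL', 'GLOBAL') THEN 0
            WHEN password = 'EXTERNAL' AND external_name IS NULL THEN 1
            ELSE 2
          END,
          username;

-- Fix for a flagged account: bind the database user to the subject DN of the
-- user's DoD PKI certificate so SSL/PKI authentication is required.
-- (Placeholder account name and DN; substitute the real values.)
ALTER USER app_user IDENTIFIED EXTERNALLY AS
  'CN=LAST.FIRST.MIDDLE.0000000000,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US';
```

The query lists locked and expired accounts as well, because the check covers all defined accounts; decide per account whether to convert it to certificate authentication or remove it.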