UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must use multifactor authentication for local access to privileged accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-52259 O112-C2-013100 SV-66475r1_rule Medium
Description
Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Local Access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. The lack of multifactor authentication makes it much easier for an attacker to gain unauthorized access to a system.
STIG Date
Oracle Database 11.2g Security Technical Implementation Guide 2015-03-26

Details

Check Text ( C-54315r1_chk )
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging into privileged accounts locally are required to use multifactor authentication. If users logging into privileged accounts locally are not required to use multifactor authentication, this is a finding.

(Oracle Advanced Security Option (ASO) may be helpful in meeting this requirement. Notes on ASO Data Integrity follow.)

Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong multifactor authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates as well as Smart Cards (CAC, PIV).

Oracle Advanced Security provides multifactor authentication to the database. With Oracle Advanced Security, customers can require their users to plug-in a Smart Card (CAC, PIV) as part of their SSL-based authentication to the Oracle Database.

Unix and Windows platforms can be checked by selecting installed products in the Oracle Universal Installer (OUI).

Select the Oracle home, and, from Contents tab, drill down to Enterprise Edition Options.

On Unix you can also run the adapters command
$ adapters

Installed Oracle Advanced Security options are:

RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication

If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries, ASO with SSL is installed. The following entries in the sqlnet.ora will be generated when SSL is installed.

#SSL
WALLET_LOCATION = (SOURCE=
(METHOD = FILE)
(METHOD_DATA =
DIRECTORY=/wallet)

SSL_CIPHER_SUITES=(SSL_cipher_suiteExample)
SSL_VERSION= 3
SSL_CLIENT_AUTHENTICATION=FALSE/TRUE
Fix Text (F-57075r1_fix)
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for local users logging into privileged accounts.

If appropriate, install Oracle Advanced Security Option to support Secure Sockets Layer (SSL) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).