
The DBMS must use multifactor authentication for local access to non-privileged accounts.


Overview

Finding ID: V-52261
Version: O112-C2-013200
Rule ID: SV-66477r1_rule
IA Controls: none listed
Severity: Medium
Description
Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A non-privileged account is defined as an information system account with authorizations of a regular or non-privileged user. Local Access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. The lack of multifactor authentication makes it much easier for an attacker to gain unauthorized access to a system.
STIG: Oracle Database 11.2g Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-54317r1_chk)
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging into non-privileged accounts locally are required to use multifactor authentication. If users logging into non-privileged accounts locally are not required to use multifactor authentication, this is a finding.

(Oracle Advanced Security Option (ASO) may be helpful in meeting this requirement. Notes on ASO strong authentication follow.)

Authentication is used to prove the identity of the user. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Advanced Security enables strong multifactor authentication with Oracle authentication adapters that support various third-party authentication services, including SSL with digital certificates as well as Smart Cards (CAC, PIV).

Oracle Advanced Security provides multifactor authentication to the database. With Oracle Advanced Security, customers can require their users to plug in a Smart Card (CAC, PIV) as part of their SSL-based authentication to the Oracle Database: the card holds the user's private key and certificate, so the user must possess the card and know its PIN.

On Unix and Windows platforms, the installed options can be checked by selecting installed products in the Oracle Universal Installer (OUI).

Select the Oracle home and, from the Contents tab, drill down to Enterprise Edition Options.

On Unix you can also run the adapters utility from $ORACLE_HOME/bin, which reports the Oracle Advanced Security adapters linked into the Oracle home:
$ adapters

Installed Oracle Advanced Security options are:

RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication

This output shows which adapters are installed, not which are configured or in use. For this requirement the relevant entries are the authentication adapters (Kerberos v5, RADIUS) together with the SSL/PKI support checked in sqlnet.ora below. The RC4, DES, DES40, MD5 and SHA-1 entries are legacy encryption and checksum algorithms that appear simply because they are installed; they should not be selected in SQLNET.ENCRYPTION_TYPES_SERVER or SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER.

If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries, ASO with SSL is installed. These entries are generated in sqlnet.ora when SSL is installed (the wallet block is shown here with its parentheses balanced, as Oracle Net expects it):

#SSL
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /wallet)))

SSL_CIPHER_SUITES = (SSL_cipher_suiteExample)
SSL_VERSION = 3
SSL_CLIENT_AUTHENTICATION = FALSE/TRUE

The presence of these entries shows only that SSL support is installed. For certificate (Smart Card) authentication of users, SSL_CLIENT_AUTHENTICATION must be TRUE (with FALSE the session is encrypted under the server certificate but the user is never asked for one), SQLNET.AUTHENTICATION_SERVICES must include TCPS, and the listener must expose a TCPS endpoint. SSL_VERSION selects the protocol version: 3.0 (shown above as 3) is SSLv3, which is obsolete, and 0 accepts any version; pin 1.0 on 11.2, or 1.2 where the installed patch level supports it. Note also that these settings govern Oracle Net (TCPS) connections. A bequeath connection made on the database host, which is what this requirement calls local access, does not pass through them, so the multifactor requirement for that path has to be met by the host login itself (for example, Smart Card logon enforced by the operating system).
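As an added example (not part of the STIG and not Oracle's tooling), the following Python script parses a sqlnet.ora and reports which of the settings above are missing for certificate authentication. It uses only the documented sqlnet.ora parameter names; the two embedded sample files are constructed for the demonstration, the first being the as-installed fragment above with SSL_CLIENT_AUTHENTICATION=FALSE and the second a hardened version. It covers the sqlnet.ora side only: it cannot tell whether the listener has a TCPS endpoint, whether the wallet actually holds a certificate, or whether bequeath logins on the host require a Smart Card.

```python
"""Audit a sqlnet.ora for the settings that SSL (TCPS) certificate
authentication to Oracle depends on.

Added example for this STIG check, not DISA's or Oracle's code. Parameter
names are the documented sqlnet.ora ones; the sample files below are
constructed. Listener, wallet contents and host login policy are out of scope.
"""
import re

_TOKEN = re.compile(r"\(|\)|=|,|[^\s()=,]+")


def _tokenize(text):
    # '#' starts a comment that runs to end of line.
    return _TOKEN.findall(re.sub(r"#.*", "", text))


def _parse_value(tok, i):
    """A value is an atom, or one or more parenthesised groups side by side,
    e.g. SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /wallet))."""
    if i >= len(tok):
        raise ValueError("value missing at end of file")
    if tok[i] != "(":
        return tok[i], i + 1
    parts = []
    while i < len(tok) and tok[i] == "(":
        part, i = _parse_group(tok, i + 1)
        parts.append(part)
    if len(parts) == 1:
        return parts[0], i
    if all(isinstance(p, dict) for p in parts):
        merged = {}
        for p in parts:
            merged.update(p)          # (A = x)(B = y) -> {A: x, B: y}
        return merged, i
    return parts, i


def _parse_group(tok, i):
    """Parse after '(' up to the matching ')': (NAME = VALUE) or (a, b, c)."""
    if i + 1 < len(tok) and tok[i + 1] == "=":
        name = tok[i].upper()
        value, i = _parse_value(tok, i + 2)
    else:
        name, value = None, []
        while i < len(tok) and tok[i] != ")":
            if tok[i] != ",":
                value.append(tok[i].upper())
            i += 1
    if i >= len(tok) or tok[i] != ")":
        raise ValueError("unbalanced parentheses in sqlnet.ora")
    return ({name: value} if name else value), i + 1


def parse_sqlnet(text):
    """Return {PARAMETER: value}; nested groups become dicts, lists stay lists."""
    tok, params, i = _tokenize(text), {}, 0
    while i < len(tok):
        name = tok[i].upper()
        if i + 1 >= len(tok) or tok[i + 1] != "=":
            raise ValueError(f"expected '=' after {name}")
        params[name], i = _parse_value(tok, i + 2)
    return params


def _dig(node, *keys):
    for k in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(k)
    return node


def audit_ssl_auth(params):
    """Return findings; an empty list means the sqlnet.ora side is set up."""
    findings = []
    services = params.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if isinstance(services, str):
        services = [services.upper()]
    if "TCPS" not in services:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include TCPS")
    if str(params.get("SSL_CLIENT_AUTHENTICATION", "")).upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not TRUE: user certificate never requested")
    method = str(_dig(params, "WALLET_LOCATION", "SOURCE", "METHOD") or "").upper()
    directory = _dig(params, "WALLET_LOCATION", "SOURCE", "METHOD_DATA", "DIRECTORY")
    if method != "FILE" or not directory:
        findings.append("WALLET_LOCATION does not name a file-based wallet directory")
    version = str(params.get("SSL_VERSION", ""))
    if not version.startswith("1."):      # 3.0 is SSLv3, 0 means any version
        findings.append(f"SSL_VERSION={version or 'unset'}: pin a TLS version")
    return findings


# Constructed sample: the as-installed fragment, parentheses balanced.
AS_INSTALLED = """
#SSL
WALLET_LOCATION = (SOURCE=
  (METHOD = FILE)
  (METHOD_DATA =
    (DIRECTORY = /wallet)))
SSL_CIPHER_SUITES = (SSL_cipher_suiteExample)
SSL_VERSION = 3
SSL_CLIENT_AUTHENTICATION = FALSE
"""

# Constructed sample: the same file with the settings certificate auth needs.
HARDENED = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/wallet)))
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA)
SSL_VERSION = 1.0
SSL_CLIENT_AUTHENTICATION = TRUE
"""

if __name__ == "__main__":
    for label, text in (("as installed", AS_INSTALLED), ("hardened", HARDENED)):
        print(label, audit_ssl_auth(parse_sqlnet(text)) or "no findings")
```

Point the script at a real file with parse_sqlnet(open(path).read()); an empty findings list from audit_ssl_auth is necessary but not sufficient for a pass, since the listener, the wallet and the host login path still have to be reviewed by hand.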
Fix Text (F-57077r1_fix)
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for local users logging into non-privileged accounts.

If appropriate, install Oracle Advanced Security Option to support Secure Sockets Layer (SSL) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).