UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A DBMS providing remote access capabilities must utilize approved cryptography to protect the integrity of remote access sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-52343 O112-C2-001400 SV-66559r3_rule Medium
Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. These connections will typically occur over the public Internet, the Public Switched Telephone Network (PSTN) or sometimes both. Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified. Cryptography provides a means to secure the remote connection to prevent unauthorized changes to the data traversing the remote access connection, thereby providing a degree of integrity. The encryption strength of mechanism is selected based on the security categorization of the information that is traversing the remote connection. Databases that accept remote connections must use approved cryptography to protect data being passed via a non-secure network. If approved cryptography is not used, data can be intercepted and potentially modified.
STIG Date
Oracle Database 11.2g Security Technical Implementation Guide 2015-06-23

Details

Check Text ( C-54383r4_chk )
Review settings to determine if DBMS is configured to accept remote connections.

Note: "remote" means "from outside the DoD Information Network (DoDIN)", and connections via approved Virtual Private Networks (VPNs) are considered to be inside the DoDIN.

If the DBMS is not configured to accept remote connections, this is not a finding.

Check DBMS settings to determine whether the authentication data for remote connections is being encrypted with approved cryptography. If not, this is a finding.

To check that network encryption is enabled and using site-specified encryption procedures, look in SQLNET.ORA located at $ORACLE_HOME/network/admin/sqlnet.ora.

If encryption is set, entries like the following will be present:

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required

To list the supported encryption algorithms, crypto-checksums, and authentication methods, execute the adapters command:

$adapters

Installed Oracle Advanced Security options are:

RC4 40-bit encryption
RC4 56-bit encryption
RC4 128-bit encryption
RC4 256-bit encryption
DES40 40-bit encryption
DES 56-bit encryption
3DES 112-bit encryption
3DES 168-bit encryption
AES 128-bit encryption
AES 192-bit encryption
AES 256-bit encryption
MD5 crypto-checksumming
SHA-1 crypto-checksumming
Kerberos v5 authentication
RADIUS authentication

Because of changes in Oracle licensing policy, it is no longer to purchase Oracle Advanced Security to use network encryption and advanced authentication.
Fix Text (F-57161r6_fix)
If the database accepts remote connections, but is not using approved cryptography, modify SQLNET.ORA to enable encryption, using an approved algorithm.

The strength requirements are dependent upon data classification.

For unclassified data, where cryptography is required:

AES 128 for encryption
SHA 256 for hashing

NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows:

AES 128 for Secret
AES 256 for Top Secret
SHA 256 for Secret
SHA 384 for Top Secret

National Security System is defined as:

(OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

The following table summarizes the combinations of parameters for desired behavior on client and server:

Desired behavior - Client Desired behavior - Server Encryption
-------------------------- ------------------------- -----------
ACCEPTED REJECTED OFF
REQUESTED REJECTED OFF
REQUIRED REJECTED Connection fails
REJECTED ACCEPTED OFF
ACCEPTED ACCEPTED OFF
REQUESTED ACCEPTED ON
REQUIRED ACCEPTED ON
REJECTED REQUESTED OFF
ACCEPTED REQUESTED ON
REQUESTED REQUESTED ON
REQUIRED REQUESTED ON
REJECTED REQUIRED Connection fails
ACCEPTED REQUIRED ON
REQUESTED REQUIRED ON
REQUIRED REQUIRED ON

Set the SQLNET.ORA to the site-specific requirements as in this example:

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)
SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = requested
SQLNET.CRYPTO_CHECKSUM_SERVER = required