The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-52345	O112-C2-001600	SV-66561r2_rule		Medium

Description
Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations after a security incident. When organizations define security-related application functions or security-related application information, it is incumbent upon the application providing access to that data to ensure auditing of remote connectivity to those resources occurs in support of organizational requirements. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any application providing remote access must support organizational requirements to audit access or organization-defined security functions and security-relevant information. Database security features accessed through remote methods must be audited to ensure the access is authorized and appropriate.

Description

Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless. Remote network and system access is accomplished by leveraging common communication protocols to establish a remote connection. These connections will typically originate over either the public Internet or the Public Switched Telephone Network (PSTN). Neither of these internetworking mechanisms is private or secure and they do not by default restrict access to networked resources once connectivity is established. Numerous best practices are employed to protect remote connections, such as utilizing encryption to protect data sessions and firewalls to restrict and control network connectivity. In addition to these protections, auditing must also be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations after a security incident. When organizations define security-related application functions or security-related application information, it is incumbent upon the application providing access to that data to ensure auditing of remote connectivity to those resources occurs in support of organizational requirements. Remote access to security functions (e.g., user management, audit log management, etc.) and security-relevant information requires the activity be audited by the organization. Any application providing remote access must support organizational requirements to audit access or organization-defined security functions and security-relevant information. Database security features accessed through remote methods must be audited to ensure the access is authorized and appropriate.

STIG	Date
Oracle Database 11.2g Security Technical Implementation Guide	2018-06-25

Details

Check Text ( C-54385r3_chk )
Review settings to determine if DBMS is configured to accept remote connections. (Note that "remote" means "from outside the DoD Information Network (DoDIN)", and connections via approved Virtual Private Networks (VPNs) are considered to be inside the DoDIN.) If the DBMS is not configured to accept remote connections, this is not a finding. Review DBMS settings and verify whether the auditing of security features accessed via remote database access is enabled. If auditing of security feature access is not enabled, this is a finding. - - - - - - - About the Default Auditing Settings When you use Database Configuration Assistant (DBCA) to create a new database, Oracle Database configures the database to audit the most commonly used security-relevant SQL statements and privileges. It also sets the AUDIT_TRAIL initialization parameter to DB EXTENDED. If you decide to use a different audit trail type (for example, OS if you want to write the audit trail records to operating system files), then you can do that, and Oracle Database continues to audit the privileges that are audited by default. If you disable auditing by setting the AUDIT_TRAIL parameter to NONE, then no auditing takes place. This query will list the system privileges assigned to a user: SELECT LPAD(' ', 2*level) \|\| granted_role "USER PRIVS" FROM ( SELECT NULL grantee, username, granted_role FROM dba_users WHERE username LIKE UPPER('%&uname%') UNION SELECT grantee, granted_role FROM dba_role_privs UNION SELECT grantee, privilege FROM dba_sys_privs) START WITH grantee IS NULL CONNECT BY grantee = prior granted_role; or SELECT path FROM ( SELECT grantee, sys_connect_by_path(privilege, ':')\|\|':'\|\|grantee path FROM ( SELECT grantee, privilege, 0 role FROM dba_sys_privs UNION ALL SELECT grantee, granted_role, 1 role FROM dba_role_privs) CONNECT BY privilege=prior grantee START WITH role = 0) WHERE grantee IN ( SELECT username FROM dba_users WHERE lock_date IS NULL AND password != 'EXTERNAL' AND username != 'SYS') OR grantee='PUBLIC'

Check Text ( C-54385r3_chk )

Review settings to determine if DBMS is configured to accept remote connections. (Note that "remote" means "from outside the DoD Information Network (DoDIN)", and connections via approved Virtual Private Networks (VPNs) are considered to be inside the DoDIN.) If the DBMS is not configured to accept remote connections, this is not a finding.

Review DBMS settings and verify whether the auditing of security features accessed via remote database access is enabled. If auditing of security feature access is not enabled, this is a finding.

- - - - - - -

About the Default Auditing Settings

When you use Database Configuration Assistant (DBCA) to create a new database, Oracle Database configures the database to audit the most commonly used security-relevant SQL statements and privileges. It also sets the AUDIT_TRAIL initialization parameter to DB EXTENDED. If you decide to use a different audit trail type (for example, OS if you want to write the audit trail records to operating system files), then you can do that, and Oracle Database continues to audit the privileges that are audited by default. If you disable auditing by setting the AUDIT_TRAIL parameter to NONE, then no auditing takes place.

This query will list the system privileges assigned to a user:

SELECT LPAD(' ', 2*level) || granted_role "USER PRIVS"
FROM (
SELECT NULL grantee, username, granted_role
FROM dba_users
WHERE username LIKE UPPER('%&uname%')
UNION
SELECT grantee, granted_role
FROM dba_role_privs
UNION
SELECT grantee, privilege
FROM dba_sys_privs)
START WITH grantee IS NULL
CONNECT BY grantee = prior granted_role;

or

SELECT path
FROM (
SELECT grantee,
sys_connect_by_path(privilege, ':')||':'||grantee path
FROM (
SELECT grantee, privilege, 0 role
FROM dba_sys_privs
UNION ALL
SELECT grantee, granted_role, 1 role
FROM dba_role_privs)
CONNECT BY privilege=prior grantee
START WITH role = 0)
WHERE grantee IN (
SELECT username
FROM dba_users
WHERE lock_date IS NULL
AND password != 'EXTERNAL'
AND username != 'SYS')
OR grantee='PUBLIC'

Fix Text (F-57163r2_fix)
Enable auditing of security feature access via remote connections. Satisfy the auditing requirement by enabling, deploying, and configuring the Oracle Audit Vault, or by running the SECCONF.SQL script - delivered in $ORACLE_HOME/rdbms/admin/secconf.sql. See the script for details, and customize according to site-specific requirements.