UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle Database 11.2g Security Technical Implementation Guide



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-53991 High The Oracle Listener must be configured to require administration authentication.
V-52333 High The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
V-52331 High The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-52125 High DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
V-52329 High DBMS default accounts must be assigned custom passwords.
V-52327 High Vendor-supported software must be evaluated and patched against newly found vulnerabilities.
V-52395 High Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-52397 High When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.
V-53977 High The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
V-53975 High The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
V-52389 Medium All use of privileged accounts must be audited.
V-52383 Medium Administrative privileges must be assigned to database accounts via database roles.
V-52387 Medium Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
V-52303 Medium Databases employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-52301 Medium The DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
V-52149 Medium The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
V-52305 Medium The DBMS must support organizational requirements to encrypt information stored in the database, and information extracted or derived from the database and stored on digital media.
V-52145 Medium The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest.
V-52147 Medium The DBMS must isolate security functions from non-security functions by means of separate security domains.
V-52141 Medium The DBMS must preserve any organization-defined system state information in the event of a system failure.
V-52143 Medium The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
V-53987 Medium Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
V-52263 Medium The DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-52265 Medium The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-52267 Medium The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-52269 Medium The DBMS must disable user accounts after 35 days of inactivity.
V-53989 Medium Object permissions granted to PUBLIC must be restricted.
V-52361 Medium The DBMS must automatically audit account disabling actions, to the extent such information is available.
V-75031 Medium The DBMS must use multifactor authentication for local access to non-privileged accounts.
V-52233 Medium Unused database components, DBMS software, and database objects must be removed.
V-52231 Medium Default demonstration and sample databases, database objects, and applications must be removed.
V-52179 Medium The DBMS must protect audit information from any type of unauthorized access.
V-54077 Medium The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.
V-54075 Medium Remote administration must be disabled for the Oracle connection manager.
V-54073 Medium The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
V-54071 Medium Remote database or other external access must use fully-qualified names.
V-52171 Medium The system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
V-52173 Medium The DBMS must identify potentially security-relevant error conditions.
V-52175 Medium Attempts to bypass access controls must be audited.
V-52177 Medium The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-52369 Medium DBMS processes or services must run under custom, dedicated OS accounts.
V-52377 Medium The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
V-53995 Medium Oracle application administration roles must be disabled if not required and authorized.
V-52375 Medium The DBMS must be protected from unauthorized access by developers.
V-53997 Medium Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
V-52373 Medium A single database connection configuration file must not be used to configure all database clients.
V-52469 Medium The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
V-53993 Medium Application role permissions must not be assigned to the Oracle PUBLIC role.
V-52467 Medium The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
V-52277 Medium The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.
V-52275 Medium The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.
V-52463 Medium The DBMS must provide audit record generation capability for organization-defined auditable events within the database.
V-52273 Medium The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
V-52379 Medium The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
V-52271 Medium The DBMS must support organizational requirements to enforce minimum password length.
V-52239 Medium The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-53281 Medium Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
V-52311 Medium Database data files containing sensitive information must be encrypted.
V-52283 Medium The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-52167 Medium The DBMS must alert designated organizational officials in the event of an audit processing failure.
V-52281 Medium The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
V-52165 Medium The DBMS must check the validity of data inputs.
V-52287 Medium Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
V-52163 Medium The DBMS must provide a real-time alert when organization-defined audit failure events occur.
V-52285 Medium The DBMS must support organizational requirements to enforce password encryption for storage.
V-52161 Medium The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
V-52289 Medium DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
V-54079 Medium The DBMS host platform and other dependent applications must be configured in compliance with applicable STIG requirements.
V-54029 Medium Plans and procedures for testing DBMS installations, upgrades and patches must be defined and followed prior to production implementation.
V-52359 Medium The DBMS must support the requirement to automatically audit account modification.
V-52169 Medium The DBMS must verify there have not been unauthorized changes to the DBMS software and information.
V-54003 Medium Sensitive information from production database exports must be modified before being imported into a development database.
V-54001 Medium Unauthorized database links must not be defined and active.
V-54007 Medium Audit trail data must be reviewed daily or more frequently.
V-54005 Medium Application user privilege assignment must be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-54009 Medium Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
V-52365 Medium The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-52367 Medium The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
V-52479 Medium The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-52363 Medium The DBMS must automatically audit account termination.
V-52475 Medium The DBMS must produce audit records containing sufficient information to establish where the events occurred.
V-52201 Medium The DBMS must protect audit tools from unauthorized deletion.
V-52477 Medium The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-52471 Medium The DBMS must produce audit records containing sufficient information to establish what type of events occurred.
V-52205 Medium The DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency.
V-52473 Medium The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-52371 Medium The DBMS must restrict grants to sensitive information to authorized user roles.
V-52183 Medium The DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events.
V-52279 Medium The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-52291 Medium The DBMS must enforce password maximum lifetime restrictions.
V-52293 Medium The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-52295 Medium The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
V-52297 Medium The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
V-52299 Medium The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-52307 Medium The DBMS must terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity.
V-54011 Medium Application owner accounts must have a dedicated application tablespace.
V-54013 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
V-54015 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
V-54017 Medium Application object owner accounts must be disabled when not performing installation or maintenance actions.
V-54019 Medium DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
V-53999 Medium Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
V-52351 Medium The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
V-52219 Medium The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
V-52199 Medium The DBMS must notify appropriate individuals when accounts are terminated.
V-52461 Medium The DBMS must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-52357 Medium The DBMS must support the requirement to automatically audit account creation.
V-52249 Medium Database recovery procedures must be developed, documented, implemented, and periodically tested.
V-52193 Medium The DBMS must protect audit tools from unauthorized access.
V-52211 Medium The DBMS must protect audit data records and integrity by using cryptographic mechanisms.
V-52191 Medium The DBMS must notify appropriate individuals when accounts are modified.
V-52197 Medium The DBMS must protect audit tools from unauthorized modification.
V-52215 Medium The DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions.
V-52447 Medium The DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded.
V-52309 Medium The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-52229 Medium The DBMS must enforce requirements for remote connections to the information system.
V-52457 Medium A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-52455 Medium The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-52453 Medium Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-52223 Medium Database objects must be owned by accounts authorized for ownership.
V-52451 Medium The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-54025 Medium The database must not be directly accessible from public or unauthorized networks.
V-54027 Medium The IAM must review changes to DBA role assignments.
V-54021 Medium Use of the DBMS installation account must be logged.
V-53985 Medium System Privileges must not be granted to PUBLIC.
V-54023 Medium Remote administrative access to the database must be monitored by the IAO or IAM.
V-52459 Medium The DBMS must separate user functionality (including user interface services) from database management functionality.
V-52189 Medium The DBMS must protect audit information from unauthorized deletion.
V-52349 Medium The system must employ automated mechanisms for supporting Oracle user account management.
V-52181 Medium The DBMS must restrict error messages, so only authorized personnel may view them.
V-52345 Medium The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
V-52185 Medium The DBMS must protect audit information from unauthorized modification.
V-52187 Medium The DBMS must notify appropriate individuals when accounts are created.
V-53981 Medium The Oracle password file ownership and permissions should be limited to the Oracle installation account and REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
V-52347 Medium The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.
V-52135 Medium The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.
V-53959 Medium Audit trail data must be retained for one year.
V-52137 Medium The DBMS must provide a logout functionality to allow the user to manually terminate the session.
V-52133 Medium The DBMS must protect the integrity of publicly available information and applications.
V-60141 Medium Access to external executables must be disabled or restricted.
V-54039 Medium Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users.
V-52427 Medium Database software, applications, and configuration files must be monitored to discover unauthorized changes.
V-52237 Medium Use of external executables must be authorized.
V-52425 Medium Use of the DBMS software installation account must be restricted.
V-52235 Medium Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
V-54033 Medium Sensitive data stored in the database must be identified in the System Security Plan and AIS Functional Architecture documentation.
V-52429 Medium The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
V-54031 Medium Procedures and restrictions for import of production data to development databases must be documented, implemented, and followed.
V-52157 Medium The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
V-54067 Medium DBMS symmetric keys must be protected in accordance with NSA- or NIST-approved key management technology or processes.
V-52251 Medium DBMS backup and restoration files must be protected from unauthorized access.
V-52337 Medium The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
V-52155 Medium The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-53969 Medium A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-53965 Medium Fixed user and public database links must be authorized for use.
V-53961 Medium Access to default accounts used to support replication must be restricted to authorized DBAs.
V-53963 Medium Oracle instance names must not contain Oracle version numbers.
V-52449 Medium The DBMS must have allocated audit record storage capacity.
V-52433 Medium The DBMS must provide the ability to write specified audit record content to a centralized audit log repository.
V-52435 Medium The DBMS, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator IAW organizational policy.
V-52437 Medium The DBMS software installation account must be restricted to authorized users.
V-52353 Medium The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
V-53983 Medium System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
V-52247 Medium Database backup procedures must be defined, documented, and implemented.
V-52245 Medium Oracle must back up user-level information per a defined frequency.
V-52241 Medium Recovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner.
V-54047 Medium Network access to the DBMS must be restricted to authorized personnel.
V-54045 Medium Replication accounts must not be granted DBA privileges.
V-54043 Medium Access to DBMS software files and directories must not be granted to unauthorized users.
V-54041 Medium The DBMS must not share a host supporting an independent security service.
V-52431 Medium The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
V-57615 Medium The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
V-59855 Medium Owners of privileged accounts must use non-privileged accounts for non-administrative activities.
V-52441 Medium Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
V-53979 Medium The Oracle SQL92_SECURITY parameter must be set to TRUE.
V-52399 Medium OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
V-54069 Medium Changes to DBMS security labels must be audited.
V-53973 Medium Execute permission must be revoked from PUBLIC for restricted Oracle packages.
V-53971 Medium The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
V-52393 Medium The DBA role must not be assigned excessive or unauthorized privileges.
V-52409 Medium Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system.
V-52159 Medium The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-52405 Medium DBMS default accounts must be protected from misuse.
V-52445 Medium The DBMS software libraries must be periodically backed up.
V-52407 Medium The DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
V-68861 Medium Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
V-52153 Medium The DBMS must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
V-52151 Medium The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-52259 Medium The DBMS must use multifactor authentication for local access to privileged accounts.
V-52255 Medium The DBMS must use multifactor authentication for network access to privileged accounts.
V-52257 Medium The DBMS must use multifactor authentication for network access to non-privileged accounts.
V-52195 Medium The DBMS must notify appropriate individuals when account disabling actions are taken.
V-52253 Medium DBMS must conduct backups of system-level information per organization-defined frequency that is consistent with recovery time and recovery point objectives.
V-54055 Medium Remote DBMS administration must be documented and authorized or disabled.
V-54051 Medium Changes to configuration options must be audited.
V-52465 Low The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.
V-52209 Low The DBMS must provide an audit log reduction capability.
V-52203 Low The DBMS must implement separation of duties through assigned information access authorizations.
V-52213 Low The DBMS must provide a report generation capability for audit reduction data.
V-52217 Low The DBMS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-52225 Low The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-52227 Low The DBMS must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization-defined information system components.
V-52221 Low The DBMS must manage resources to limit the effects of information flooding types of Denial of Service (DoS) incidents.
V-53967 Low A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.