
Credentials used to access remote databases should be protected by encryption and restricted to authorized users.


Overview

Finding ID: V-15659
Version: DG0191-ORACLE11
Rule ID: SV-24835r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
Access to database connection credential stores provides easy access to the database. Without controls in place to prevent unauthorized access to the credentials, unauthorized access to the database can result.
STIG: Oracle Database 11g Installation STIG
Date: 2014-04-02

Details

Check Text (C-29397r1_chk)
Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database.

If no database passwords or credentials are stored outside of the database, including in Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is Not a Finding.

View the sqlnet.ora file to determine if Oracle Wallets are used for authentication.

If the "WALLET_LOCATION" entry exists in the file, then view permissions on the directory and contents.

If access to this directory and these files is not restricted to the Oracle database and listener services, DBAs, and other authorized system and administrative accounts, this is a Finding.

From SQL*Plus:

select value from v$parameter where name = 'remote_login_passwordfile';

If the command returns the value NONE, this is not a Finding.

If it returns the value SHARED, this is a Finding.

If it returns the value EXCLUSIVE, view access permissions to the Oracle password file.

The default name for Windows is pwd[SID].ora and is located in the ORACLE_HOME\database directory.

On UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory.

If access to this file is not restricted to the Oracle database, DBAs, and other authorized system and administrative accounts, this is a Finding.

For other password or credential stores, interview the DBA to determine what access restrictions have been assigned to the storage location of the passwords.

If accounts other than those that require access to the storage location have been granted permissions, this is a Finding.
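
The wallet and password file steps of the check above can be scripted on a UNIX host. The following is an added example, not part of the STIG text: the function names and status strings are assumptions, and it only flags paths that grant access to "other" users, so the owner and group still have to be compared against the authorized accounts by hand.

```sh
#!/bin/sh
# Added example (not STIG text): host-side part of the check on a UNIX host.
# Function names and status strings are assumptions of this sketch.

# Print the DIRECTORY of the WALLET_LOCATION entry in a sqlnet.ora file.
# Limitation: paths containing spaces are not handled.
wallet_dir() {
    awk '{ sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
         # A line that does not start with a parenthesis begins a new parameter.
         /^[^()]/ { on = (toupper($0) ~ /^WALLET_LOCATION(=|$)/) }
         on && (i = index(toupper($0), "(DIRECTORY=")) {
             v = substr($0, i + 11); sub(/\).*/, "", v); print v; exit
         }' "$1"
}

# List $1 and everything under it that grants any permission to "other".
exposed_paths() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Wallet part of the check. $1 is the path to sqlnet.ora.
wallet_status() {
    d=$(wallet_dir "$1")
    [ -n "$d" ] || { echo "NO WALLET: no WALLET_LOCATION entry in $1"; return; }
    [ -d "$d" ] || { echo "REVIEW: wallet directory $d not found"; return; }
    if [ -n "$(exposed_paths "$d")" ]; then
        echo "FINDING: wallet paths accessible to other users:"; exposed_paths "$d"
    else
        echo "REVIEW: confirm owner and group of $d are authorized"
    fi
}

# Password file part. $1 is the remote_login_passwordfile value returned by
# the SQL*Plus query, $2 is ORACLE_HOME, $3 is the SID.
pwfile_status() {
    f="$2/dbs/orapw$3"
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        NONE)   echo "NOT A FINDING: remote_login_passwordfile is NONE" ;;
        SHARED) echo "FINDING: remote_login_passwordfile is SHARED" ;;
        EXCLUSIVE)
            if [ ! -e "$f" ]; then echo "REVIEW: $f not found"
            elif [ -n "$(exposed_paths "$f")" ]; then echo "FINDING: $f is accessible to other users"
            else echo "REVIEW: confirm owner and group of $f are authorized"; fi ;;
        *)  echo "REVIEW: unexpected value '$1'" ;;
    esac
}

# Usage: sh check.sh SQLNET_ORA PASSWORDFILE_VALUE ORACLE_HOME SID
[ "$#" -ne 4 ] || { wallet_status "$1"; pwfile_status "$2" "$3" "$4"; }
```

A REVIEW result means the automated permission test passed or could not be completed; it is not a pass for the STIG item.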
Fix Text (F-26422r1_fix)
Consider alternate methods for database connections to avoid custom storage of local connection credentials.

Develop and document use of locally stored credentials and their authorized use and access in the System Security Plan.

Restrict access and use of the credentials to authorized users using host file permissions and any other available method to restrict access.