
Oracle Database 11g Installation STIG


Overview

Date: 2015-06-23
Finding Count (85): CAT I (High): 5, CAT II (Med): 67, CAT III (Low): 13
STIG Description
The Oracle Database 11g Installation Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2608 High The Oracle Listener should be configured to require administration authentication.
V-3812 High Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
V-15104 High Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
V-15636 High Passwords should be encrypted when transmitted across the network.
V-5658 High Vendor supported software is evaluated and patched against newly found vulnerabilities.
V-15658 Medium The DBMS warning banner should meet DoD policy requirements.
V-15110 Medium Use of the DBMS installation account should be logged.
V-15111 Medium Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
V-15116 Medium The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
V-6756 Medium Only necessary privileges to the host system should be granted to DBA OS accounts.
V-16032 Medium Remote administration should be disabled for the Oracle connection manager.
V-3497 Medium The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.
V-15118 Medium Remote administrative access to the database should be monitored by the IAO or IAM.
V-15652 Medium DBMS remote administration should be audited.
V-4754 Medium Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
V-15656 Medium The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
V-3813 Medium DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
V-3811 Medium Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
V-15122 Medium The database should not be directly accessible from public or unauthorized networks.
V-15131 Medium Sensitive information stored in the database should be protected by encryption.
V-15132 Medium Database data files containing sensitive information should be encrypted.
V-43137 Medium DBMS cryptography must be NIST FIPS 140-2 validated.
V-15179 Medium The DBMS should not share a host supporting an independent security service.
V-3827 Medium Audit trail data should be reviewed daily or more frequently.
V-57613 Medium A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-57611 Medium A minimum of two Oracle control files must be defined and configured to be stored on separate, archived physical disks or archived partitions on a RAID device.
V-15621 Medium Network access to the DBMS must be restricted to authorized personnel.
V-3440 Medium Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.
V-15608 Medium Access to DBMS software files and directories should not be granted to unauthorized users.
V-15126 Medium Database backup procedures should be defined, documented and implemented.
V-15620 Medium OS accounts used to execute external procedures should be assigned minimum privileges.
V-15651 Medium Remote DBMS administration should be documented and authorized or disabled.
V-15643 Medium Access to DBMS security data should be audited.
V-2422 Medium The DBMS software installation account should be restricted to authorized users.
V-15625 Medium Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
V-15105 Medium Unauthorized access to external database objects should be removed from application user roles.
V-15107 Medium DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.
V-15106 Medium DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
V-2612 Medium Oracle SQLNet and listener log files should not be accessible to unauthorized users.
V-15102 Medium Automated notification of suspicious activity detected in the audit trail should be implemented.
V-16055 Medium Oracle Application Express or Oracle HTML DB should not be installed on a production database.
V-15109 Medium DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
V-2423 Medium Database software, applications and configuration files should be monitored to discover unauthorized changes.
V-3806 Medium A baseline of database application software should be documented and maintained.
V-15140 Medium Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
V-15143 Medium Database data encryption controls should be configured in accordance with application requirements.
V-3807 Medium All applications that access the database should be logged in the audit trail.
V-15144 Medium Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
V-15146 Medium The DBMS should not be operated without authorization on a host system supporting other application services.
V-15148 Medium DBMS network communications should comply with PPS usage restrictions.
V-15121 Medium DBMS software libraries should be periodically backed up.
V-15120 Medium DBMS backup and restoration files should be protected from unauthorized access.
V-15127 Medium The IAM should review changes to DBA role assignments.
V-6767 Medium The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
V-15659 Medium Credentials used to access remote databases should be protected by encryption and restricted to authorized users.
V-15618 Medium Access to external DBMS executables should be disabled or restricted.
V-3862 Medium The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
V-3863 Medium The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
V-3803 Medium A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
V-15139 Medium Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
V-3842 Medium The Oracle software installation account should not be granted excessive host system privileges.
V-57609 Medium The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
V-3825 Medium Remote administrative connections to the database should be encrypted.
V-15129 Medium Backup and recovery procedures should be developed, documented, implemented and periodically tested.
V-3809 Medium A single database connection configuration file should not be used to configure all database clients.
V-16056 Medium Oracle Configuration Manager should not remain installed on a production system.
V-16057 Medium The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.
V-16054 Medium The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter should not be set to NONE.
V-15662 Medium Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
V-5659 Medium The latest security patches should be installed.
V-15649 Medium The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
V-15108 Medium Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
V-15112 Low The DBMS should be periodically tested for vulnerability management and IA compliance.
V-3728 Low Unused database components, database application software, and database objects should be removed from the DBMS system.
V-3866 Low The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.
V-15150 Low The DBMS requires a System Security Plan containing all required information.
V-16031 Low The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.
V-3805 Low Application software should be owned by a Software Application account.
V-15622 Low DBMS service identification should be unique and should clearly identify the service.
V-2420 Low Database executable and configuration files should be monitored for unauthorized modifications.
V-3726 Low Configuration management procedures should be defined and implemented for database software modifications.
V-15145 Low The DBMS restoration priority should be assigned.
V-3845 Low OS DBA group membership should be restricted to authorized accounts.
V-15138 Low The DBMS IA policies and procedures should be reviewed annually or more frequently.
V-15611 Low The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.