UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle Database 11g Instance STIG


Overview

Date Finding Count (92)
2015-03-26 CAT I (High): 3 CAT II (Med): 78 CAT III (Low): 11
STIG Description
The Oracle Database 11g Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2555 High The Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
V-2554 High The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
V-15635 High DBMS default accounts should be assigned custom passwords.
V-16035 Medium The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3.
V-16033 Medium Case sensitivity for passwords should be enabled.
V-3810 Medium DBMS authentication should require use of a DoD PKI certificate.
V-3817 Medium Database accounts should not specify account lock times less than the site-approved minimum.
V-3815 Medium New passwords must be required to differ from old passwords by more than four characters.
V-15130 Medium Unapproved inactive or expired database accounts should not be found on the database.
V-3819 Medium Sensitive information from production database exports should be modified after import to a development database.
V-3818 Medium Unauthorized database links should not be defined and active.
V-15637 Medium DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
V-15647 Medium Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
V-15644 Medium Attempts to bypass access controls should be audited.
V-15642 Medium Access grants to sensitive data should be restricted to authorized user roles.
V-2552 Medium The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
V-15747 Medium The directory assigned to the DIAGNOSTIC_DEST parameter should be protected from unauthorized access.
V-2564 Medium System Privileges should not be granted to PUBLIC.
V-15633 Medium Password reuse should be prevented where supported by the DBMS.
V-15632 Medium Use of DBA accounts should be restricted to administrative activities.
V-15631 Medium Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
V-15630 Medium Access to sensitive data should be restricted to authorized users identified by the Information Owner.
V-2556 Medium The Oracle SQL92_SECURITY parameter should be set to TRUE.
V-2558 Medium The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
V-15639 Medium Unlimited account lock times should be specified for locked accounts.
V-15133 Medium Transaction logs should be periodically reviewed for unauthorized modification of data.
V-15623 Medium DBMS system data files should be stored in dedicated disk directories.
V-15624 Medium DBMS data files should be dedicated to support individual applications.
V-15626 Medium Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
V-15627 Medium Administrative privileges should be assigned to database accounts via database roles.
V-15628 Medium DBMS application users should not be granted administrative privileges to the DBMS.
V-15629 Medium Application users privileges should be restricted to assignment using application user roles.
V-2561 Medium System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
V-2562 Medium Required object auditing should be configured.
V-2508 Medium Unauthorized user accounts should not exist.
V-2507 Medium Audit trail data should be retained for one year.
V-15634 Medium DBMS account passwords should not be set to easily guessed words or values.
V-5683 Medium Application object owner accounts should be disabled when not performing installation or maintenance actions.
V-5685 Medium Required auditing parameters for database auditing should be set.
V-5686 Medium Audit records should be restricted to authorized individuals.
V-2589 Medium Object permissions granted to PUBLIC should be restricted.
V-3846 Medium Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
V-3849 Medium Application owner accounts should have a dedicated application tablespace.
V-15619 Medium Replication accounts should not be granted DBA privileges.
V-15615 Medium The DBA role should not be assigned excessive or unauthorized privileges.
V-15617 Medium ccess to external objects should be disabled if not required and authorized.
V-15613 Medium Each database user, application or process should have an individually assigned account.
V-2574 Medium Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
V-2515 Medium The audit table should be owned by SYS or SYSTEM.
V-2517 Medium Oracle instance names should not contain Oracle version numbers.
V-2516 Medium Access to default accounts used to support replication should be restricted to authorized DBAs.
V-2511 Medium Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
V-2593 Medium The Oracle RESOURCE_LIMIT parameter should be set to TRUE.
V-3857 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE.
V-3854 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
V-3850 Medium The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
V-15609 Medium Default demonstration and sample database objects and applications should be removed.
V-15607 Medium Application objects should be owned by accounts authorized for ownership.
V-2520 Medium Fixed user and public database links should be authorized for use.
V-2521 Medium A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-2522 Medium A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-15660 Medium Remote database or other external access should use fully-qualified names.
V-2527 Medium The DBA role should not be granted to unauthorized user accounts.
V-15141 Medium DBMS processes or services should run under custom, dedicated OS accounts.
V-15142 Medium Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
V-3820 Medium Production databases should be protected from unauthorized access by developers on shared production/development host systems.
V-3821 Medium Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-3439 Medium Oracle system privileges should not be directly assigned to unauthorized accounts.
V-3438 Medium Oracle application administration roles should be disabled if not required and authorized.
V-3437 Medium Application role permissions should not be assigned to the Oracle PUBLIC role.
V-15654 Medium DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
V-15657 Medium Changes to DBMS security labels should be audited.
V-15154 Medium Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
V-15152 Medium DBMS login accounts require passwords to meet complexity requirements.
V-15153 Medium DBMS account passwords should be set to expire every 60 days or more frequently.
V-2424 Medium All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
V-15128 Medium DBMS application user roles should not be assigned unauthorized privileges.
V-3808 Medium Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
V-16053 Medium The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.
V-2533 Medium The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
V-2539 Medium Execute permission should be revoked from PUBLIC for restricted Oracle packages.
V-3865 Low The XDB Protocol server should be uninstalled if not required and authorized for use.
V-15114 Low Developers should not be assigned excessive privileges on production databases.
V-2586 Low The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
V-3847 Low Database application user accounts should be denied storage usage for object creation within the database.
V-3848 Low The Oracle SID should not be the default SID.
V-15616 Low Sensitive data should be labeled.
V-2519 Low The Oracle OS_ROLES parameter should be set to FALSE.
V-3727 Low Database applications should be restricted from using static DDL statements to modify the application schema.
V-15149 Low DBA roles assignments should be assigned and authorized by the IAO.
V-3823 Low Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
V-2531 Low The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.