UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15142 DG0166-ORACLE11 SV-24819r1_rule IAKM-1 IAKM-2 IAKM-3 Medium
Description
Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to unauthorized access.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-29383r1_chk )
If Asymmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding.

For each asymmetric key identified as being used to encrypt sensitive data, verify the key owner is an application object owner or other non-DBA account.

If the key owner listed is a DBA, this is a Finding.

If any key owner is not the application object owner account or an account specific to the application as documented in the System Security Plan, this is a Finding.

If any asymmetric keys whose private key is not encrypted exist in the database, this is a Finding.

Review the access permissions to asymmetric keys.

Verify that any permission granted is authorized in the System Security Plan for access to the key.

Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a DBA or other system privileged account results in the generation of an audit record.

This is required because system privileges that allow access to encryption keys may be used to access sensitive data where the privileged user does not have a job function need-to-know the data.

If an audit record is not generated for unauthorized access to the asymmetric key, this is a Finding.
Fix Text (F-26408r1_fix)
Use DoD code-signing certificates to create asymmetric keys stored in the database that are used to encrypt sensitive data stored in the database.

Assign the application object owner account as the owner of asymmetric keys used by the application.

Create audit events for access to the key by other than the application owner account or approved application objects.

Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users.

Protect the private key by encrypting it with the database system master key where available.

Where available, store encryption keys and certificates on hardware security modules (HSM).

Oracle Advanced Security is required to provide asymmetric key management features.