V-2555 | High | The Oracle REMOTE_OS_ROLES parameter should be set to FALSE. | Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is... |
V-2554 | High | The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE. | Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and... |
V-16035 | Medium | The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3. | The SEC_MAX_FAILED_LOGIN_ATTEMPTS prevents multiple failed login attempts by a single connection. The parameter differs from the limit set on user profiles and applied to failed login attempts to... |
V-16033 | Medium | Case sensitivity for passwords should be enabled. | Enablement of password case sensitivity allows Oracle password complexity to meet DoD password requirements. Password complexity decreases the likelihood of successful password attacks by malicious users. |
V-2515 | Medium | The audit table should be owned by SYS or SYSTEM. | Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to... |
V-2517 | Medium | Oracle instance names should not contain Oracle version numbers. | Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malicious user may use that information to develop a... |
V-2516 | Medium | Access to default accounts used to support replication should be restricted to authorized DBAs. | Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases... |
V-2511 | Medium | Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs. | The Oracle SYS account has all database privileges assigned to it (SYSDBA). This account is used to manage the database availability status (startup and shutdown). The SYS account is used by any... |
V-15654 | Medium | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. | Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for... |
V-3810 | Medium | DBMS authentication should require use of a DoD PKI certificate. | In a properly configured DBMS, access controls defined for data access and DBMS management actions are assigned based on the user identity and job function. Unauthenticated or falsely... |
V-15623 | Medium | DBMS system data files should be stored in dedicated disk directories. | DBMS system data files have different access control requirements than application data and log files. Granting access to system data files beyond those required for system operations could lead... |
V-2593 | Medium | The Oracle RESOURCE_LIMIT parameter should be set to TRUE. | The Oracle RESOURCE_LIMIT parameter determines whether resource limits are enforced in database profiles. If Oracle resource limits are disabled, any defined profile limits will be ignored. NOTE:... |
V-15154 | Medium | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users. |
V-15133 | Medium | Transaction logs should be periodically reviewed for unauthorized modification of data. | Unauthorized or malicious changes to data compromise the integrity and usefulness of the data. Auditing changes to data supports accountability and non-repudiation. Auditing changes to data may be... |
V-2556 | Medium | The Oracle SQL92_SECURITY parameter should be set to TRUE. | The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled... |
V-3818 | Medium | Unauthorized database links should not be defined and active. | DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems.... |
V-15632 | Medium | Use of DBA accounts should be restricted to administrative activities. | Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for... |
V-3857 | Medium | The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE. | The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete... |
V-3854 | Medium | The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access. | The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the... |
V-3850 | Medium | The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access. | The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the... |
V-2520 | Medium | Fixed user and public database links should be authorized for use. | Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote... |
V-15645 | Medium | Changes to configuration options must be audited. | The AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle... |
V-15626 | Medium | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict... |
V-2507 | Medium | Audit trail data should be retained for one year. | Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and... |
V-2564 | Medium | System Privileges should not be granted to PUBLIC. | System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey... |
V-15609 | Medium | Default demonstration and sample database objects and applications should be removed. | Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of... |
V-2561 | Medium | System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts. | The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel.... |
V-2562 | Medium | Required object auditing should be configured. | Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or... |
V-15619 | Medium | Replication accounts should not be granted DBA privileges. | Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database... |
V-2552 | Medium | The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy. | The Idle Time Resource Usage setting limits the maximum idle time allowed in a session. Idle time is a continuous inactive period during a session, expressed in minutes. Long-running queries and... |
V-15747 | Medium | The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. | <DIAGNOSTIC_DEST>/diag indicates the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful... |
V-2521 | Medium | A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. | Oracle control files are used to store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database files as well as at system startup to... |
V-2522 | Medium | A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. | The Oracle redo log files store the detailed information on changes made to the database. This information is critical to database recovery in case of a database failure. |
V-15627 | Medium | Administrative privileges should be assigned to database accounts via database roles. | Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined... |
V-15660 | Medium | Remote database or other external access should use fully-qualified names. | The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both,... |
V-2527 | Medium | The DBA role should not be granted to unauthorized user accounts. | The DBA role is very powerful and access to it should be restricted. Verify that any database account granted the DBA role is explicitly authorized by the IAO. In addition to full access to... |
V-15628 | Medium | DBMS application users should not be granted administrative privileges to the DBMS. | Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against... |
V-15128 | Medium | DBMS application user roles should not be assigned unauthorized privileges. | Unauthorized access to the data can lead to loss of confidentiality and integrity of the data. |
V-5685 | Medium | Required auditing parameters for database auditing should be set. | Oracle auditing can be set to log audit data to the database or operating system files. Logging events to the database prevents operating system users from viewing the data, while logging events... |
V-5686 | Medium | Audit records should be restricted to authorized individuals. | Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to... |
V-15629 | Medium | Application users privileges should be restricted to assignment using application user roles. | Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned... |
V-3808 | Medium | Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. | Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These... |
V-3437 | Medium | Application role permissions should not be assigned to the Oracle PUBLIC role. | Application roles have been granted to PUBLIC. Permissions granted to PUBLIC are granted to all users of the database. Custom roles should be used to assign application permissions to functional... |
V-2589 | Medium | Object permissions granted to PUBLIC should be restricted. | Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database... |
V-15141 | Medium | DBMS processes or services should run under custom, dedicated OS accounts. | Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of... |
V-3846 | Medium | Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace. | The Oracle SYSTEM tablespace is used by the database to store all DBMS system objects. Other use of the system tablespace may compromise system availability and the effectiveness of host system... |
V-3849 | Medium | Application owner accounts should have a dedicated application tablespace. | Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access... |
V-3820 | Medium | Production databases should be protected from unauthorized access by developers on shared production/development host systems. | Developers granted elevated database, operating system privileges on systems that support both development, and production databases can affect the operation and/or security of the production... |
V-3821 | Medium | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review... |
V-2533 | Medium | The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts. | An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged... |
V-15607 | Medium | Application objects should be owned by accounts authorized for ownership. | Database object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of... |
V-15142 | Medium | Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. | Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to... |
V-16053 | Medium | The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP. | The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or... |
V-5683 | Medium | Application object owner accounts should be disabled when not performing installation or maintenance actions. | Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of... |
V-3439 | Medium | Oracle system privileges should not be directly assigned to unauthorized accounts. | System privileges allow system-wide changes to the database or database objects. Unauthorized use of system privileges may jeopardize production applications, application data, or the database... |
V-3438 | Medium | Oracle application administration roles should be disabled if not required and authorized. | Application administration roles, which are assigned system or elevated application object privileges, should be protected from default activation. Application administration roles are determined... |
V-15615 | Medium | The DBA role should not be assigned excessive or unauthorized privileges. | Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down or open in restricted mode) in addition to all privileges... |
V-2558 | Medium | The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE. | The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of "EXCLUSIVE" allows for auditing of individual DBA logins... |
V-15617 | Medium | Access to external objects should be disabled if not required and authorized. | The UTL_FILE package allows host file access from within the database using the permissions and privileges assigned to the Oracle database process or service. This package should be used with... |
V-2539 | Medium | Execute permission should be revoked from PUBLIC for restricted Oracle packages. | Access to the following packages should be restricted to authorized accounts only. UTL_FILE: allows Oracle accounts to read and write files on the host operating system. UTL_SMTP: allows messages... |
V-2574 | Medium | Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts. | The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized... |
V-2519 | Low | The Oracle OS_ROLES parameter should be set to FALSE. | The OS_ROLES parameter specifies whether Oracle roles are defined and managed by the DBMS or by the host operating system. To maintain and support the separation of duties between host system... |
V-15114 | Low | Developers should not be assigned excessive privileges on production databases. | Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS... |
V-3727 | Low | Database applications should be restricted from using static DDL statements to modify the application schema. | Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define... |
V-2586 | Low | The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE. | The database data dictionary tables contain the data used by the database for database functions including database authentication and authorization as well as database configuration and control.... |
V-15149 | Low | DBA roles assignments should be assigned and authorized by the IAO. | The DBA role and associated privileges provide complete control over the DBMS operation and integrity. DBA role assignment without authorization could lead to the assignment of these privileges to... |
V-3865 | Low | The XDB Protocol server should be uninstalled if not required and authorized for use. | The XML DB supports storage and retrieval of XML data objects in the Oracle Database. It requires the configuration of an Oracle shared-server dispatcher that is activated / used by the Oracle... |
V-3847 | Low | Database application user accounts should be denied storage usage for object creation within the database. | Tablespace storage quotas allow limits on storage use to be assigned to Oracle database users. Although this does not grant the user the privilege to create objects within the database, it... |
V-3848 | Low | The Oracle SID should not be the default SID. | Use of the default Oracle System Identifier (SID) leaves the database vulnerable to attacks that target Oracle installations running under default SID. Using a custom name helps protect the... |
V-2531 | Low | The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$. | The OS_AUTHENT_PREFIX parameter defines the prefix for database account names to be identified EXTERNALLY by the operating system. When set to the special value of OPS$, accounts defined with the... |
V-3823 | Low | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or... |