Changes to DBMS security labels must be audited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-61527	O121-BP-026200	SV-76017r1_rule		Medium

Description
Some DBMS systems provide the feature to assign security labels to data elements. The confidentiality and integrity of the data depends upon the security label assignment where this feature is in use. Changes to security label assignment may indicate suspicious activity.

STIG	Date
Oracle Database 12c Security Technical Implementation Guide	2015-12-21

Details

Check Text ( C-62399r1_chk )
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is not a finding. If Standard Auditing is used: From SQLPlus: select from dba_sa_audit_options; If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQLPlus command: SELECT FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns the value "TRUE", this is not a finding. To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.

Check Text ( C-62399r1_chk )

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is not a finding.

If Standard Auditing is used:
From SQL*Plus:

select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';
If Oracle returns the value "TRUE", this is not a finding.

To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.

Fix Text (F-67443r1_fix)
Define the policy for auditing changes to security labels defined for the data. Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy. If using Standard Auditing: If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax: SA_AUDIT_ADMIN.AUDIT ( policy_name IN VARCHAR2, users IN VARCHAR2 DEFAULT NULL, audit_option IN VARCHAR2 DEFAULT NULL, audit_type IN VARCHAR2 DEFAULT NULL, success IN VARCHAR2 DEFAULT NULL); For additional information on creating audit policies, refer to the Oracle Database Security Guide http://docs.oracle.com/database/121/OLSAG/packages.htm#i1011868 If Unified Auditing is used: If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax: CREATE AUDIT POLICY policy_name ACTIONS action1 [,action2 ] ACTIONS COMPONENT=OLS component_action1 [, action2]; For additional information on creating audit policies, refer to the Oracle Database Security Guide http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDGBAAC

Fix Text (F-67443r1_fix)

Define the policy for auditing changes to security labels defined for the data.

Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy.

If using Standard Auditing:
If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax:
SA_AUDIT_ADMIN.AUDIT (
policy_name IN VARCHAR2,
users IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL,
audit_type IN VARCHAR2 DEFAULT NULL,
success IN VARCHAR2 DEFAULT NULL);

For additional information on creating audit policies, refer to the Oracle Database Security Guide
http://docs.oracle.com/database/121/OLSAG/packages.htm#i1011868

If Unified Auditing is used:
If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax:
CREATE AUDIT POLICY policy_name
ACTIONS action1 [,action2 ]
ACTIONS COMPONENT=OLS component_action1 [, action2];

For additional information on creating audit policies, refer to the Oracle Database Security Guide
http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDGBAAC