The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest unless the data is otherwise protected by alternative physical measures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-61773	O121-C2-018400	SV-76263r1_rule		Medium

Description
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Alternative physical protection measures include protected distribution systems.

Description

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Alternative physical protection measures include protected distribution systems.

STIG	Date
Oracle Database 12c Security Technical Implementation Guide	2015-12-21

Details

Check Text ( C-62651r2_chk )
Check DBMS settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information at rest. Determine whether physical measures are being used instead of cryptographic mechanisms. If neither cryptographic nor physical measures are being utilized, this is a finding. Oracle recommends using Transparent Data Encryption to protect data at rest. In order to check to see if the data is encrypted, for example, upon an auditor's request, Oracle provides views that document the encryption status of the database. For TDE column encryption, use the view 'dba_encrypted_columns', which lists the owner, table name, column name, encryption algorithm, and salt for all encrypted columns. For TDE tablespace encryption, the following SQL statement lists all encrypted tablespaces with their encryption algorithm and corresponding, encrypted, data files. Issue the following commands to check to see if the data at rest is encrypted. $ sqlplus connect as sysdba SQL> SELECT t.name "TSName", e.encryptionalg "Algorithm", d.file_name "File Name" FROM v$tablespace t, v$encrypted_tablespaces e, dba_data_files d WHERE t.ts# = e.ts# and t.name = d.tablespace_name; The next SQL statement lists the table owner, tables within encrypted tablespaces, and the encryption algorithm: SQL> SELECT a.owner "Owner", a.table_name "Table Name", e.encryptionalg "Algorithm" FROM dba_tables a, v$encrypted_tablespaces e WHERE a.tablespace_name in (select t.name from v$tablespace t, v$encrypted_tablespaces e where t.ts# = e.ts#);

Check Text ( C-62651r2_chk )

Check DBMS settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information at rest. Determine whether physical measures are being used instead of cryptographic mechanisms.

If neither cryptographic nor physical measures are being utilized, this is a finding.

Oracle recommends using Transparent Data Encryption to protect data at rest.

In order to check to see if the data is encrypted, for example, upon an auditor's request, Oracle provides views that document the encryption status of the database. For TDE column encryption, use the view 'dba_encrypted_columns', which lists the owner, table name, column name, encryption algorithm, and salt for all encrypted columns. For TDE tablespace encryption, the following SQL statement lists all encrypted tablespaces with their encryption algorithm and corresponding, encrypted, data files. Issue the following commands to check to see if the data at rest is encrypted.

$ sqlplus connect as sysdba

SQL> SELECT t.name "TSName",
e.encryptionalg "Algorithm",
d.file_name "File Name"
FROM v$tablespace t,
v$encrypted_tablespaces e,
dba_data_files d
WHERE t.ts# = e.ts#
and t.name = d.tablespace_name;

The next SQL statement lists the table owner, tables within encrypted tablespaces, and the encryption algorithm:

SQL> SELECT a.owner "Owner",
a.table_name "Table Name",
e.encryptionalg "Algorithm"
FROM dba_tables a,
v$encrypted_tablespaces e
WHERE a.tablespace_name in (select t.name from v$tablespace t, v$encrypted_tablespaces e where t.ts# = e.ts#);

Fix Text (F-67689r1_fix)
Configure DBMS to use cryptographic mechanisms to prevent unauthorized disclosure of information at rest where physical measures are not being utilized. Deploy Oracle Advanced Security option, a locally developed encryption system, or a third-party product to encrypt data at rest. If ASO is not an option, use site-specific procedures to secure data at rest.