UCF STIG Viewer Logo

Oracle Database 12c Security Technical Implementation Guide


Overview

Date Finding Count (142)
2021-12-13 CAT I (High): 14 CAT II (Med): 126 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-251802 High Oracle database products must be a version supported by the vendor.
V-237745 High Use of the DBMS software installation account must be restricted.
V-220308 High The DBMS software installation account must be restricted to authorized users.
V-220304 High When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
V-220303 High Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-220263 High The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-219838 High The Oracle Listener must be configured to require administration authentication.
V-237696 High DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
V-237697 High Oracle software must be evaluated and patched against newly found vulnerabilities.
V-237698 High DBMS default accounts must be assigned custom passwords.
V-237699 High The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
V-219830 High The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
V-219831 High The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
V-237723 High The DBMS must use multifactor authentication for access to user accounts.
V-219825 Medium Oracle instance names must not contain Oracle version numbers.
V-219824 Medium Access to default accounts used to support replication must be restricted to authorized DBAs.
V-219826 Medium Fixed user and public database links must be authorized for use.
V-237735 Medium The DBMS must enforce password maximum lifetime restrictions.
V-237734 Medium DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
V-237737 Medium The DBMS must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
V-237730 Medium The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-237739 Medium The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-237738 Medium The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity.
V-219829 Medium The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
V-219828 Medium A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-237732 Medium The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-237736 Medium The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
V-220270 Medium The DBMS must produce audit records containing sufficient information to establish what type of events occurred.
V-220271 Medium The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-220272 Medium The DBMS must produce audit records containing sufficient information to establish where the events occurred.
V-220273 Medium The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-220274 Medium The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-220275 Medium The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-220276 Medium The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-220277 Medium The system must protect audit information from any type of unauthorized access.
V-220278 Medium The system must protect audit information from unauthorized modification.
V-220279 Medium The system must protect audit information from unauthorized deletion.
V-237746 Medium The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
V-237747 Medium Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.
V-237740 Medium Database data files containing sensitive information must be encrypted.
V-237741 Medium The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
V-237742 Medium The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks.
V-237743 Medium The system must verify there have not been unauthorized changes to the DBMS software and information.
V-219850 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
V-219851 Medium Application object owner accounts must be disabled when not performing installation or maintenance actions.
V-219852 Medium DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
V-219853 Medium Use of the DBMS installation account must be logged.
V-220309 Medium Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
V-220305 Medium The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-220306 Medium Database software, applications, and configuration files must be monitored to discover unauthorized changes.
V-220307 Medium Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
V-220300 Medium The DBMS must check the validity of data inputs.
V-220301 Medium The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-220302 Medium The DBMS must restrict error messages so only authorized personnel may view them.
V-220267 Medium The DBMS must provide audit record generation capability for organization-defined auditable events within the database.
V-220266 Medium The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-220265 Medium The system must employ automated mechanisms for supporting Oracle user account management.
V-220264 Medium The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
V-220269 Medium The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
V-220268 Medium The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
V-219843 Medium Unauthorized database links must not be defined and active.
V-219842 Medium Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
V-219841 Medium Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
V-219840 Medium Oracle application administration roles must be disabled if not required and authorized.
V-219847 Medium Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
V-219844 Medium Sensitive information from production database exports must be modified before import to a development database.
V-219849 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
V-219848 Medium Application owner accounts must have a dedicated application tablespace.
V-219834 Medium System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
V-219835 Medium System Privileges must not be granted to PUBLIC.
V-220312 Medium The DBMS must separate user functionality (including user interface services) from database management functionality.
V-220311 Medium The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-220310 Medium The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-219839 Medium Application role permissions must not be assigned to the Oracle PUBLIC role.
V-219874 Medium Remote administration must be disabled for the Oracle connection manager.
V-219875 Medium Network client connections must be restricted to supported versions.
V-219872 Medium Remote database or other external access must use fully-qualified names.
V-219873 Medium The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
V-219871 Medium Changes to DBMS security labels must be audited.
V-219868 Medium Changes to configuration options must be audited.
V-219861 Medium The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
V-219862 Medium The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
V-219865 Medium Access to DBMS software files and directories must not be granted to unauthorized users.
V-219867 Medium Network access to the DBMS must be restricted to authorized personnel.
V-219866 Medium Replication accounts must not be granted DBA privileges.
V-237708 Medium The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
V-237709 Medium Administrative privileges must be assigned to database accounts via database roles.
V-237700 Medium The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.
V-237701 Medium The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
V-237702 Medium The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.
V-237703 Medium The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.
V-237704 Medium The DBMS must restrict grants to sensitive information to authorized user roles.
V-237705 Medium A single database connection configuration file must not be used to configure all database clients.
V-237706 Medium The DBMS must be protected from unauthorized access by developers.
V-237707 Medium The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
V-237731 Medium The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
V-237719 Medium The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
V-237718 Medium The system must provide a real-time alert when organization-defined audit failure events occur.
V-237713 Medium The DBMS must verify account lockouts persist until reset by an administrator.
V-237712 Medium OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
V-237711 Medium The DBA role must not be assigned excessive or unauthorized privileges.
V-237710 Medium Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
V-237717 Medium The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-237716 Medium A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-237715 Medium Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-237714 Medium The DBMS must set the maximum number of consecutive invalid logon attempts to three.
V-237733 Medium Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
V-220298 Medium The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
V-220299 Medium The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
V-220292 Medium The DBMS must map the authenticated identity to the user account using PKI-based authentication.
V-220293 Medium Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD approved PKI certificates for authentication to the DBMS.
V-220290 Medium The DBMS must support organizational requirements to enforce password encryption for storage.
V-220291 Medium The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-220296 Medium The DBMS must preserve any organization-defined system state information in the event of a system failure.
V-220297 Medium The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
V-220294 Medium The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
V-220295 Medium The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded.
V-219832 Medium The Oracle SQL92_SECURITY parameter must be set to TRUE.
V-219833 Medium The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
V-219836 Medium Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
V-219837 Medium Object permissions granted to PUBLIC must be restricted.
V-237728 Medium The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.
V-237729 Medium The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.
V-237726 Medium The DBMS must support organizational requirements to enforce minimum password length.
V-237727 Medium The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
V-237724 Medium The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
V-237725 Medium The DBMS must disable user accounts after 35 days of inactivity.
V-237722 Medium DBMS backup and restoration files must be protected from unauthorized access.
V-237720 Medium Database backup procedures must be defined, documented, and implemented.
V-237721 Medium Database recovery procedures must be developed, documented, implemented, and periodically tested.
V-220289 Medium The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-220288 Medium Access to external executables must be disabled or restricted.
V-220285 Medium Unused database components, DBMS software, and database objects must be removed.
V-220284 Medium Default demonstration and sample databases, database objects, and applications must be removed.
V-220287 Medium Use of external executables must be authorized.
V-220286 Medium Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
V-220281 Medium The system must protect audit tools from unauthorized modification.
V-220280 Medium The system must protect audit tools from unauthorized access.
V-220283 Medium Database objects must be owned by accounts authorized for ownership.
V-220282 Medium The system must protect audit tools from unauthorized deletion.
V-219827 Low A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
V-220313 Low The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.