
Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD approved PKI certificates for authentication to the DBMS.


Finding ID: V-220293
Version: O121-C2-015501
Rule ID: SV-220293r666959_rule
IA Controls:
Severity: Medium
Just as individual users must be authenticated, and just as they must use PKI-based authentication, so must any processes that connect to the DBMS. The DoD standard for authentication of a process or device communicating with another process or device is the presentation of a valid, current, DoD-issued Public Key Infrastructure (PKI) certificate that has previously been verified as Trusted by an administrator of the other process or device. This applies both to processes that run on the same server as the DBMS and to processes running on other computers. The Oracle-supplied accounts, SYS, SYSBACKUP, SYSDG, and SYSKM, are exceptions. These cannot currently use certificate-based authentication. For this reason among others, use of these accounts should be restricted to where it is truly needed.
Oracle Database 12c Security Technical Implementation Guide 2022-06-13


Check Text (C-22008r666958_chk)
Review configuration to confirm that accounts used by processes to connect to the DBMS are authenticated using valid, current DoD approved PKI certificates.

If any such account (other than SYS, SYSBACKUP, SYSDG, and SYSKM) is not certificate-based, this is a finding.
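
One way to start this review, shown as an added example that is not part of the STIG text: the query below lists every account other than the four exceptions and flags whether it is mapped to a certificate distinguished name. It assumes certificate-authenticated accounts were created with a DN mapping (IDENTIFIED EXTERNALLY AS or IDENTIFIED GLOBALLY AS a DN), so that EXTERNAL_NAME contains "CN="; that test is a heuristic chosen for this example, not an Oracle-defined indicator.

```sql
-- Added example for the check above; run as a user who can read DBA_USERS.
-- Assumption: a certificate-mapped account has AUTHENTICATION_TYPE of
-- EXTERNAL or GLOBAL and an EXTERNAL_NAME holding a distinguished name.
-- EXTERNAL with an empty EXTERNAL_NAME is typically OS authentication,
-- and PASSWORD means a database password; neither is certificate-based.
SELECT username,
       account_status,
       oracle_maintained,
       authentication_type,
       external_name,
       last_login,
       CASE
         WHEN authentication_type IN ('EXTERNAL', 'GLOBAL')
              AND UPPER(NVL(external_name, '-')) LIKE '%CN=%'
           THEN 'DN-MAPPED'
         ELSE 'NOT CERTIFICATE-BASED'
       END AS cert_review
FROM   dba_users
       -- The four accounts the check text names as exceptions.
WHERE  username NOT IN ('SYS', 'SYSBACKUP', 'SYSDG', 'SYSKM')
ORDER  BY cert_review DESC,   -- NOT CERTIFICATE-BASED rows sort first
          username;
```

The result does not say which accounts are used by processes rather than individual users, and it does not show whether the certificate behind a DN-MAPPED account is valid, current, and DoD-issued; both still have to be established from system documentation and the certificate store.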
Fix Text (F-22000r392011_fix)
For each such account, use DoD certificate-based authentication.