| Finding ID |
Severity |
Title |
Description |
|
V-265879
|
High |
Oracle database products must be a version supported by the vendor. |
Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject... |
|
V-237745
|
High |
Use of the DBMS software installation account must be restricted. |
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the... |
|
V-237739
|
High |
The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 or 140-3 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
Detailed information... |
|
V-237723
|
High |
The DBMS must use multifactor authentication for access to user accounts. |
Multifactor authentication is defined as using two or more factors to achieve authentication.
Factors include:
(i) Something a user knows (e.g., password/PIN);
(ii) Something a user has (e.g., cryptographic identification device, token); or
(iii) Something a user is (e.g., biometric).
The DBMS must be configured to automatically utilize organization-level account... |
|
V-237699
|
High |
The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. |
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel.
Alternative physical protection measures include Protected Distribution... |
|
V-237698
|
High |
DBMS default accounts must be assigned custom passwords. |
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it.
Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked.
One... |
|
V-237697
|
High |
Oracle software must be evaluated and patched against newly found vulnerabilities. |
Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during... |
|
V-237696
|
High |
DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS. |
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the... |
|
V-220308
|
High |
The DBMS software installation account must be restricted to authorized users. |
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
If the application were to allow any user to make changes to software... |
|
V-220304
|
High |
When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password. |
The SRG states: "To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any information that would allow an unauthorized user to compromise the authentication mechanism."
"Obfuscation of user-provided information when typed into the system is a... |
|
V-220303
|
High |
Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any information that would allow an unauthorized user to compromise the authentication mechanism.
Obfuscation of user-provided information when typed into the system is a method used in... |
|
V-220297
|
High |
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. |
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational... |
|
V-220294
|
High |
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms. |
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or... |
|
V-220290
|
High |
The DBMS must support organizational requirements to enforce password encryption for storage. |
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised.
Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database... |
|
V-220266
|
High |
The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy. |
Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by applications, when applicable, to control access between users (or processes acting on behalf of users)... |
|
V-220265
|
High |
The system must employ automated mechanisms for supporting Oracle user account management. |
A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized... |
|
V-220263
|
High |
The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. |
The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can... |
|
V-219838
|
High |
The Oracle Listener must be configured to require administration authentication. |
Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users.... |
|
V-219831
|
High |
The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. |
Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. |
|
V-219830
|
High |
The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE. |
Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user... |
|
V-237747
|
Medium |
Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems. |
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
The DBMS may write audit records to database tables, files in the file system, other kinds of local repositories, or a centralized log... |
|
V-237746
|
Medium |
The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs). |
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
If the application were to allow any user to make changes to software... |
|
V-237743
|
Medium |
The system must verify there have not been unauthorized changes to the DBMS software and information. |
Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also required to employ good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and cryptographic hashes), and to... |
|
V-237742
|
Medium |
The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks. |
A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by DoS attacks.
Employing increased capacity and bandwidth combined with... |
|
V-237741
|
Medium |
The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account. |
Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support-related activity. When these types of... |
|
V-237740
|
Medium |
Database data files containing sensitive information must be encrypted. |
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data.
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Data files that are not encrypted are vulnerable to theft. When data files are not encrypted they can be copied... |
|
V-237738
|
Medium |
The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity. |
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information,... |
|
V-237735
|
Medium |
The DBMS must enforce password maximum lifetime restrictions. |
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it.
Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked.
One... |
|
V-237734
|
Medium |
DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code. |
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it.
Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked.
One... |
|
V-237733
|
Medium |
Procedures for establishing temporary passwords that meet DOD password requirements for new accounts must be defined, documented, and implemented. |
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it.
Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked.
One... |
|
V-237732
|
Medium |
The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed. |
Passwords need to be changed at specific policy-based intervals.
If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has not had enough elements changed to meet the policy requirements.
Changing... |
|
V-237731
|
Medium |
The DBMS must support organizational requirements to enforce password complexity by the number of special characters used. |
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible... |
|
V-237730
|
Medium |
The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used. |
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible... |
|
V-237729
|
Medium |
The DBMS must support organizational requirements to enforce password complexity by the number of lowercase characters used. |
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible... |
|
V-237728
|
Medium |
The DBMS must support organizational requirements to enforce password complexity by the number of uppercase characters used. |
Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible... |
|
V-237727
|
Medium |
The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations. |
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
To meet password policy requirements, passwords need to be changed at specific policy-based intervals.
If the information system or application allows the user to consecutively reuse their password when... |
|
V-237726
|
Medium |
The DBMS must support organizational requirements to enforce minimum password length. |
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
To meet password policy requirements, passwords need to be changed at specific policy-based intervals.
If the information system or application allows the user to consecutively reuse their password when... |
|
V-237725
|
Medium |
The DBMS must disable user accounts after 35 days of inactivity. |
Attackers that are able to exploit an inactive DBMS account can potentially obtain and maintain undetected access to the database.
Owners of inactive DBMS accounts will not notice if unauthorized access to their user account has been obtained. All DBMS need to track periods of user inactivity and disable accounts... |
|
V-237724
|
Medium |
The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator. |
To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated.
A shared authenticator is a generic account used by multiple individuals. Use of a shared authenticator alone does not uniquely identify individual users. An example of... |
|
V-237722
|
Medium |
DBMS backup and restoration files must be protected from unauthorized access. |
Information system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up... |
|
V-237721
|
Medium |
Database recovery procedures must be developed, documented, implemented, and periodically tested. |
Information system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up... |
|
V-237720
|
Medium |
Database backup procedures must be defined, documented, and implemented. |
Information system backup is a critical step in maintaining data assurance and availability.
User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system failure, DoD organizations are required to ensure user-generated data is backed up... |
|
V-237719
|
Medium |
The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself. |
When dealing with access restrictions pertaining to change control, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system.
Accordingly, only qualified and authorized individuals must be allowed to obtain... |
|
V-237718
|
Medium |
The system must provide a real-time alert when organization-defined audit failure events occur. |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
If audit log capacity were to... |
|
V-237717
|
Medium |
The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. |
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
If audit log capacity were to... |
|
V-237716
|
Medium |
A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user. |
DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment.... |
|
V-237715
|
Medium |
Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. |
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via... |
|
V-237714
|
Medium |
The DBMS must set the maximum number of consecutive invalid logon attempts to three. |
Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access.
To defeat these attempts, organizations define the number of times a user account may consecutively fail a logon attempt. The organization also defines... |
|
V-237713
|
Medium |
The DBMS must verify account lockouts persist until reset by an administrator. |
Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access.
To defeat these attempts, organizations define the number of times a user account may consecutively fail a logon attempt. The organization also defines... |
|
V-237712
|
Medium |
OS accounts utilized to run external procedures called by the DBMS must have limited privileges. |
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC) is being implemented and where a change of role provides the... |
|
V-237710
|
Medium |
Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information. |
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the... |
|
V-237709
|
Medium |
Administrative privileges must be assigned to database accounts via database roles. |
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or... |
|
V-237708
|
Medium |
The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users. |
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or... |
|
V-237707
|
Medium |
The DBMS must be protected from unauthorized access by developers on shared production/development host systems. |
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or... |
|
V-237706
|
Medium |
The DBMS must be protected from unauthorized access by developers. |
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or... |
|
V-237705
|
Medium |
A single database connection configuration file must not be used to configure all database clients. |
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or... |
|
V-237703
|
Medium |
The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user. |
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains).
DAC is a... |
|
V-237702
|
Medium |
The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours. |
Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the... |
|
V-237701
|
Medium |
The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts. |
Temporary application accounts could be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support-related activity. When these types of accounts are created, there is a risk that the temporary account... |
|
V-237700
|
Medium |
The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure. |
This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization controlled network (e.g., the internet). Examples of remote access methods... |
|
V-220312
|
Medium |
The DBMS must separate user functionality (including user interface services) from database management functionality. |
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access.
The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of... |
|
V-220311
|
Medium |
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). |
Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations).
Non-organizational users shall be uniquely identified and authenticated for all accesses other than those accesses explicitly... |
|
V-220310
|
Medium |
The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). |
To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations).
Users (and any processes acting on behalf of users) are uniquely identified... |
|
V-220309
|
Medium |
Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications. |
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit... |
|
V-220307
|
Medium |
Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes. |
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. This includes the logic modules implemented within the database, such as packages, procedures, functions and triggers.
If the DBMS were to allow any... |
|
V-220306
|
Medium |
Database software, applications, and configuration files must be monitored to discover unauthorized changes. |
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the... |
|
V-220305
|
Medium |
The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. |
In order to ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as... |
|
V-220302
|
Medium |
The DBMS must restrict error messages so only authorized personnel may view them. |
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify... |
|
V-220301
|
Medium |
The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. |
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team.
The extent to which the... |
|
V-220300
|
Medium |
The DBMS must check the validity of data inputs. |
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods... |
|
V-220299
|
Medium |
The DBMS must prevent unauthorized and unintended information transfer via shared system resources. |
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a... |
|
V-220298
|
Medium |
The DBMS must isolate security functions from nonsecurity functions by means of separate security domains. |
Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based".
Developers and implementers can increase the assurance in security functions by employing well-defined security policy... |
|
V-220296
|
Medium |
The DBMS must preserve any organization-defined system state information in the event of a system failure. |
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.... |
|
V-220295
|
Medium |
The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded. |
This requirement focuses on communications protection at the application session, versus network packet, level.
Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the... |
|
V-220293
|
Medium |
Oracle Database must map the PKI-authenticated identity to an associated user account. |
The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions. |
|
V-220291
|
Medium |
The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. |
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can... |
|
V-220289
|
Medium |
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services. |
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Additionally, it is sometimes convenient to provide multiple services from a single component of an... |
|
V-220288
|
Medium |
Access to external executables must be disabled or restricted. |
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as... |
|
V-220287
|
Medium |
Use of external executables must be authorized. |
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
|
V-220286
|
Medium |
Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled. |
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
|
V-220285
|
Medium |
Unused database components, DBMS software, and database objects must be removed. |
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
|
V-220284
|
Medium |
Default demonstration and sample databases, database objects, and applications must be removed. |
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or... |
|
V-220283
|
Medium |
Database objects must be owned by accounts authorized for ownership. |
Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants and alterations, and unauthorized modifications to data.
If critical tables or other objects... |
|
V-220282
|
Medium |
The system must protect audit tools from unauthorized deletion. |
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data.
It is, therefore, imperative that access to... |
|
V-220281
|
Medium |
The system must protect audit tools from unauthorized modification. |
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data.
If the tools are compromised it could... |
|
V-220280
|
Medium |
The system must protect audit tools from unauthorized access. |
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data.
Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to... |
|
V-220279
|
Medium |
The system must protect audit information from unauthorized deletion. |
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be... |
|
V-220278
|
Medium |
The system must protect audit information from unauthorized modification. |
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.
This requirement can be... |
|
V-220277
|
Medium |
The system must protect audit information from any type of unauthorized access. |
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage.
To ensure the... |
|
V-220276
|
Medium |
The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
In addition, the... |
|
V-220275
|
Medium |
The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Database software is... |
|
V-220274
|
Medium |
The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to: timestamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, file names involved, access control,... |
|
V-220273
|
Medium |
The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, but is not limited to: timestamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, file names involved, access control... |
|
V-220272
|
Medium |
The DBMS must produce audit records containing sufficient information to establish where the events occurred. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Without sufficient information... |
|
V-220271
|
Medium |
The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Database software is... |
|
V-220270
|
Medium |
The DBMS must produce audit records containing sufficient information to establish what type of events occurred. |
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked.
Database software is... |
|
V-220269
|
Medium |
The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available. |
Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well.
The list of audited events is the set of events for which audits are to be generated.... |
|
V-220268
|
Medium |
The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database. |
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, timestamps, source and destination addresses, user/process... |
|
V-220267
|
Medium |
The DBMS must provide audit record generation capability for organization-defined auditable events within the database. |
Audit records can be generated from various components within the information system. (e.g., network interface, hard disk, modem, etc.). From an application perspective, certain specific application functionalities may be audited as well.
The list of audited events is the set of events for which audits are to be generated. This... |
|
V-220264
|
Medium |
The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions. |
Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in limiting risks related to Denial of Service attacks.
This requirement addresses concurrent session control for a single information system account... |
|
V-219875
|
Medium |
Network client connections must be restricted to supported versions. |
Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls. |
|
V-219874
|
Medium |
Remote administration must be disabled for the Oracle connection manager. |
Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service. |
|
V-219873
|
Medium |
The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. |
|
|
V-219872
|
Medium |
Remote database or other external access must use fully-qualified names. |
The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both, ambiguity is avoided and unauthorized or unintended connections to remote databases are less likely. |
|
V-219871
|
Medium |
Changes to DBMS security labels must be audited. |
Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation options include the Oracle Label Security package, or a third-party product, or custom-developed functionality. The confidentiality and integrity of the data depends upon the security label assignment where this feature is in... |
|
V-219868
|
Medium |
Changes to configuration options must be audited. |
When standard auditing is in use, the AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle database. It is the account accessed by users connecting to the database... |
|
V-219867
|
Medium |
Network access to the DBMS must be restricted to authorized personnel. |
Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users. |
|
V-219866
|
Medium |
Replication accounts must not be granted DBA privileges. |
Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and credentials. If the replication account is compromised and it has... |
|
V-219865
|
Medium |
Access to DBMS software files and directories must not be granted to unauthorized users. |
The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system. |
|
V-219862
|
Medium |
The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files. |
The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the DBMS). Unauthorized access or loss of integrity of the audit trail could result in loss of accountability or the ability to... |
|
V-219861
|
Medium |
The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files. |
Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database, resource contention and security controls are required to isolate and protect an application's data from other applications. In addition, it is an Oracle... |
|
V-219853
|
Medium |
Use of the DBMS installation account must be logged. |
The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost. |
|
V-219852
|
Medium |
DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems. |
Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities. |
|
V-219850
|
Medium |
The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. |
The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assignment of privileges based on job function. Additionally, its use may provide access to external files and data to unauthorized users. |
|
V-219849
|
Medium |
The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access. |
The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the protection of archive log files is critical. Archive log files may also contain unencrypted sensitive data. If written to... |
|
V-219848
|
Medium |
Application owner accounts must have a dedicated application tablespace. |
Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access controls. Application data must be stored separately from system and custom user-defined objects to facilitate administration and management of its data storage. The... |
|
V-219847
|
Medium |
Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace. |
The Oracle SYSTEM tablespace is used by the database to store all DBMS system objects. Other use of the system tablespace may compromise system availability and the effectiveness of host system access controls to the tablespace files. |
|
V-219844
|
Medium |
Sensitive information from production database exports must be modified before import to a development database. |
Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 for a definition... |
|
V-219843
|
Medium |
Unauthorized database links must not be defined and active. |
DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database links between production and development DBMSs provide a means for developers to access production data not authorized for their access... |
|
V-219842
|
Medium |
Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions. |
Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues must be monitored regularly to detect any such unauthorized job submissions. |
|
V-219841
|
Medium |
Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
|
Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where either or both systems are located in the DMZ (or on... |
|
V-219840
|
Medium |
Oracle application administration roles must be disabled if not required and authorized. |
Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges. |
|
V-219839
|
Medium |
Application role permissions must not be assigned to the Oracle PUBLIC role. |
Permissions granted to PUBLIC are granted to all users of the database. Custom roles must be used to assign application permissions to functional groups of application users. The installation of Oracle does not assign role permissions to PUBLIC. |
|
V-219837
|
Medium |
Object permissions granted to PUBLIC must be restricted. |
Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC must be restricted to... |
|
V-219836
|
Medium |
Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. |
The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts... |
|
V-219835
|
Medium |
System Privileges must not be granted to PUBLIC. |
System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey considerable authority over the database and should be granted only to those persons responsible for administering the... |
|
V-219834
|
Medium |
System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts. |
The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts... |
|
V-219833
|
Medium |
The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. |
It is critically important to the security of your system that you protect your password file and the environment variables that identify the location of the password file. Any user with access to these could potentially compromise the security of the connection.
The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration... |
|
V-219832
|
Medium |
The Oracle SQL92_SECURITY parameter must be set to TRUE. |
The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled (set to FALSE), the UPDATE privilege can be used to determine values that should require SELECT privileges.
The SQL92_SECURITY setting of TRUE prevents... |
|
V-219829
|
Medium |
The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts. |
An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged account exploitation. Application user accounts must never require WITH GRANT OPTION privileges since, by definition, they require only privileges to execute procedures or view... |
|
V-219828
|
Medium |
A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. |
The Oracle redo log files store the detailed information on changes made to the database. This information is critical to database recovery in case of a database failure. |
|
V-219826
|
Medium |
Fixed user and public database links must be authorized for use. |
Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote databases in the distributed database environment. Limiting or eliminating use of database links where they are not... |
|
V-219825
|
Medium |
Oracle instance names must not contain Oracle version numbers. |
Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malicious user may use that information to develop a targeted attack. |
|
V-219824
|
Medium |
Access to default accounts used to support replication must be restricted to authorized DBAs. |
Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases participating in the replication. Replication connections use fixed user database links. This means that access to the replication account on one server provides access... |
|
V-220313
|
Low |
The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action. |
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.
Non-repudiation protects individuals against later claims by an author of not having... |
|
V-219827
|
Low |
A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device. |
Oracle control files are used to store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database files as well as at system startup to verify the validity of system data and log files. Loss of access to the control files can affect database... |
