Oracle Database 19c Security Technical Implementation Guide

Overview

Version: 1
Date: 2025-02-14
Finding Count (95): CAT I (High): 15, CAT II (Medium): 79, CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID Severity Title Description
V-270585 High Oracle Database software must be evaluated and patched against newly found vulnerabilities. Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered...
V-270579 High Oracle Database must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved using Transport Layer Security (TLS), secure sockets layer (SSL) virtual private network (VPN), or IPsec tunnel. Alternative physical protection measures include Protected...
V-270574 High Oracle Database must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational...
V-270571 High Oracle Database must implement NIST FIPS 140-2/140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements. Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner...
V-270569 High Oracle Database must use NIST-validated FIPS 140-2/140-3 compliant cryptography for authentication mechanisms. Use of weak or not validated cryptographic algorithms undermines the purposes of using encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or...
V-270568 High When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password. The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Normally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the database management system (DBMS), such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction,...
V-270566 High Oracle Database, when using public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and can...
V-270564 High Oracle Database must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate and requires authorizing official (AO) approval. In such cases, database passwords stored in clear text, using reversible...
V-270545 High Oracle Database default accounts must be assigned custom passwords. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked. One...
V-270544 High Database administrator (DBA) OS accounts must be granted only those host system privileges necessary for the administration of the Oracle Database. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the...
V-270531 High The Oracle Listener must be configured to require administration authentication. Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to denial-of-service (DoS) exploits, loss of connection audit data, unauthorized reconfiguration, or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized...
V-270516 High The Oracle Database software installation account must be restricted to authorized users. When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. If the system were to allow any user to make changes to software libraries,...
V-270513 High Oracle Database products must be a version supported by the vendor. Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject...
V-270500 High Oracle Database must enforce approved authorizations for logical access to the system in accordance with applicable policy. Authentication with a DOD-approved public key infrastructure (PKI) certificate does not necessarily imply authorization to access the database management system (DBMS). To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems, including databases, must be properly configured...
V-270499 High Oracle Database must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive...
V-270589 Medium Oracle Database must include only approved trust anchors in trust stores or certificate stores managed by the organization. Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed...
V-270588 Medium Oracle Database must, for password-based authentication, require immediate selection of a new password upon account recovery. Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication (MFA). Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character...
V-270587 Medium Oracle Database must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a). Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication (MFA). Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character...
V-270586 Medium Oracle Database must disable accounts when the accounts have expired. Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
V-270584 Medium Oracle Database must restrict error messages so only authorized personnel may view them. Any database management system (DBMS) or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. Databases can inadvertently...
V-270583 Medium Oracle Database must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. Any database management system (DBMS) or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. Databases can inadvertently...
V-270582 Medium The database management system (DBMS) and associated applications, when making use of dynamic code execution, must take steps against invalid values that may be used in a SQL injection attack, therefore resulting in steps to prevent a SQL injection attack. With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being...
V-270581 Medium The database management system (DBMS) and associated applications must reserve the use of dynamic code execution for situations that require it. With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being...
V-270580 Medium Oracle Database must check the validity of data inputs. Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods...
V-270578 Medium Access to Oracle Database files must be limited to relevant processes and to authorized, administrative users. Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor...
V-270577 Medium Oracle Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. Data used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer...
V-270576 Medium Oracle Database must isolate security functions from nonsecurity functions by means of separate security domains. An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the...
V-270575 Medium Oracle Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. Database management systems (DBMSs) handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation....
V-270573 Medium Oracle Database must preserve any organization-defined system state information in the event of a system failure. Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system....
V-270572 Medium Oracle Database must separate user functionality (including user interface services) from database management functionality. Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of...
V-270570 Medium Oracle Database must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). Nonorganizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Nonorganizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly...
V-270567 Medium Oracle Database must map the authenticated identity to the user account using public key infrastructure (PKI)-based authentication. The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a database management system (DBMS) user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.
V-270565 Medium If passwords are used for authentication, the Oracle Database must transmit only encrypted representations of passwords. The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval. In such cases, passwords need to be protected at all times,...
V-270563 Medium Oracle Database must enforce password maximum lifetime restrictions. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked. One...
V-270562 Medium Procedures for establishing temporary passwords that meet DOD password requirements for new accounts must be defined, documented, and implemented. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter how complex, can eventually be cracked. One...
V-270561 Medium Oracle Database must enforce the DOD standards for password complexity. OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native database management system (DBMS) authentication may be used only when circumstances make it unavoidable; and must be documented and authorizing official (AO)-approved. The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used...
V-270560 Medium Oracle Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified...
V-270559 Medium Oracle Database must ensure users are authenticated with an individual authenticator prior to using a shared authenticator. To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A shared authenticator is a generic account used by multiple individuals. Use of a shared authenticator alone does not uniquely identify individual users. An example of...
V-270558 Medium Oracle Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems. Applications are capable of providing a wide variety of functions and services. Some of...
V-270557 Medium Access to external executables must be disabled or restricted. The Oracle external procedure capability provides use of the Oracle process account outside the operation of the database management system (DBMS) process. It can be used to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and...
V-270556 Medium Use of external executables must be authorized. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or...
V-270555 Medium OS accounts used to run external procedures called by Oracle Database must have limited privileges. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the...
V-270554 Medium Unused database components that are integrated in the database management system (DBMS) and cannot be uninstalled must be disabled. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, any functionality exceeding requirements...
V-270553 Medium Unused database components, database management system (DBMS) software, and database objects must be removed. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or...
V-270552 Medium Oracle Database default demonstration and sample databases, database objects, and applications must be removed. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or...
V-270551 Medium Oracle Database must disable user accounts after 35 days of inactivity. Attackers that are able to exploit an inactive database management system (DBMS) account can potentially obtain and maintain undetected access to the database. Owners of inactive DBMS accounts will not notice if unauthorized access to their user account has been obtained. All DBMS need to track periods of user inactivity...
V-270550 Medium Oracle Database must set the maximum number of consecutive invalid logon attempts to three. Anytime an authentication method is exposed, to allow for the use of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a logon attempt. The organization also defines...
V-270549 Medium Oracle Database must verify account lockouts persist until reset by an administrator. Anytime an authentication method is exposed, to allow for the use of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may consecutively fail a logon attempt. The organization also defines...
V-270548 Medium Oracle Database must be protected from unauthorized access by developers on shared production/development host systems. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or...
V-270547 Medium Oracle Database must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours. Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account to perform diagnostic testing or conduct some other support-related activity. When these types of accounts are created, there is a risk that the temporary account...
V-270546 Medium Oracle Database must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts. Temporary application accounts could be used in the event of a vendor support visit where a support representative requires a temporary unique account to perform diagnostic testing or conduct some other support-related activity. When these types of accounts are created, there is a risk that the temporary account may remain...
V-270543 Medium Network client connections must be restricted to supported versions. Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls.
V-270542 Medium Remote administration must be disabled for the Oracle connection manager. Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.
V-270541 Medium The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
V-270540 Medium Changes to configuration options must be audited. When standard auditing is in use, the AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle database. It is the account accessed by users connecting to the database...
V-270539 Medium Network access to Oracle Database must be restricted to authorized personnel. Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.
V-270538 Medium The Oracle Database data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files. Protection of database management system (DBMS) data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database, resource contention and security controls are required to isolate and protect an application's data from other applications. In addition, it...
V-270537 Medium Use of the Oracle Database installation account must be logged. The database management system (DBMS) installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.
V-270536 Medium Oracle Database production application and data directories must be protected from developers on shared production/development database management system (DBMS) host systems. Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production database administrator (DBA) and developer roles helps protect the production system from unauthorized, malicious, or unintentional interruption due to development activities.
V-270535 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assignment of privileges based on job function. Additionally, its use may provide access to external files and data to unauthorized users.
V-270534 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access. The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the database management system (DBMS) availability and recovery to a specific point in time is critical, the protection of archive log files is critical. Archive log files may also contain unencrypted sensitive data....
V-270533 Medium Oracle application administration roles must be disabled if not required and authorized. Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by system privilege assignment (create/alter/drop user) and application user role ADMIN OPTION privileges.
V-270532 Medium Application role permissions must not be assigned to the Oracle PUBLIC role. Permissions granted to PUBLIC are granted to all users of the database. Custom roles must be used to assign application permissions to functional groups of application users. The installation of Oracle does not assign role permissions to PUBLIC.
V-270530 Medium Object permissions granted to PUBLIC must be restricted. Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC must be restricted to...
V-270529 Medium Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include database administrators (DBAs), object owners, and application administrators (where designed and included in the application's functions). Restricting privilege-granting functions to...
V-270528 Medium System Privileges must not be granted to PUBLIC. System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey considerable authority over the database and should be granted only to those persons responsible for administering the...
V-270527 Medium System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts. The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include database administrators (DBAs), object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to...
V-270526 Medium The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. It is critically important to the security of the system to protect the password file and the environment variables that identify the location of the password file. Any user with access to these could potentially compromise the security of the connection. The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration of...
V-270525 Medium The Oracle SQL92_SECURITY parameter must be set to TRUE. The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled (set to FALSE), the UPDATE privilege can be used to determine values that should require SELECT privileges. The SQL92_SECURITY setting of TRUE prevents...
V-270524 Medium The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. DOD requires the REMOTE_OS_ROLES...
V-270523 Medium The Oracle WITH GRANT OPTION privilege must not be granted to nondatabase administrator (DBA) or nonapplication administrator user accounts. An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged account exploitation. Application user accounts must never require WITH GRANT OPTION privileges since, by definition, they require only privileges to execute procedures or view/edit...
V-270522 Medium Database links must be authorized for use. Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote databases in the distributed database environment. Limiting or eliminating use of database links where they are not...
V-270521 Medium Oracle instance names must not contain Oracle version numbers. Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malicious user may use that information to develop a targeted attack.
V-270520 Medium Oracle Database must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs. Configuring the database management system (DBMS) to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. In addition to this SRG, sources of guidance on security and...
V-270519 Medium The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users. If the database management system (DBMS) were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed...
V-270518 Medium Database objects must be owned by accounts authorized for ownership. Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants and alterations, and unauthorized modifications to data. If critical tables or other objects...
V-270517 Medium Database software directories, including database management system (DBMS) configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications. When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit...
V-270515 Medium The OS must limit privileges to change the database management system (DBMS) software resident within software libraries (including privileged programs). If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information...
V-270514 Medium Database software, applications, and configuration files must be monitored to discover unauthorized changes. If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information...
V-270512 Medium Oracle Database must support enforcement of logical access restrictions associated with changes to the database management system (DBMS) configuration and to the database itself. Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can...
V-270511 Medium The system must protect audit tools from unauthorized access, modification, or deletion. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to...
V-270510 Medium The audit information produced by the Oracle Database must be protected from unauthorized access, modification, or deletion. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the...
V-270509 Medium Oracle Database must provide an immediate real-time alert to appropriate support staff of all audit log failures. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. The appropriate...
V-270508 Medium The Oracle Database, or the logging or alerting mechanism the application uses, must provide a warning when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the database management system (DBMS) on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under...
V-270507 Medium Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The database management system (DBMS) may write audit records to database tables, files in the file system, other kinds of local repositories, or...
V-270506 Medium Oracle Database must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. To ensure sufficient storage capacity for the audit logs, Oracle Database must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer...
V-270505 Medium Oracle Database must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. In addition, the...
V-270504 Medium Oracle Database must generate audit records for the DOD-selected list of auditable events, when successfully accessed, added, modified, or deleted, to the extent such information is available. Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of audited events is the set of events for which audits are to be generated....
V-270503 Medium Oracle Database must allow designated organizational personnel to select which auditable events are to be audited by the database. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events. Suppression of auditing could permit an adversary to evade detection. Misconfigured audits can degrade the system's performance by overwhelming the...
V-270502 Medium Oracle Database must provide audit record generation capability for organization-defined auditable events within the database. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the database management system (DBMS) (e.g., process, module). Certain specific application functionalities may...
V-270498 Medium Oracle Database must associate organization-defined types of security labels having organization-defined security label values with information in storage. Without the association of security labels to information, there is no basis for the database management system (DBMS) to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated...
V-270497 Medium Oracle Database must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational...
V-270496 Medium Oracle Database must protect against or limit the effects of organization-defined types of denial-of-service (DoS) attacks. A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by DoS attacks. Employing increased capacity and bandwidth combined with...
V-270495 Medium Oracle Database must limit the number of concurrent sessions for each system account to an organization-defined number of sessions. Database management includes the ability to control the number of users and user sessions using a database management system (DBMS). Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of...
V-270501 Low Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action. Nonrepudiation of actions taken is required to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Nonrepudiation protects individuals against later claims by an author of not having authored a...