Oracle Database 10g Installation STIG

  • Version/Release: V8R1.11
  • Published: 2014-04-02

Database executable and configuration files should be monitored for unauthorized modifications.
Low - V-2420 - SV-24596r1_rule
Version: DG0010-ORACLE10
Discussion: Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes, but are modified by the DBMS as part of normal operation. These modifications can be ignored.
Responsibility: Information Assurance Officer
IA Controls: DCSL-1
Checks: C-17064r1_chk

Ask the DBA to describe/demonstrate any software modification detection procedures in place and request documents of these procedures for review. Verify by reviewing reports for inclusion of the DBMS executable and configuration files. If documented procedures and proof of implementation that include review of the database software directories and database application directories do not exist, this is a Finding.

Fix: F-2640r1_fix

Develop, document and implement procedures to monitor changes made to the DBMS software. Identify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups. For Windows systems, you can run dir /s > filename.txt weekly to store file modification/creation dates and file sizes, and compare successive reports using the DOS fc command. For UNIX systems, you can run ls -as > filename.txt to store file statistics and compare successive reports with the diff command. These are not as comprehensive as some tools available, but may be enhanced by including checks for checksums or file hashes.

The DBMS software installation account should be restricted to authorized users.
Medium - V-2422 - SV-24373r1_rule
Version: DG0040-ORACLE10
Discussion: DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.
Responsibility: Information Assurance Officer
IA Controls: ECLP-1, ECPA-1
Checks: C-29112r1_chk

Review documented and implemented procedures for controlling and granting access of the Oracle DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or unauthorized access to the account has been granted, this is a Finding. On UNIX systems: If the account is not disabled when not in use, this is a Finding. On Windows systems: The Oracle DBMS software is usually installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. The creation of a dedicated Oracle OS account and change of ownership of all files in the %ORACLE_HOME% and %ORACLE_BASE% directories and subdirectories should be performed prior to placing the DBMS system into production. See checks DG0019, DO0120 and DG0102 for details on establishing a dedicated OS account for Oracle services on Windows platforms.

Fix: F-26115r1_fix

Develop, document and implement procedures to restrict use of the Oracle DBMS software installation account. Ensure that the Oracle DBMS software installation account is locked when not in use.

Database software, applications and configuration files should be monitored to discover unauthorized changes.
Medium - V-2423 - SV-24382r1_rule
Version: DG0050-ORACLE10
Discussion: Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.
Responsibility: Database Administrator
IA Controls: DCSL-1, DCSW-1
Checks: C-29146r1_chk

Review documented software and configuration monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications and configuration files is being performed weekly or more often. Verify that a list of files and directories being monitored is complete. If monitoring is not being performed weekly or more often, this is a Finding. If implementation evidence is not complete, this is a Finding.

Fix: F-26155r1_fix

Develop, document and implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. File hashes or checksums should be used for comparisons as file dates may be manipulated by malicious users.
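As an added example (not part of the STIG and not an Oracle tool), the POSIX shell script below implements the hash-based baseline and periodic comparison that DG0010 and DG0050 call for: it records a SHA-256 per file under the given software directories and reports added, removed and modified files against that baseline. It assumes sha256sum or shasum is installed; the directory tree it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the STIG): hash-based baseline and comparison for the
# DBMS software directories named in DG0010/DG0050. Assumes sha256sum or shasum.

# Print "<sha256>  <path>" for every regular file under the given directories,
# sorted by path so that successive reports are stable.
hash_tree() {
  for dir in "$@"; do
    [ -d "$dir" ] && find "$dir" -type f -print
  done | LC_ALL=C sort | while IFS= read -r f; do
    if command -v sha256sum >/dev/null 2>&1; then
      sha256sum "$f"
    else
      shasum -a 256 "$f"
    fi
  done
}

# Record the baseline report for the given directories in the file named by $1.
# Keep the report outside the monitored tree and protect it like the software
# it describes: a tampered baseline hides a tampered binary.
make_baseline() {
  out=$1
  shift
  hash_tree "$@" > "$out"
}

# Compare the directories' current state with a baseline report. Prints one
# line per difference (ADDED, REMOVED or MODIFIED followed by the path) and
# returns 0 when nothing changed, 1 otherwise. Hashes rather than dates or
# sizes are compared because timestamps are trivial to forge (DG0050).
compare_baseline() {
  base=$1
  shift
  cur=$(mktemp)
  hash_tree "$@" > "$cur"
  # Report lines are "<64 hex chars><two spaces><path>", so split on fixed
  # columns rather than whitespace to tolerate spaces in paths.
  diffs=$(awk '
    { h = substr($0, 1, 64); p = substr($0, 67) }
    FILENAME == ARGV[1] { base[p] = h; next }
    {
      if (!(p in base))      print "ADDED    " p
      else if (base[p] != h) print "MODIFIED " p
      seen[p] = 1
    }
    END { for (q in base) if (!(q in seen)) print "REMOVED  " q }
  ' "$base" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Demonstration on a constructed tree standing in for $ORACLE_HOME.
demo_dir=$(mktemp -d)
demo_base=$(mktemp)
mkdir -p "$demo_dir/bin" "$demo_dir/network/admin"
printf 'oracle binary\n' > "$demo_dir/bin/oracle"
printf 'LISTENER = ()\n' > "$demo_dir/network/admin/listener.ora"
make_baseline "$demo_base" "$demo_dir"
printf 'patched\n' >> "$demo_dir/bin/oracle"        # simulated tampering
printf 'new script\n' > "$demo_dir/bin/rogue.sh"    # simulated dropped file
if compare_baseline "$demo_base" "$demo_dir"; then
  echo "no changes since baseline"
else
  echo "changes detected: investigate, and refresh the baseline only after approved maintenance"
fi
rm -rf "$demo_dir" "$demo_base"
```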

The Oracle Listener should be configured to require administration authentication.
High - V-2608 - SV-24933r1_rule
Version: DO3630-ORACLE10
Discussion: Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits, loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs.
Responsibility: Database Administrator
IA Controls: EBRP-1
Checks: C-26562r1_chk

If a listener is not running on the local database host server, this check is Not a Finding.

NOTE: This check needs to be done only once per host system and once per listener. Multiple listeners may be defined on a single host system. They must all be reviewed, but only once per database home review. For subsequent database home reviews on the same host system, mark this check as Not a Finding.

Determine all Listeners running on the host. For Windows hosts, view all Windows services with TNSListener embedded in the service name. The service name format is: Oracle[ORACLE_HOME_NAME]TNSListener

For UNIX hosts, the Oracle Listener process will indicate the TNSLSNR executable. At a command prompt, issue the command:

ps -ef | grep tnslsnr | grep -v grep

The alias for the listener follows tnslsnr in the command output. You must be logged on the host system using the account that owns the tnslsnr executable (UNIX). If the account is denied local login, have the system SA assist you in this task by 'su' to the listener account from the root account. On Windows platforms, log in using an account with administrator privileges to complete the check.

From a system command prompt, execute the listener control utility:

lsnrctl status [LISTENER NAME]

Review the results for the value of Security:
  • If Security = OFF is displayed, this is a Finding.
  • If Security = ON: Local OS Authentication is displayed, this is not a Finding.
  • If Security = ON: Password or Local OS Authentication is displayed, this is a Finding (do not set a password on Oracle versions 10.1 and higher; instead, use Local OS Authentication).

Repeat the execution of the lsnrctl utility for all active listeners.

Fix: F-22855r1_fix

Configure the listener to use Local OS Authentication. This setting prevents remote administration of the listener, restricts management to the Oracle listener owner account (UNIX) and accounts with administrator privileges (WIN). Remote administration of the listener should not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred. Authorize and document this requirement in the System Security Plan.
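As an added example (not part of the STIG and not an Oracle tool), the shell functions below apply the DO3630 decision rule to saved lsnrctl status output: run lsnrctl status for each listener as its owner, save the output to a file, and pass the file to classify_listener_status. The sample report is constructed to mirror the real lsnrctl layout; its host name and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the STIG or Oracle): apply the DO3630 rule to saved
# "lsnrctl status" output. Run "lsnrctl status <alias>" as the listener owner,
# save the output to a file, then pass the file to classify_listener_status.

# Print the value of one labelled field ("Security", "Listener Log File", ...)
# from an lsnrctl status report; lines are "<label><spaces><value>".
status_field() {
  awk -v key="$2" '
    index($0, key) == 1 && substr($0, length(key) + 1) ~ /^[ \t]/ {
      v = substr($0, length(key) + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# DO3630 decision rule for the Security value. Returns 0 for Not a Finding,
# 1 for a Finding, 2 when the value is not one the STIG describes.
classify_security() {
  case $1 in
    "ON: Local OS Authentication")
      echo "Not a Finding: administration restricted to the local listener owner"
      return 0 ;;
    "OFF")
      echo "Finding: listener administration requires no authentication"
      return 1 ;;
    "ON: Password or Local OS Authentication")
      echo "Finding: a listener password is set; on 10.1 and later remove it and rely on Local OS Authentication"
      return 1 ;;
    *)
      echo "Unrecognized Security value '$1': review manually"
      return 2 ;;
  esac
}

# Report alias, log file (also needed for DO5037) and the security verdict for
# one saved status report; the return code is that of classify_security.
classify_listener_status() {
  lsnr=$(status_field "$1" "Alias")
  log=$(status_field "$1" "Listener Log File")
  sec=$(status_field "$1" "Security")
  printf 'listener %s (log file: %s): ' "${lsnr:-?}" "${log:-unknown}"
  classify_security "$sec"
}

# Constructed sample of lsnrctl status output; host and paths are placeholders.
write_sample_status() {
  cat > "$1" <<'EOF'
LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 01-JAN-2014 10:00:00

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/product/10.2.0/db_1/network/log/listener.log
EOF
}

f=$(mktemp)
write_sample_status "$f"
classify_listener_status "$f"
rm -f "$f"
```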

Oracle SQLNet and listener log files should not be accessible to unauthorized users.
Medium - V-2612 - SV-24945r1_rule
Version: DO5037-ORACLE10
Discussion: The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.
Responsibility: Database Administrator
IA Controls: ECTP-1
Checks: C-26571r1_chk

Locate the Listener and SQLNet log files. View the contents of the sqlnet.ora and listener.ora configuration files located in the ORACLE_HOME/network/admin directory or the directory specified by the TNS_ADMIN environment variable (if set) for the listener process/service account.

If the sqlnet.ora parameter TRACE_LEVEL_SERVER is not defined or is set to OFF or 0, SQLNet logging is not enabled and the check for the sqlnet.ora parameters below is Not a Finding; otherwise, verify the directories specified in the following parameters of the sqlnet.ora file exist:
  • LOG_FILE_SERVER = sqlnet [filename is sqlnet.log]
  • LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Verify the directories and files specified in the following parameters of the listener.ora exist:
  • LOG_DIRECTORY_[listener name] = [directory on a volume with enough free space]
  • LOG_FILE_[listener name] = listener
  • TRACE_DIRECTORY_[listener name] = [directory on a volume with enough free space]

Default log file locations (by Oracle version):
  • listener log directory and file: ORACLE_HOME/network/log/listener.log
  • listener trace directory and files: ORACLE_HOME/network/trace/listener.trc
  • sqlnet log file: ORACLE_HOME/network/log/sqlnet.log
  • sqlnet trace file: ORACLE_HOME/network/trace/sqlnet.trc
  • listener and sqlnet log files: ORACLE_HOME/network/log
  • sqlnet trace files: ORACLE_HOME/network/trace/*.trc

The listener log file location may also be determined using the lsnrctl utility, STATUS command, and viewing the value displayed for listener log file.

Review access permissions assigned to the files and directories:
  • For UNIX, verify that the permissions on the directory and log files are restricted to the Oracle software owner and OS DBA and/or Listener process group.
  • For Windows, verify that the file permissions on the listener.log and sqlnet.log files restrict access to the Oracle software owner and OS DBA and/or Listener process group.

If access to the files is not restricted as listed above, this is a Finding.

Fix: F-26554r1_fix

Restrict access to the listener and sqlnet log files. Restrict access to the tnslsnr service account to DBAs, SAs and auditors where they are required by assigned responsibilities.

Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.
Medium - V-3440 - SV-24536r2_rule
Version: DO0360-ORACLE10
Discussion: Multi-tier systems may be configured with the database and connecting middle-tier system located on the same internal network, or with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where systems are located in the DMZ, network communications between both systems must be encrypted. In all cases, the application account requires PKI authentication. IP address restriction to the backend database system, under a separate requirement, provides an additional level of protection.
Responsibility: Database Administrator, Information Assurance Officer
IA Controls: IAGA-1
Checks: C-29452r2_chk

Review the System Security Plan for remote applications that access and use the database. If none of the applications accessing the database uses a single account for access by multiple persons or processes, this check is Not a Finding. Verify that the application account uses PKI authentication. From SQL*Plus:

select name, ext_username from user$ where ext_username is not null;

If the ext_username indicates a directory name, then verify that the directory name is authenticated using PKI. You may require the DBA or directory server administrator to display the username definition in the directory service to you. If the ext_username does not specify a certificate or PKI-authenticated user account, this is a Finding.

Fix: F-26516r1_fix

Configure PKI authentication to help protect access to the shared account. PKI authentication may be accomplished using Oracle Advanced Security on most platforms. On a Windows host, user authentication using PKI may be used with Active Directory or NTS authentication using the DoD CAC. On UNIX and other hosts, Oracle Advanced Security may be used to authenticate via LDAP or SSL. The application may require storage of the authentication certificate in the Oracle Wallet or on a hardware security module (HSM) to authenticate. See the Oracle Security Guides and the Oracle Advanced Security Guides for instructions on configuring PKI authentication.

The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.
Medium - V-3497 - SV-24948r1_rule
Version: DO6740-ORACLE10
Discussion: The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters available through the set command. This vulnerability has been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS parameter, set in the listener.ora file, prohibits dynamic listener configuration changes and protects the configuration using host operating system security controls.
Responsibility: Database Administrator
IA Controls: EBRP-1
Checks: C-29488r1_chk

If a listener is not running on the local database host server, this check is Not a Finding. Use the LSNRCTL utility and issue the STATUS [listener-name] command to locate the listener.ora file. Open the listener.ora file in a text editor or viewer. Locate the line with ADMIN_RESTRICTIONS_[listener-name] = ON where listener-name is the alias of the listener supplied by the DBA. If no such line is found, this is a Finding. Repeat for each listener listed in the LISTENER.ORA file.

Fix: F-26556r1_fix

Edit the listener.ora file and add the following line for each listener in use on the system:

ADMIN_RESTRICTIONS_[listener-name] = ON

Restart the listener to activate the setting.
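As an added example (not part of the STIG and not an Oracle tool), the shell functions below enumerate the listener aliases defined in a listener.ora, report the ADMIN_RESTRICTIONS state of each as the DO6740 check describes, and apply the fix by adding or correcting the parameter line. The listener.ora content is a constructed sample with placeholder host and paths; the listener still has to be restarted after the file changes.

```shell
#!/bin/sh
# Added example (not from the STIG or Oracle): audit and set
# ADMIN_RESTRICTIONS_<alias> for every listener defined in a listener.ora (DO6740).

# Print the alias of each listener in the file: a top-level "NAME =" whose
# value is an address/description list, i.e. begins with "(" on the same line
# or on the next one. SID_LIST_* entries are not listeners.
listener_aliases() {
  awk '
    /^[A-Za-z][A-Za-z0-9_.]*[ \t]*=/ {
      name = $0; sub(/[ \t]*=.*/, "", name)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      pending = ""
      if (toupper(name) ~ /^SID_LIST_/) next
      if (val ~ /^\(/) print name
      else if (val == "") pending = name
      next
    }
    pending != "" && /^[ \t]*\(/ { print pending; pending = ""; next }
    /^[ \t]*$/ { next }
    { pending = "" }
  ' "$1"
}

# Print ON, OFF or MISSING for ADMIN_RESTRICTIONS_<alias>; the last
# occurrence wins, as it does for the listener itself.
admin_restrictions_state() {
  awk -v a="$2" '
    BEGIN { key = "ADMIN_RESTRICTIONS_" toupper(a); state = "MISSING" }
    {
      line = $0; sub(/#.*/, "", line)
      if (toupper(line) ~ ("^" key "[ \t]*=")) {
        v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        state = (toupper(v) == "ON") ? "ON" : "OFF"
      }
    }
    END { print state }
  ' "$1"
}

# Report every listener; return 0 only if all are ON (Not a Finding).
audit_admin_restrictions() {
  rc=0
  for l in $(listener_aliases "$1"); do
    state=$(admin_restrictions_state "$1" "$l")
    if [ "$state" = "ON" ]; then
      echo "$l: ADMIN_RESTRICTIONS ON"
    else
      echo "$l: ADMIN_RESTRICTIONS $state - Finding"
      rc=1
    fi
  done
  return $rc
}

# Fix: rewrite any existing ADMIN_RESTRICTIONS_<alias> line to ON, or append
# one. The file is rewritten through cat so its ownership and mode survive.
set_admin_restrictions() {
  tmp=$(mktemp)
  awk -v a="$2" '
    BEGIN { key = "ADMIN_RESTRICTIONS_" toupper(a) }
    toupper($0) ~ ("^" key "[ \t]*=") { print "ADMIN_RESTRICTIONS_" a " = ON"; found = 1; next }
    { print }
    END { if (!found) print "ADMIN_RESTRICTIONS_" a " = ON" }
  ' "$1" > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Constructed sample: one compliant listener, one with the parameter missing.
write_sample_listener_ora() {
  cat > "$1" <<'EOF'
# constructed sample, placeholder host and paths
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )

LISTENER_APP = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1522)))

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1))
  )

ADMIN_RESTRICTIONS_LISTENER = ON
EOF
}

f=$(mktemp)
write_sample_listener_ora "$f"
audit_admin_restrictions "$f" || echo "apply set_admin_restrictions to each listener reported above, then restart it"
rm -f "$f"
```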

Configuration management procedures should be defined and implemented for database software modifications.
Low - V-3726 - SV-24598r1_rule
Version: DG0011-ORACLE10
Discussion: Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross boundaries. It is important, however, for the boundaries of CM responsibility to be clearly defined and assigned to ensure no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications.
Responsibility: Information Assurance Officer
IA Controls: DCPR-1
Checks: C-17266r1_chk

Interview the IAO and review documentation to determine if a configuration management (CM) process is implemented for the DBMS system that includes requirements for:

(1) Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
(2) A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
(3) A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
(4) A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

If documented evidence for the procedures or processes outlined above is not present or is incomplete, this is a Finding.

Fix: F-3779r1_fix

Develop, document and implement configuration management procedures or processes. Ensure the 4 major requirements listed in the check are documented at a minimum. Assign responsibilities for oversight and approval for any and all changes made to DBMS software and configuration.

Unused database components, database application software and database objects should be removed from the DBMS system.
Low - V-3728 - SV-24358r1_rule
Version: DG0016-ORACLE10
Discussion: Unused, unnecessary DBMS components increase the attack surface of the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.
Responsibility: Database Administrator
IA Controls: DCFA-1
Checks: C-25878r1_chk

Use the Oracle Universal Installer or OPatch utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding.

From a command prompt:
  • $ORACLE_HOME/OPatch/opatch lsinventory -detail | more (UNIX)
  • %ORACLE_HOME%\OPatch\opatch lsinventory -detail | more (Windows)

Requires additional license on Enterprise Edition:
  • Oracle Real Application Clusters
  • Oracle In-Memory Database Cache
  • Oracle Advanced Security
  • Oracle Label Security
  • Oracle Change Management Pack
  • Oracle Configuration Management Pack
  • Oracle Diagnostic Pack
  • Oracle Tuning Pack
  • Oracle Provisioning and Patch Automation Pack
  • Oracle Partitioning
  • Oracle OLAP
  • Oracle Data Mining
  • Oracle Data Quality and Profiling
  • Oracle Data Watch and Repair Connector
  • Oracle Spatial
  • Oracle Content Database Suite
  • Oracle Records DB

Requires additional license:
  • Oracle Transparent Gateways

Confirm requirements for these products:
  • Database Workspace Manager
  • Enterprise Manager Agent
  • iSQL*Plus
  • LDAP
  • Oracle HTTP Server
  • Oracle interMedia
  • Oracle Internet Directory
  • Oracle Starter Database
  • Oracle Text
  • Oracle Wallet Manager (requires Advanced Security when using PKI and transparent encryption)
  • Oracle XML Development
  • Sample Schema

NOTE: This list does not take into account product dependencies that, when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Fix: F-23716r1_fix

Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database SCHEMA, objects and applications that exclusively support them.

A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.
Medium - V-3803 - SV-24605r1_rule
Version: DG0017-ORACLE10
Discussion: Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a production level can impede development efforts, whereas production/non-production DBMS installations secured at a development level can lead to exploitation of production-level installations. Production DBMS installations should be kept separate from development, QA, TEST and other non-production DBMS systems.
Responsibility: Database Administrator, Information Assurance Officer
IA Controls: ECSD-1, ECSD-2
Checks: C-902r1_chk

Review the System Security Plan and interview the DBA and IAO to determine if the DBMS host contains production and non-production DBMS installations. If the DBMS host contains both production and non-production DBMS installations or the production DBMS installation is being used for non-production efforts, determine if this allowance is documented in the System Security Plan and authorized by the IAO. If not documented and authorized, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the system in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-26103r1_fix

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

Application software should be owned by a Software Application account.
Low - V-3805 - SV-24362r1_rule
Version: DG0019-ORACLE10
Discussion: File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.
Responsibility: Database Administrator
IA Controls: DCSL-1, ECSD-1, ECSD-2
Checks: C-29103r1_chk

Ask the DBA/SA to demonstrate file and group ownership of the Oracle DBMS software and files and directories.

On Windows systems: Launch a Windows Explorer window. In the right pane, right-click on one of the display headers and select Owner from the list. Move the Owner column after the Name column. Size the Owner column to fit the current contents. NOTE: This will show the owner column for this folder only. If you want to see the owner column in all folders, select Tools -> Options -> View tab and click on the Apply to All Folders button. The Oracle DBMS software is usually installed using an account with administrator privileges and ownership is assigned either to the account used to install the DBMS software or to the Administrators group. For DBMS systems with multiple Oracle Homes using a common Oracle Base, ensure an ownership review for files and directories in the %ORACLE_BASE% that are not addressed above is performed. If any files or directories belonging to an Oracle DBMS software installation are not owned by a dedicated Oracle OS owner account, this is a Finding.

On UNIX systems:

find $ORACLE_HOME /var/opt/oracle /etc/ora* /usr/local/bin/*ora* /usr/local/bin/db* ! -user oracle -o ! -group oinstall | xargs ls -ld

Where "oracle" is the known Oracle owner account name and "oinstall" is the known Oracle group account name. Review the resulting output and note the file/directory ownership. For DBMS systems with multiple Oracle Homes using a common Oracle Base, ensure an ownership review for files and directories in $ORACLE_BASE that are not addressed above is performed. If any files or directories belonging to an Oracle DBMS software installation are not owned by a dedicated Oracle OS owner account, this is a Finding.

The owner and group ownership as well as file permissions for the following files (if present) should not be changed: extjob, jssu, nmb, nmhs, nmo, oradism, externaljob.ora, coraenv, dbhome, oraenv.

Fix: F-26106r1_fix

Assign DBMS file and directory ownership to a dedicated Oracle OS owner account. Document the locations of Oracle DBMS files and directories in the System Security Plan.

On Windows systems: The creation of a dedicated Oracle OS account and change of ownership of all files in the %ORACLE_HOME% directories and subdirectories should be performed prior to placing the DBMS system into production. See checks DO0120 and DG0102 for details on establishing a dedicated OS account for Oracle services on Windows platforms. Using the dedicated Oracle OS owner account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.

On UNIX systems: Assign DBMS file and directory ownership to a dedicated Oracle host OS software installation and maintenance account. The owner and group ownership as well as file permissions for the following files (if present) should not be changed: extjob, jssu, nmb, nmhs, nmo, oradism, externaljob.ora, coraenv, dbhome, oraenv. Using the dedicated Oracle host OS software installation and maintenance account to install and maintain the DBMS software libraries and configuration files will help maintain file and directory ownership.
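As an added example (not part of the STIG), the shell functions below implement the UNIX ownership review of DG0019 and the log-file permission review of DO5037 together, since both come down to reading owner, group and mode from ls -ld: audit_ownership walks a tree for paths not owned by the dedicated Oracle account and group, skipping the helper files the STIG says must keep their root ownership, and check_restricted verifies that a listener or sqlnet log grants nothing to other users. The tree it builds is constructed; oracle and oinstall are the account names the STIG uses as examples.

```shell
#!/bin/sh
# Added example (not from the STIG): ownership audit for DG0019 and
# restricted-access check for the listener/sqlnet logs of DO5037.

# Files whose root ownership and setuid mode must be left alone (DG0019).
OWNERSHIP_EXCEPTIONS="extjob jssu nmb nmhs nmo oradism externaljob.ora coraenv dbhome oraenv"

# Mode string, owner and group of one path, read from "ls -ld" so that no
# GNU-specific stat is needed. Output: "<mode> <owner> <group>".
file_ogm() {
  ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

is_exception() {
  for e in $OWNERSHIP_EXCEPTIONS; do
    [ "$(basename "$1")" = "$e" ] && return 0
  done
  return 1
}

# Print every path under $1 not owned by user $2 and group $3, except the
# listed helper files. Returns 0 when nothing is reported, 1 otherwise.
audit_ownership() {
  dir=$1; want_u=$2; want_g=$3
  out=$(find "$dir" -print | while IFS= read -r p; do
    is_exception "$p" && continue
    ogm=$(file_ogm "$p")
    u=${ogm#* }; u=${u%% *}
    g=${ogm##* }
    [ "$u" = "$want_u" ] && [ "$g" = "$want_g" ] && continue
    printf '%s owned by %s:%s\n' "$p" "$u" "$g"
  done)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# DO5037: a listener or sqlnet log must be owned by the Oracle software owner
# ($2) and the DBA/listener group ($3), with no permissions for "other".
check_restricted() {
  ogm=$(file_ogm "$1")
  mode=${ogm%% *}
  u=${ogm#* }; u=${u%% *}
  g=${ogm##* }
  other=$(printf '%s' "$mode" | cut -c8-10)
  if [ "$u" != "$2" ]; then echo "$1: owner $u, expected $2"; return 1; fi
  if [ "$g" != "$3" ]; then echo "$1: group $g, expected $3"; return 1; fi
  if [ "$other" != "---" ]; then echo "$1: mode $mode grants access to other users"; return 1; fi
  echo "$1: restricted to $u:$g ($mode)"
  return 0
}

# Demonstration on a constructed tree. A real run targets $ORACLE_HOME,
# /var/opt/oracle and the network/log directory with oracle and oinstall;
# here the expected owner and group are read from the tree itself.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/network/log"
: > "$demo/bin/oracle"; : > "$demo/bin/oradism"
: > "$demo/network/log/listener.log"; : > "$demo/network/log/sqlnet.log"
chmod 644 "$demo/network/log/listener.log"
chmod 640 "$demo/network/log/sqlnet.log"
ogm=$(file_ogm "$demo"); me=${ogm#* }; me=${me%% *}; mygrp=${ogm##* }
audit_ownership "$demo" "$me" "$mygrp" && echo "ownership: no findings"
check_restricted "$demo/network/log/listener.log" "$me" "$mygrp" || echo "  fix: chmod 640 listener.log"
check_restricted "$demo/network/log/sqlnet.log" "$me" "$mygrp"
rm -rf "$demo"
```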

A baseline of database application software should be documented and maintained.
Medium - V-3806 - SV-24609r1_rule
Version: DG0021-ORACLE10
Discussion: Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.
Responsibility: Database Administrator, Information Assurance Officer
IA Controls: DCSW-1
Checks: C-29110r1_chk

Review DBMS software baseline procedures and implementation evidence. Review the list of files, directories and details included in the current baseline for completeness. If DBMS software configuration baseline procedures do not exist, evidence of implementation does not exist, or baseline is not documented and current, this is a Finding.

Fix: F-26113r1_fix

Develop, document and implement DBMS software baseline procedures that include all DBMS software files and directories under the ORACLE_BASE and ORACLE_HOME environment variables and any custom and platform-specific directories. Generate a list of files, directories and details for the DBMS software configuration baseline. Update the configuration baseline after new installations, upgrades/updates or maintenance activities that include changes to the baseline software.

All applications that access the database should be logged in the audit trail.
Medium - V-3807 - SV-24625r1_rule
Version: DG0052-ORACLE10
Discussion: Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to access the database can lead to discovery of unauthorized access attempts.
Responsibility: Database Administrator
IA Controls: ECAT-1, ECAT-2
Checks: C-29149r1_chk

Review the DBMS audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If an alternate method other than DBMS logging is authorized and implemented, review the audit trail to determine if the names [or unique identifiers] of applications used to connect to the database are included. If application access to the DBMS is not being audited, this is a Finding. If auditing does not capture the name [or unique identifier] of applications accessing the DBMS at a minimum, this is a Finding.

Fix: F-26160r1_fix

Modify auditing to ensure audit records include identification of applications used to access the DBMS. Ensure auditing captures the name [or unique identifier] of applications accessing the DBMS at a minimum. Develop or procure a 3rd-party solution where native DBMS logging is not employed or does not capture required information.

A single database connection configuration file should not be used to configure all database clients.
Medium - V-3809 - SV-24627r1_rule
Version: DG0053-ORACLE10
Discussion: Many sites distribute a single client database connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access databases not required by all users that may assist in unauthorized access attempts.
Responsibility: Information Assurance Officer
IA Controls: ECAN-1
Checks: C-29153r1_chk

Review documented and implemented procedures contained or noted in the System Security Plan for providing database client connection information to users and user workstations. Oracle client connection information is stored in the file:
  • $ORACLE_HOME/network/admin/tnsnames.ora (UNIX)
  • %ORACLE_HOME%\network\admin\tnsnames.ora (Windows)

If procedures do not indicate and implement restrictions in distribution of connection definitions to personnel/machines authorized to connect to the database, this is a Finding.

Fix: F-26164r1_fix

Develop, document and implement procedures to distribute client connection definitions or definition files that contain only connection definitions authorized for that user or user workstation. Include or note these procedures in the System Security Plan.
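As an added example (not part of the STIG and not an Oracle tool), the shell functions below extract individual connection definitions from a full site tnsnames.ora and assemble a per-user or per-workstation file holding only the authorized aliases, which is the distribution procedure DG0053 asks for. The tnsnames.ora content is a constructed sample with placeholder host names.

```shell
#!/bin/sh
# Added example (not from the STIG or Oracle): build a client tnsnames.ora that
# carries only the connection definitions a user or workstation is authorized
# for (DG0053), instead of handing out the site-wide file.

# List the aliases defined in a tnsnames.ora: every "NAME =" at parenthesis depth 0.
tns_aliases() {
  awk '
    /^[ \t]*#/ { next }
    depth == 0 && /^[A-Za-z0-9_.]+[ \t]*=/ { n = $0; sub(/[ \t]*=.*/, "", n); print n }
    { depth += gsub(/\(/, "(") - gsub(/\)/, ")") }
  ' "$1"
}

# Print the complete definition of one alias (case-insensitive), tracking
# parenthesis depth so multi-line and single-line entries both work.
extract_tns_alias() {
  awk -v want="$2" '
    /^[ \t]*#/ { next }
    depth == 0 && /^[A-Za-z0-9_.]+[ \t]*=/ {
      n = $0; sub(/[ \t]*=.*/, "", n)
      emit = (toupper(n) == toupper(want)); opened = 0
    }
    {
      o = gsub(/\(/, "("); c = gsub(/\)/, ")")
      if (emit) print
      if (o > 0) opened = 1
      depth += o - c
      if (opened && depth == 0) { emit = 0; opened = 0 }
    }
  ' "$1"
}

# Write client file $2 from site file $1 with only the aliases named in $3...
# Only named entries are ever copied, so nothing unauthorized leaks into the
# client file; returns 1 if a requested alias is not defined in the site file.
build_client_tnsnames() {
  src=$1; dst=$2; shift 2
  rc=0
  {
    echo "# client connection definitions generated from the site tnsnames.ora"
    echo "# authorized aliases only: $*"
    for a in "$@"; do
      entry=$(extract_tns_alias "$src" "$a")
      if [ -z "$entry" ]; then
        echo "WARNING: alias $a not found in $src" >&2
        rc=1
      else
        echo; printf '%s\n' "$entry"
      fi
    done
  } > "$dst"
  return $rc
}

# Constructed site-wide sample with placeholder hosts.
write_sample_tnsnames() {
  cat > "$1" <<'EOF'
# constructed site-wide sample with placeholder hosts
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl))
  )

HRDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = hrhost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = hrdb))
  )

PAYDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = payhost)(PORT = 1521))(CONNECT_DATA = (SERVICE_NAME = paydb)))
EOF
}

site=$(mktemp); client=$(mktemp)
write_sample_tnsnames "$site"
echo "site aliases: $(tns_aliases "$site" | tr '\n' ' ')"
build_client_tnsnames "$site" "$client" ORCL PAYDB && cat "$client"
rm -f "$site" "$client"
```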

Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
Medium - V-3811 - SV-24638r1_rule
Version: DG0066-ORACLE10
Discussion: New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.
Responsibility: Database Administrator
IA Controls: IAIA-1, IAIA-2
Checks: C-29162r1_chk

If all database accounts are configured to authenticate using certificates or other credentials besides passwords, this check is Not a Finding. Review documented procedures and evidence of implementation for assignment of temporary passwords for password-authenticated accounts. Confirm temporary passwords meet DoD password requirements. Review documented procedures for distribution of temporary passwords to users. Have the DBA demonstrate that the DBMS or applications accessing the database are configured to require a change of password by the user upon first use. If documented procedures and evidence do not exist or are not complete, temporary passwords do not meet DoD password requirements, or the DBMS or applications accessing the database are not configured to require a change of password by the user upon first use, this is a Finding.

Fix: F-26174r1_fix

Develop, document and implement procedures for assigning, distributing and changing temporary passwords for new database user accounts. Procedures should include instructions that meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user. Temporary passwords should also be short-lived and require immediate update by the user upon first use. Consider using account authentication using certificates or other credentials in place of password authentication.

c
Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.
High - V-3812 - SV-24640r1_rule
RMF Control
Severity
High
CCI
Version
DG0067-ORACLE10
Vuln IDs
  • V-3812
Rule IDs
  • SV-24640r1_rule
Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS.
Database Administrator
Information Assurance Officer
IAIA-1, IAIA-2
Checks: C-29164r1_chk

This check applies specifically to the Oracle DBMS installation and its associated files, scripts and environments. This check does not apply to compiled, encoded or encrypted application source code and batch job code covered in Check DG0130. Ask the DBA to review the list of DBMS database objects, database configuration files, associated scripts and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Ask the DBA and/or IAO to determine if any DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a Finding. If a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings is not maintained in the System Security Plan, this is a Finding.

Fix: F-26176r1_fix

Develop, document and maintain a list of DBMS database objects, database configuration files, associated scripts and applications defined within or external to the DBMS that access the database, and DBMS / user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are encoded or encrypted and protected by host system security. Consider using vendor or third-party tools to support external authentication (e.g., Oracle Database Vault).

b
DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
Medium - V-3813 - SV-24642r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0068-ORACLE10
Vuln IDs
  • V-3813
Rule IDs
  • SV-24642r1_rule
Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, then users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the user's computer screen.
Database Administrator
IAIA-1, IAIA-2
Checks: C-29166r1_chk

Review policy and instructions included or noted in the System Security Plan used to inform users and administrators not to enter database passwords at the command line. Review documented and implemented procedures used to monitor the DBMS system for such activity. If policy or instructions do not exist, proof of users and administrators being briefed does not exist or monitoring for compliance is not being performed to dissuade the practice of entering database passwords on the command line, this is a Finding.

Fix: F-26178r1_fix

Develop, document and implement policy and instructions to train users not to enter database passwords on the command line. Develop, document and implement monitoring for compliance. Alter command-line utilities to prevent or report when a password has been entered on a command line or disable its use.
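The DG0067 and DG0068 checks above rely on a manual review of scripts and environment files. The following Python script, added here as an example and not part of this STIG or of Oracle's tooling, scans such a file for Oracle connect strings and variable assignments that carry a clear-text password, while accepting the prompting, OS-authenticated and wallet forms. The tool names it recognises, the regular expressions and the sample script are assumptions.

```python
import re

# Connect strings of the form user/password[@connect_id] given to an Oracle tool
# (sqlplus, exp/imp, Data Pump, RMAN, SQL*Loader) or to CONNECT inside a script.
# "/ as sysdba" (OS authentication), "/@alias" (wallet) and "user@db" (prompts)
# do not carry a password on the command line and must not match.
PASSWORD_ARG_RE = re.compile(
    r'(?i)(?:^|\s)(?:sqlplus|rman|exp|imp|expdp|impdp|sqlldr|connect|conn)\s+'
    r'(?:(?:target|catalog|auxiliary|-\S+)\s+)*'   # tool options before the credentials
    r'(?:userid=)?'
    r'(?P<user>[A-Za-z_][\w$#]*)/(?P<pw>[^\s@]+)')

# Shell/environment assignments such as DB_PASSWORD=secret. A value that is itself a
# variable reference ($DB_PASS) is not clear text and is skipped below.
ENV_PASSWORD_RE = re.compile(
    r'(?i)\b(?P<name>\w*(?:passw(?:or)?d|pwd)\w*)\s*=\s*["\']?(?P<val>[^\s"\']+)')


def scan_lines(lines):
    """Return (line_no, rule, description) for each clear-text password found.

    Password values are never included in the output, only the account or variable name.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = PASSWORD_ARG_RE.search(line)
        if m:
            hits.append((n, 'DG0068', f'password for {m.group("user")} passed on a command line'))
            continue
        m = ENV_PASSWORD_RE.search(line)
        if m and not m.group('val').startswith('$'):
            hits.append((n, 'DG0067', f'clear-text password assigned to {m.group("name")}'))
    return hits


# Constructed sample script (not from any real system); the password value is a dummy.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly export job
export ORACLE_SID=ORCL
export DB_PASSWORD=NotASecret1
sqlplus -s scott/NotASecret1@ORCL @report.sql
sqlplus -s / as sysdba @stats.sql
sqlplus /@export_wallet @export.sql
exp userid=scott/NotASecret1 file=scott.dmp
rman target / catalog rcat@rcatdb
connect scott@ORCL
""".splitlines()

if __name__ == '__main__':
    for line_no, rule, what in scan_lines(SAMPLE_SCRIPT):
        print(f'line {line_no}: {rule}: {what}')
```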

b
Remote administrative connections to the database should be encrypted.
Medium - V-3825 - SV-24686r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0093-ORACLE10
Vuln IDs
  • V-3825
Rule IDs
  • SV-24686r1_rule
Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. Encryption of remote administrative connections to the database ensures confidentiality of configuration, management, and other administrative data.
Database Administrator
ECCT-1, ECCT-2
Checks: C-29217r1_chk

Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is Not a Finding. If it is, ask the DBA if the remote access to DBA accounts is made using remote access to the DBMS host or made directly to the database from a remote database client. If administration is performed using remote access to the DBMS host, review policy and procedures documented or noted in the System Security Plan, along with evidence that remote administration of the DBMS is performed only via an encrypted connection protocol such as SSH or IPSec. If it is not, this is a Finding. If administration is performed from a remote database client, confirm that a dedicated database listener that encrypts communications exists for remote administrative communications. If a DBMS listener that encrypts traffic is not configured, this is a Finding. If any listeners on the DBMS host are configured to accept unencrypted traffic, review documented policy, procedures and evidence of training DBAs not to use the unencrypted listener for remote access to DBA accounts. If no such policy exists or the DBAs have not been instructed not to use the unencrypted connections, this is a Finding. Note: Out-Of-Band (OOB) is allowed for remote administration, however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

Fix: F-22698r1_fix

Where remote access to DBA accounts is not allowed, develop, document and implement policies and train DBAs that remote access to DBA accounts is prohibited. Where remote access to DBA accounts is allowed, the remote connection must be encrypted. Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography. If remote access is established via the database listener, then install a dedicated listener configured to encrypt all traffic for use by DBAs for remote access. This requires use of Oracle Advanced Security and Oracle Wallet Manager. See the Oracle Advanced Security Guide, Configuring Network Data Encryption and Integrity for Oracle Servers and Clients for details. Configure the listener to require SSL for the DBA connections by specifying TCPS as the network protocol. Sample listener.ora entries:
DBALSNR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575))
    (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = [SID]))
  )
Configure the server's SQLNET.ORA file to use FIPS 140-2 compliant settings to encrypt the traffic and ensure integrity of the transmission. In the SQLNET.ORA file in the ORACLE_HOME/ldap/admin directory or the directory specified in the TNS_ADMIN environment variable for the dedicated listener on the server, add the following line (both client and server):
SQLNET.SSLFIPS_140=TRUE
Monitor the listener log files for evidence of any unencrypted remote access to DBA accounts.

b
Audit trail data should be reviewed daily or more frequently.
Medium - V-3827 - SV-24404r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0095-ORACLE10
Vuln IDs
  • V-3827
Rule IDs
  • SV-24404r1_rule
Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensure that such access is discovered in a timely manner.
Information Assurance Officer
ECAT-1
Checks: C-24307r1_chk

If the database being reviewed is not a production database, this check is Not a Finding. Review policy and procedures documented or noted in the System Security plan as well as evidence of implementation for daily audit trail monitoring. If policy and procedures are not documented or evidence of implementation is not available, this is a Finding.

Fix: F-20460r1_fix

Develop, document and implement policy and procedures to monitor audit trail data daily.

b
The Oracle software installation account should not be granted excessive host system privileges.
Medium - V-3842 - SV-24463r1_rule
RMF Control
Severity
Medium
CCI
Version
DO0120-ORACLE10
Vuln IDs
  • V-3842
Rule IDs
  • SV-24463r1_rule
A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the process account can help contain access to other processes and host system resources. This can in turn help to limit any resulting malicious activity.
Database Administrator
DCFA-1
Checks: C-29406r1_chk

Review the Oracle process/owner account.
For UNIX Systems: Log into the Oracle installation account and from a system prompt enter:
groups
If root is returned in the list, this is a Finding.
For Windows Systems: Log in using an account with administrator privileges. Open the Services snap-in. If the Oracle services are not assigned a dedicated OS account (view the Log on As tab), this is a Finding. If the account is assigned group membership to other than the local administrator account and Oracle DBA groups, this is a Finding. View user rights assigned to the service accounts. If Deny Logon Locally is not assigned to the Oracle service account, this is a Finding. If the service account is a domain rather than local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups). If the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.

Fix: F-26433r1_fix

Remove root privileges from the Oracle software owner account on UNIX systems. Create and assign a dedicated OS account for all Oracle processes (Windows). Grant the dedicated OS account Oracle DBA privileges and assign the Deny Logon Locally user right to the dedicated OS account.

a
OS DBA group membership should be restricted to authorized accounts.
Low - V-3845 - SV-24852r1_rule
RMF Control
Severity
Low
CCI
Version
DO0145-ORACLE10
Vuln IDs
  • V-3845
Rule IDs
  • SV-24852r1_rule
Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities.
Information Assurance Officer
DCSD-1
Checks: C-29410r1_chk

Review the membership for the Oracle DBA host system OS group.
On UNIX systems:
cat /etc/group | grep -i dba
[where dba is the default group name from Oracle] To display the group name if dba is not the default, use the command:
cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP
On Windows Systems: Open Computer Management, expand System Tools, expand Local Users and Groups, select the Group folder. Double-click on the ORA_DBA group to view group members.
Compare the list of members with the list of authorized DBA accounts documented in the System Security Plan with the IAO. If any users are assigned to the group that are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.

Fix: F-26437r1_fix

Document user accounts that are authorized by the IAO to be assigned DBA privileges in the System Security Plan. Remove any accounts assigned membership in the operating system DBA group that have not been authorized by the IAO. Develop, document and implement procedures for periodic review of accounts assigned membership to the DBA group.

b
The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.
Medium - V-3862 - SV-24889r1_rule
RMF Control
Severity
Medium
CCI
Version
DO0286-ORACLE10
Vuln IDs
  • V-3862
Rule IDs
  • SV-24889r1_rule
The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT parameters define the limit the database listener and database server respectively will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a Denial-of-Service attack where multiple connection requests are made that are not used or closed from a client. Server resources can be exhausted if unused connections are maintained.
Database Administrator
ECLO-1
Checks: C-29442r1_chk

Review the listener.ora file and the sqlnet.ora file. If the INBOUND_CONNECT_TIMEOUT_[listener-name] parameter does not exist for each listener found in the listener.ora, or does not contain a value greater than 0, this is a Finding. If the SQLNET.INBOUND_CONNECT_TIMEOUT parameter does not exist in the sqlnet.ora, or does not contain a value greater than 0, this is a Finding. NOTE: although the default value may provide adequate protection, assuming the default could lead to unanticipated changes in future product updates. Specify a value to manage the setting.

Fix: F-26504r1_fix

Using a text editor or administrative tool, modify the listener.ora file to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds):
INBOUND_CONNECT_TIMEOUT_LISTENER = 2
Modify the sqlnet.ora file to include a limit for connection request timeouts for the database server. Example entry (value unit is in seconds):
SQLNET.INBOUND_CONNECT_TIMEOUT = 3
Review the Oracle Net Services Administrator's Guide for information about configuring these parameters.

b
The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.
Medium - V-3863 - SV-24892r1_rule
RMF Control
Severity
Medium
CCI
Version
DO0287-ORACLE10
Vuln IDs
  • V-3863
Rule IDs
  • SV-24892r1_rule
The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency of active connection verification of a client connection. This prevents indefinite open connections to the database where client connections have not been terminated properly. Indefinite open connections could lead to an exhaustion of system resources or leave an open connection available for compromise.
Database Administrator
ECLO-1
Checks: C-29444r1_chk

View the SQLNET.ORA file to verify that SQLNET.EXPIRE_TIME has been set to a value greater than 0. If the parameter does not exist or is set to 0, this is a Finding.

Fix: F-26506r1_fix

Using a text editor or administrative tool, modify the SQLNET.ORA file on the database host server to include a limit on the interval at which client connections are verified as still active. Example entry (value unit is in minutes):
SQLNET.EXPIRE_TIME = 3
NOTE: Use the lowest number possible that does not generate so much network traffic that performance becomes unacceptable. The lower the number, the less likely an exhaustion of resources will occur. Set the value to the lowest number greater than 0 that is supported by the target system environment.
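A checker for the Oracle Net settings covered by DG0093, DO0286 and DO0287 above, added here as an example rather than anything from the STIG or from Oracle: it parses listener.ora and sqlnet.ora into top-level entries, reports listeners that accept a plain TCP address, and flags INBOUND_CONNECT_TIMEOUT_<listener>, SQLNET.INBOUND_CONNECT_TIMEOUT and SQLNET.EXPIRE_TIME values that are missing or not greater than 0. The sample files, host address and listener names are constructed.

```python
import re

# Constructed listener.ora: a TCPS listener for DBA use (as in the DG0093 fix) and a
# plain TCP listener that has no INBOUND_CONNECT_TIMEOUT entry of its own.
LISTENER_ORA = """\
DBALSNR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = 10.0.0.5)(PORT = 1575))
    (CONNECT_DATA = (SERVER = DEDICATED)(SERVICE_NAME = ORCL))
  )

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 10.0.0.5)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
  )

INBOUND_CONNECT_TIMEOUT_DBALSNR = 2
"""

# Constructed sqlnet.ora: EXPIRE_TIME left at 0, which DO0287 flags.
SQLNET_ORA = """\
SQLNET.INBOUND_CONNECT_TIMEOUT = 3
SQLNET.EXPIRE_TIME = 0
SQLNET.SSLFIPS_140 = TRUE
"""

NAME_RE = re.compile(r'\s*([\w.]+)\s*=\s*(.*)$')


def parse_net_file(text):
    """Split an Oracle Net file into top-level NAME = value entries (names upper-cased).

    A value is either a scalar ("2") or a parenthesised description spanning several
    lines; nesting depth is tracked so that a new entry only starts at depth 0.
    """
    entries, name, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = NAME_RE.match(line) if depth == 0 else None
        if m:
            if name is not None:
                entries[name] = ' '.join(buf).strip()
            name, buf = m.group(1).upper(), [m.group(2)]
        else:
            buf.append(line)
        depth += line.count('(') - line.count(')')
    if name is not None:
        entries[name] = ' '.join(buf).strip()
    return entries


def listener_names(entries):
    """Listener definitions are the entries whose value is a DESCRIPTION or DESCRIPTION_LIST."""
    return [n for n, v in entries.items() if v.upper().startswith('(DESCRIPTION')]


def address_protocols(description):
    """Protocols of every ADDRESS inside a listener description, in file order."""
    return [p.upper() for p in re.findall(r'\(\s*PROTOCOL\s*=\s*(\w+)\s*\)', description, re.I)]


def is_positive(value):
    """True when the parameter exists and holds an integer greater than 0."""
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False


def check_listener_ora(text):
    """Findings as (rule, detail) tuples; an empty list means the file passes."""
    entries = parse_net_file(text)
    findings = []
    for lsnr in listener_names(entries):
        # DG0093: a listener with a plain TCP address accepts unencrypted traffic,
        # so policy and training must keep DBAs off it for remote access.
        if 'TCP' in address_protocols(entries[lsnr]):
            findings.append(('DG0093', f'{lsnr} accepts unencrypted TCP connections'))
        # DO0286: each listener needs its own INBOUND_CONNECT_TIMEOUT_<name> > 0
        if not is_positive(entries.get(f'INBOUND_CONNECT_TIMEOUT_{lsnr}')):
            findings.append(('DO0286', f'INBOUND_CONNECT_TIMEOUT_{lsnr} missing or not > 0'))
    return findings


def check_sqlnet_ora(text):
    """DO0286 and DO0287 server-side parameters."""
    entries = parse_net_file(text)
    findings = []
    if not is_positive(entries.get('SQLNET.INBOUND_CONNECT_TIMEOUT')):
        findings.append(('DO0286', 'SQLNET.INBOUND_CONNECT_TIMEOUT missing or not > 0'))
    if not is_positive(entries.get('SQLNET.EXPIRE_TIME')):
        findings.append(('DO0287', 'SQLNET.EXPIRE_TIME missing or not > 0'))
    return findings


if __name__ == '__main__':
    for rule, detail in check_listener_ora(LISTENER_ORA) + check_sqlnet_ora(SQLNET_ORA):
        print(rule, detail)
```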

a
The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.
Low - V-3866 - SV-24545r1_rule
RMF Control
Severity
Low
CCI
Version
DO0430-ORACLE10
Vuln IDs
  • V-3866
Rule IDs
  • SV-24545r1_rule
The Oracle Management Agent (Oracle Intelligent Agent in earlier versions) provides the mechanism for local and/or remote management of the local Oracle Database by Oracle Enterprise Manager or other SNMP management platforms. Because it provides access to operating system and database functions, it should be uninstalled if not in use.
Database Administrator
DCFA-1
Checks: C-29456r1_chk

Determine if the Oracle Management Agent is installed. From SQL*Plus:
select account_status from dba_users where upper(username) = 'DBSNMP';
If no rows are returned, this is not a Finding. If the DBSNMP account exists and the account_status is OPEN, then verify in the System Security Plan that operation and use of the Oracle Enterprise Manager Management Agent or another SNMP management program is documented and authorized. If it is not documented in the System Security Plan as being required, this is a Finding. If the DBSNMP account exists and the account_status is not OPEN, schedule the FIX action below then mark as not a Finding. Despite any justification or authorization, if a Management Agent is installed on a DBMS server that is in a DMZ and Internet facing, this is a Finding.

Fix: F-26518r1_fix

Use the ORACLE_HOME/rdbms/admin/catnsnmp.sql script to remove all Oracle SNMP management agent objects in the database. Delete the executable file ORACLE_HOME/bin/dbsnmp or dbsnmp.exe if it exists from any Oracle Home not authorized for SNMP management. Uninstall any SNMP management agents installed on Oracle database servers installed in a DMZ that serve applications to Internet users. Uninstall any SNMP management agents that have not been authorized and documented in the System Security Plan. Document any authorized use of the SNMP management agent on database servers that do not support Internet applications in a DMZ in the System Security Plan. NOTE: Removal of SNMP management objects will prevent the ability to generate database statistics within Oracle Enterprise Manager.

b
Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.
Medium - V-4754 - SV-24349r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0012-ORACLE10
Vuln IDs
  • V-4754
Rule IDs
  • SV-24349r1_rule
Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.
Database Administrator
DCPA-1
Checks: C-19566r1_chk

For UNIX Systems:
ls $ORACLE_BASE
ls $ORACLE_HOME
If the ORACLE_BASE directory contains subdirectories other than ORACLE_HOME directories, a flash_recovery_area directory and an admin directory, verify they are used by the DBMS. If they are not part of the Oracle DBMS software product, this is a Finding. NOTE: Oracle DBMS data file storage may be placed on a separate, dedicated disk partition and linked to ORACLE_BASE. Refer to check DG0112.
For Windows Systems:
echo %ORACLE_BASE%
echo %ORACLE_HOME%
ORACLE_BASE, if defined, is usually set to C:\Program Files\Oracle. If ORACLE_HOME is not in a dedicated directory separate from the OS software and other applications where supported by the DBMS, this is a Finding.
All Systems: Recommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS on all platforms.

Fix: F-3796r1_fix

Install Oracle DBMS software using directories separate from the OS and other application software library directories. Re-locate any directories or re-install other application software that currently shares the DBMS software library directory to separate directories. Recommend dedicating a separate partition for the DBMS software libraries where supported by the DBMS.

b
An upgrade/migration plan should be developed to address an unsupported DBMS software version.
Medium - V-4758 - SV-24340r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0002-ORACLE10
Vuln IDs
  • V-4758
Rule IDs
  • SV-24340r2_rule
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities.
true
Information Assurance Officer
VIVM-1
Checks: C-26058r2_chk

From SQL*Plus:
select substr(version,1,4) from v$instance;
If the Oracle version is at 10.2 or less, review evidence that an upgrade/migration plan has been documented. If it is not, this is a Finding. For any version where Oracle Extended Support ends within 6 months, review evidence that an upgrade to a supported version is in progress. If it is not, this is a Finding.
Product: Oracle Database
Highest Supported Version: 11.2 (See Oracle MetaLink Note 161818.1 for Oracle RDBMS Release support status)
Product Versions / Premier Support Ends / Extended Support Ends:
11.2.0.X / Aug 2012 / Aug 2015
11.1.0.X / Aug 2012 / Aug 2015
10.2.0.X / Jul 2010 / Jul 2013
10.1.0.X / Jan 2009 / Jan 2012 (NOTE: 10.1.0.5 is terminal patch set)

Fix: F-16158r1_fix

Develop, document and implement an upgrade/migration plan for obsolete or expiring Oracle versions. Use the table above as a guideline for Oracle version support. The cost of the version upgrade should be budgeted including any additional testing and development required supporting the version upgrade. A plan for testing the version upgrade should also be scheduled. Any other steps for the version upgrade should be included in the plan and the plan for the version upgrade should be scheduled for completion prior to expiration of the current Oracle database server product.

c
Vendor supported software is evaluated and patched against newly found vulnerabilities.
High - V-5658 - SV-24338r2_rule
RMF Control
Severity
High
CCI
Version
DG0001-ORACLE10
Vuln IDs
  • V-5658
Rule IDs
  • SV-24338r2_rule
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack.
true
Information Assurance Officer
VIVM-1
Checks: C-26055r2_chk

From SQL*Plus:
select banner from v$version where banner like 'Oracle%';
Currently supported Oracle 10g versions as of 6/2010 are:
10.1 - Premier Support for 10.1 ended 31 Jan 2009; Extended Support for 10.1 available after 31 Jan 2009; Sustaining Support for 10.1 available after 31 Jan 2012; Terminal Patch Set: 10.1.0.5
10.2 - Premier Support for 10.2 ended 31 Jul 2010; Extended Support for 10.2 available after 31 Jul 2010; Sustaining Support for 10.2 available after 31 Jul 2013
If the Oracle version is not in the list above or is not supported with a purchased extended support contract, this is a Finding. Note: Sustaining Support does not include security updates. Any product in Sustaining Support is a Finding.
A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions).
Currently supported patched versions as of 6/2010 are:
10.2.0.4.0
10.2.0.3.0 (IBM z/OS 390 Server)
10.1.0.5.0 (Terminal Patch Set / Extended Support only)
If the Oracle patchset level is less than that listed above, this is a Finding.

Fix: F-22569r1_fix

Upgrade to a supported Oracle version. Purchase an Oracle Extended Support Contract where required. See http://www.oracle.com/technology/support/patches.htm for a definitive list of version patch sets for Oracle DBMS software. See http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf for Oracle support policies and timelines.

b
The latest security patches should be installed.
Medium - V-5659 - SV-24341r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0003-ORACLE10
Vuln IDs
  • V-5659
Rule IDs
  • SV-24341r1_rule
Maintaining the currency of the software version protects the database from known vulnerabilities.
Database Administrator
VIVM-1
Checks: C-26059r1_chk

Oracle provides patches in service patchsets, Critical Patch Updates (CPU) as well as providing patch set exceptions for installed DBMS products. A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions). This is covered in Check DG0001. Oracle security patches are published quarterly in January, April, July and October as Critical Patch Updates (CPU). CPUs may be viewed at: http://www.oracle.com/technology/deploy/security/alerts.htm Most Oracle CPU patches are also listed in DoD IAVM alerts. Patch set exceptions are fixes per a particular DBMS product based on reported bugs and do not undergo the rigorous QA and certification process that patchsets do. These are installed as needed to correct reported or observed bugs in Oracle DBMS products. This check applies to the application of the CPU patches only. You must comply with Check DG0001 prior to applying Oracle Critical Patch Updates.
For Oracle Critical Patch Updates (CPU):
1. Go to the website http://www.oracle.com/technology/deploy/security/alerts.htm.
2. Click on the latest Critical Patch Update link.
3. Click on the [Database] link in the Supported Products and Components Affected section.
4. Enter your Oracle MetaLink credentials.
5. Locate the Critical Patch Update Availability table.
6. Identify your OS Platform and Oracle version to see if there is a CPU release.
7. If there is none, this check is Not a Finding. If there is one, note the patch number for the steps below.
View the installed patch numbers for the database using the Oracle opatch utility.
On UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory -detail | grep [PATCHNUM]
On Windows systems (From Windows Command Prompt):
%ORACLE_HOME%\OPatch\opatch lsinventory -detail | findstr [PATCHNUM]
Replace [PATCHNUM] with the Patch number noted above. If the output shows the installed patch is present, this check is Not a Finding. No output indicates that the patch has not been applied and is a Finding.
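For the opatch step above, and the patch set level test in DG0001, here is an added example, not part of the STIG, that parses opatch lsinventory output instead of grepping for a single number, so that both the patch set level and the presence of the CPU patch are evaluated from one inventory. The inventory text is a constructed extract whose layout is assumed, and the patch numbers in it are placeholders rather than real Oracle patch IDs.

```python
import re

# Constructed extract of "opatch lsinventory -detail" output (shape only; not from a real
# host). Patch numbers here are placeholders, not real Oracle patch IDs.
OPATCH_OUTPUT = """\
Oracle Interim Patch Installer version 10.2.0.4.0
Oracle Home       : /u01/app/oracle/product/10.2.0/db_1

Installed Top-level Products (2):

Oracle Database 10g                                                  10.2.0.1.0
Oracle Database 10g Release 2 Patch Set 3                            10.2.0.4.0
There are 2 products installed in this Oracle Home.

Interim patches (2) :

Patch  1234567      : applied on Fri Jun 18 09:12:44 EDT 2010
   Created on 1 Apr 2010, 00:00:00 hrs PST8PDT
   Bugs fixed:
     1234567, 1234568

Patch  7654321      : applied on Mon Feb 01 14:03:10 EST 2010
   Bugs fixed:
     7654321
"""

# Lowest acceptable patch set level from the DG0001 list (non-z/OS platforms).
MIN_PATCHSET = '10.2.0.4.0'
# Placeholder: the CPU patch number read from the Critical Patch Update Availability table.
REQUIRED_CPU_PATCH = 1234567


def version_tuple(version):
    """'10.2.0.4.0' -> (10, 2, 0, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split('.'))


def installed_version(output):
    """Highest version among the installed top-level products, i.e. the patch set level."""
    versions = re.findall(r'^Oracle Database 10g.*?(\d+(?:\.\d+){3,4})\s*$', output, re.M)
    return max(versions, key=version_tuple) if versions else None


def interim_patches(output):
    """Set of applied interim (one-off and CPU) patch numbers."""
    return {int(p) for p in re.findall(r'^Patch\s+(\d+)\s*:\s*applied on', output, re.M)}


def evaluate(output, min_patchset=MIN_PATCHSET, required_patch=REQUIRED_CPU_PATCH):
    """Findings as (rule, detail): DG0001 for the patch set level, DG0003 for the CPU patch."""
    findings = []
    level = installed_version(output)
    if level is None or version_tuple(level) < version_tuple(min_patchset):
        findings.append(('DG0001', f'patch set level {level} is below {min_patchset}'))
    if required_patch not in interim_patches(output):
        findings.append(('DG0003', f'CPU patch {required_patch} is not applied'))
    return findings


if __name__ == '__main__':
    print('patch set level:', installed_version(OPATCH_OUTPUT))
    print('interim patches:', sorted(interim_patches(OPATCH_OUTPUT)))
    print('findings:', evaluate(OPATCH_OUTPUT))
```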

Fix: F-16159r1_fix

Apply the most current Oracle Critical Patch update to the database software when available. Follow vendor-provided patch installation instructions.

b
Only necessary privileges to the host system should be granted to DBA OS accounts.
Medium - V-6756 - SV-24345r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0005-ORACLE10
Vuln IDs
  • V-6756
Rule IDs
  • SV-24345r1_rule
Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.
System Administrator
Database Administrator
ECLP-1
Checks: C-28570r1_chk

Review host system privileges assigned to the Oracle DBA group and all individual Oracle DBA accounts. NOTE: do not include the Oracle software installation account in any results for this check.
For UNIX systems (as root):
cat /etc/group | grep -i dba
groups root
If "root" is returned in the first list, this is a Finding. If any accounts listed in the first list are also listed in the second list, this is a Finding. Investigate any user account group memberships other than DBA or root groups that are returned by the following command (also as root):
groups [dba user account]
Replace [dba user account] with the user account name of each DBA account. If individual DBA accounts are assigned to groups that grant access or privileges for purposes other than DBA responsibilities, this is a Finding.
For Windows Systems (click or select):
Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_DBA
Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_[SID]_DBA (if present)
NOTE: Users assigned DBA privileges on a Windows host are granted membership in the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA privileges to specific Oracle instances only.
Make a note of each user listed. For each user (click or select):
Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Users / [DBA user name] / Member of
If DBA users belong to any groups other than DBA groups and the Windows Users group, this is a Finding.
Examine User Rights assigned to DBA groups or group members:
Start / Settings / Control Panel / Administrative Tools / Local Security Policy / Security Settings / Local Policies / User Rights Assignments
If any User Rights are assigned directly to the DBA group(s) or DBA user accounts, this is a Finding.
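The UNIX parts of the DO0120, DO0145 and DG0005 checks can be run against copies of /etc/passwd and /etc/group; the script below is an added example (not from the STIG) that does so, resolving each account's primary and supplementary groups the way the groups command does, which a grep of /etc/group alone would miss for accounts whose primary group is the DBA group. The account names, group names and authorized DBA list are constructed.

```python
# Constructed /etc/passwd and /etc/group extracts (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:500:501:Oracle software owner:/home/oracle:/bin/bash
alice:x:501:501:DBA:/home/alice:/bin/bash
bob:x:502:100:Developer:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
wheel:x:10:alice
oinstall:x:501:
dba:x:502:oracle,alice,bob
"""


def parse_passwd(text):
    """user name -> primary group id."""
    primary = {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            fields = line.split(':')
            primary[fields[0]] = int(fields[3])
    return primary


def parse_group(text):
    """(gid -> group name, group name -> set of supplementary members)."""
    gid_name, members = {}, {}
    for line in text.splitlines():
        if line and not line.startswith('#'):
            fields = line.split(':')
            gid_name[int(fields[2])] = fields[0]
            members[fields[0]] = {m for m in fields[3].split(',') if m}
    return gid_name, members


def groups_of(user, primary, gid_name, members):
    """What the 'groups' command reports: primary group plus supplementary memberships."""
    result = {g for g, ms in members.items() if user in ms}
    if user in primary and primary[user] in gid_name:
        result.add(gid_name[primary[user]])
    return result


def audit(passwd_text, group_text, owner, dba_group, authorized, allowed_groups):
    """Findings as (rule, detail) for the DO0120, DO0145 and DG0005 host checks.

    owner: Oracle software installation account; dba_group: the OS DBA group (SS_DBA_GRP);
    authorized: DBA accounts listed in the System Security Plan; allowed_groups: groups a
    DBA account may belong to without further investigation.
    """
    primary = parse_passwd(passwd_text)
    gid_name, members = parse_group(group_text)
    findings = []
    # DO0120: the software owner must not hold root group membership
    if 'root' in groups_of(owner, primary, gid_name, members):
        findings.append(('DO0120', f'{owner} is a member of the root group'))
    dba_users = {u for u in primary if dba_group in groups_of(u, primary, gid_name, members)}
    # DG0005: root must not be in the DBA group
    if 'root' in dba_users:
        findings.append(('DG0005', f'root is a member of {dba_group}'))
    for user in sorted(dba_users - {'root'}):
        # DO0145: every DBA group member must be authorized by the IAO
        if user not in authorized:
            findings.append(('DO0145', f'{user} is in {dba_group} but not an authorized DBA'))
        # DG0005: extra memberships need investigation; the installation account is excluded
        extra = groups_of(user, primary, gid_name, members) - allowed_groups
        if user != owner and extra:
            findings.append(('DG0005', f'{user} also belongs to {sorted(extra)}'))
    return findings


if __name__ == '__main__':
    for rule, detail in audit(PASSWD, GROUP, 'oracle', 'dba', {'oracle', 'alice'},
                              {'dba', 'oinstall', 'users'}):
        print(rule, detail)
```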

Fix: F-24655r1_fix

Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration. Revoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts. Remove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts. You should document all DBA group accounts and individual DBA account assigned privileges in the System Security Plan.

b
The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
Medium - V-6767 - SV-25031r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0007-ORACLE10
Vuln IDs
  • V-6767
Rule IDs
  • SV-25031r1_rule
DBMS systems that do not follow DoD, vendor and/or public best security practices are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-1043r1_chk

Review security and administration documentation maintained for the DBMS system for indications that security guidance has been applied to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available:
(1) Commercially accepted practices (e.g., SANS);
(2) Independent testing results (e.g., ICSA); or
(3) Vendor literature.
If the DBMS system has not been secured using available security guidance as listed above, this is a Finding.

Fix: F-17960r1_fix

Apply available security guidance to the DBMS system. If DoD security guidance is not available, the following are acceptable in descending order as available:
(1) Commercially accepted practices (e.g., SANS);
(2) Independent testing results (e.g., ICSA); or
(3) Vendor literature.

b
Automated notification of suspicious activity detected in the audit trail should be implemented.
Medium - V-15102 - SV-24669r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0083-ORACLE10
Vuln IDs
  • V-15102
Rule IDs
  • SV-24669r1_rule
Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way.
Information Assurance Officer
ECRG-1
Checks: C-29189r1_chk

If the database being reviewed is not a production database, this check is Not a Finding. Interview the auditor or IAO to determine if an automated tool or procedure is used to report audit trail data. If an automated tool or procedure is not used, this is a Finding.

Fix: F-26205r1_fix

Develop, document and implement database or host system procedures to report audit trail data in a form usable to detect unauthorized access to or usage of DBMS privileges, procedures or data. You may also want to consider procuring a third-party auditing tool like Oracle Audit Vault with support for Oracle and other DBMS products within your environment. NOTE: Audit data may contain sensitive information. The use of a single repository for audit data should be protected at the highest level based on the sensitivity of the databases being audited.

b
An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
Medium - V-15103 - SV-24814r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0161-ORACLE10
Vuln IDs
  • V-15103
Rule IDs
  • SV-24814r1_rule
Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe.
Responsibility: Information Assurance Officer
IA Controls: ECAT-2
Checks: C-29378r1_chk

Review evidence that an automated, continuous on-line monitoring and audit trail creation capability for the DBMS is deployed and operating, with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected. If the requirements listed above are not fully met, this is a Finding.

Fix: F-26403r1_fix

Develop or procure, document and implement an automated, continuous on-line monitoring and audit trail creation capability for the DBMS, with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user-configurable capability to automatically disable the system if serious IA violations are detected.

c
Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
High - V-15104 - SV-24820r1_rule
RMF Control
Severity
High
CCI
Version
DG0167-ORACLE10
Vuln IDs
  • V-15104
Rule IDs
  • SV-24820r1_rule
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.
Responsibility: Database Administrator
IA Controls: ECCT-1, ECCT-2
Checks: C-29384r1_chk

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification. It may be necessary to review network device configuration evidence or host communications configuration evidence. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.

Fix: F-26409r1_fix

Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan and AIS Functional Architecture documentation. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.

b
Unauthorized access to external database objects should be removed from application user roles.
Medium - V-15105 - SV-24749r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0120-ORACLE10
Vuln IDs
  • V-15105
Rule IDs
  • SV-24749r1_rule
Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.
Responsibility: Database Administrator
IA Controls: ECLP-1
Checks: C-1013r1_chk

Review definitions and access restrictions to objects stored outside of DBMS control. View object application data types defined in the database, but stored outside of the DBMS. View data objects that include host file and directory references in their definitions. If any external objects exist that are not referenced and authorized in the System Security Plan, this is a Finding.

Fix: F-24519r1_fix

Evaluate the associated risk in allowing access to external objects. Consider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function. Where feasible, modify the application to use only objects stored internally to the database. Where not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects.

b
DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
Medium - V-15106 - SV-24674r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0086-ORACLE10
Vuln IDs
  • V-15106
Rule IDs
  • SV-24674r1_rule
Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. Monitoring assigned privileges assists in the detection of unauthorized privilege assignment. The DBA role is assigned privileges that allow DBAs to modify privileges assigned to them. Ensure that the DBA Role is monitored for any unauthorized changes.
Responsibility: Information Assurance Officer
IA Controls: ECLP-1
Checks: C-29191r1_chk

Review documented procedures and implementation evidence of DBA role privilege monitoring. If procedures are not documented or noted in the System Security Plan or are not complete, this is a Finding. If evidence of implementation for monitoring does not exist, this is a Finding. If monitoring does not occur monthly (~30 days) or more often, this is a Finding.

Fix: F-26207r1_fix

Design, document and implement procedures for monitoring DBA role privilege assignments. Grant the DBA role the minimum privileges required to perform administrative functions. Establish monitoring of DBA role privileges monthly or more often.

b
DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.
Medium - V-15107 - SV-24634r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0063-ORACLE10
Vuln IDs
  • V-15107
Rule IDs
  • SV-24634r1_rule
Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.
Responsibility: Database Administrator
IA Controls: ECLP-1
Checks: C-24213r1_chk

Review DBMS accounts with elevated permissions (accounts granted ROLE permissions, DBA accounts, SCHEMA accounts, etc.). If any accounts are not documented and authorized for RESTORE permissions, this is a Finding.

Fix: F-2869r1_fix

Utilize DBMS roles that are authorized for database restore functions. Restrict assignment of restore privileges. Assign DBMS restoration roles only to authorized DBMS accounts. Document assignments in the System Security Plan.

b
Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.
Medium - V-15108 - SV-24839r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0194-ORACLE10
Vuln IDs
  • V-15108
Rule IDs
  • SV-24839r1_rule
The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.
Responsibility: Information Assurance Officer
IA Controls: ECPC-1, ECPC-2
Checks: C-29400r1_chk

If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review policy and procedures documented or noted in the System Security Plan and evidence of monitoring of developer privileges on shared development and production DBMS and DBMS host systems. If developer privileges are not monitored every three months or more frequently, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the installation in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-26425r1_fix

Develop, document and implement procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.
Medium - V-15109 - SV-24841r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0195-ORACLE10
Vuln IDs
  • V-15109
Rule IDs
  • SV-24841r1_rule
Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities.
Responsibility: System Administrator, Database Administrator
IA Controls: ECPC-1, ECPC-2
Checks: C-29402r1_chk

If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review OS DBA group membership. If any developer accounts as identified in the System Security Plan have been assigned DBA privileges, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the installation in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Fix: F-26427r1_fix

Create separate DBMS host OS groups for developer and production DBAs. Do not assign production DBA OS group membership to accounts used for development. Remove development accounts from production DBA OS group membership. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
Use of the DBMS installation account should be logged.
Medium - V-15110 - SV-24376r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0041-ORACLE10
Vuln IDs
  • V-15110
Rule IDs
  • SV-24376r1_rule
The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.
Responsibility: Information Assurance Officer
IA Controls: ECLP-1
Checks: C-29142r1_chk

Review documented and implemented procedures for monitoring the use of the DBMS software installation account in the System Security Plan. If use of this account is not monitored or procedures for monitoring its use do not exist or are incomplete, this is a Finding. NOTE: On Windows systems, the Oracle DBMS software is installed using an account with administrator privileges. Ownership should be reassigned to a dedicated OS account used to operate the DBMS software. If monitoring does not include all accounts with administrator privileges on the DBMS host, this is a Finding.

Fix: F-26151r1_fix

Develop, document and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account. Host system audit logs should be included in the DBMS account usage log along with an indication of the person who accessed the account and an explanation for the access. Ensure all accounts with administrator privileges are monitored for DBMS host on Windows OS platforms.

b
Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
Medium - V-15111 - SV-24378r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0042-ORACLE10
Vuln IDs
  • V-15111
Rule IDs
  • SV-24378r1_rule
The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS.
Responsibility: Information Assurance Officer
IA Controls: ECLP-1
Checks: C-29144r1_chk

Review the DBMS account usage log for use of the Oracle DBMS software installation account. Interview personnel authorized to access the DBMS software installation account to ask how the account is used. If any usage of the account is to support daily operations or general DBA responsibilities, this is a Finding. NOTE: On Windows systems, the Oracle DBMS software is installed using an account with administrator privileges. Ownership should be reassigned to a dedicated OS account used to operate the DBMS software. Except where a change in ownership is made to files/directories during a software update, any check results are not a Finding.

Fix: F-26153r1_fix

Develop, document, implement procedures, and train authorized users to restrict usage of the DBMS software installation account for DBMS software installation, upgrade and maintenance only where applicable. For Windows systems, reapplication of the fix for Check DG0019 may be necessary to reestablish correct file/directory ownership.

a
The DBMS should be periodically tested for vulnerability management and IA compliance.
Low - V-15112 - SV-24677r1_rule
RMF Control
Severity
Low
CCI
Version
DG0088-ORACLE10
Vuln IDs
  • V-15112
Rule IDs
  • SV-24677r1_rule
The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, then it can be vulnerable to attack or compromise.
Responsibility: Information Assurance Officer
IA Controls: ECMT-1, ECMT-2
Checks: C-29193r1_chk

Review procedures and evidence of implementation for DBMS IA and vulnerability management compliance. This should include periodic, unannounced, in-depth monitoring and provide for specific penetration testing, to ensure that compliance with all vulnerability mitigation procedures, such as the DoD IAVA or other DoD IA practices, is planned, scheduled and conducted. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities. The results for Classified systems are required to be independently validated. If the requirements listed above are not being met, this is a Finding.

Fix: F-26209r1_fix

Develop, document and implement procedures for periodic testing of the DBMS for current vulnerability management and security configuration compliance as stated in the check. Coordinate 3rd-party validation testing for Classified systems.

b
The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
Medium - V-15116 - SV-24822r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0175-ORACLE10
Vuln IDs
  • V-15116
Rule IDs
  • SV-24822r1_rule
The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-29387r1_chk

If the DBMS host being reviewed is not a production DBMS host, this check is Not a Finding. Review evidence of security hardening and auditing of the DBMS host platform with the IAO. If the DBMS host platform has not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) that store data in the database and all other separately configured components that access the database including web servers, application servers, report servers, etc. If any have not been hardened and received a security audit, this is a Finding. Review evidence of security hardening and auditing for all application(s) installed on the local DBMS host where security hardening and auditing guidance exists. If any have not been hardened and received a security audit, this is a Finding.

Fix: F-26413r1_fix

Configure all related application components and the DBMS host platform in accordance with the applicable DoD STIG. Regularly audit the security configuration of related applications and the host platform to confirm continued compliance with security requirements.

b
The DBMS audit logs should be included in backup operations.
Medium - V-15117 - SV-24824r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0176-ORACLE10
Vuln IDs
  • V-15117
Rule IDs
  • SV-24824r1_rule
DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.
Responsibility: Database Administrator
IA Controls: ECTB-1
Checks: C-29389r1_chk

Oracle audit events are logged to error logs, trace files, host system logs and may be stored in database tables. For each Oracle database on the host, determine the location of the database audit trail. From SQL*Plus:

select value from v$parameter where name = 'audit_trail';

If the audit trail is directed to database tables (DB*), ensure the audit table data is included in the database backups. Backups of host system log files are covered in host system security reviews and are not covered here. Other Oracle log files include:
- Listener trace file (specified in the listener.ora file)
- SQLNet trace file (specified in the sqlnet.ora file)
- Oracle database alert and trace files (specified in Oracle parameters):
-- audit_file_dest
-- db_recovery_file_dest
-- diagnostic_dest – 11.1 and higher
-- log_archive_dest
-- log_archive_dest_n
If evidence of inclusion of all audit log files in regular DBMS or host backups does not exist, this is a Finding.
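Building on the check above, the following SQL*Plus script is an added example, not part of the STIG: it gathers every audit and log destination the check names in one pass and, when the trail is kept in the database, identifies the tablespace holding SYS.AUD$ and SYS.FGA_LOG$ and when each datafile of that tablespace was last backed up. It assumes an account with SELECT on the V$ and DBA_ views, and it assumes RMAN is the backup tool, because V$BACKUP_DATAFILE only records RMAN backups still retained in the control file.

```sql
-- Added example, not from the STIG. Run from SQL*Plus as an account with
-- SELECT on the V$ and DBA_ views (SELECT ANY DICTIONARY or SYSDBA).

-- 1. Every destination the check asks about. A parameter that does not
--    exist in this release (e.g. diagnostic_dest before 11.1) returns no row.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_file_dest', 'audit_sys_operations',
                'background_dump_dest', 'user_dump_dest',
                'db_recovery_file_dest', 'diagnostic_dest',
                'log_archive_dest', 'log_archive_dest_1')
 ORDER BY name;

-- 2. When audit_trail is DB or DB_EXTENDED, standard audit records live in
--    SYS.AUD$ and fine-grained audit records in SYS.FGA_LOG$. Whatever
--    tablespace holds them (SYSTEM unless relocated) must be in the backup set.
SELECT owner, table_name, tablespace_name
  FROM dba_tables
 WHERE owner = 'SYS'
   AND table_name IN ('AUD$', 'FGA_LOG$');

-- 3. Evidence of inclusion: the most recent RMAN backup of each datafile in
--    those tablespaces. A NULL or stale last_backed_up means the audit tables
--    are not demonstrably backed up (assumption: RMAN, control-file history).
SELECT d.tablespace_name, d.file_name,
       MAX(b.completion_time) AS last_backed_up
  FROM dba_data_files d
  LEFT JOIN v$backup_datafile b ON b.file# = d.file_id
 WHERE d.tablespace_name IN (SELECT tablespace_name
                               FROM dba_tables
                              WHERE owner = 'SYS'
                                AND table_name IN ('AUD$', 'FGA_LOG$'))
 GROUP BY d.tablespace_name, d.file_name
 ORDER BY d.tablespace_name, d.file_name;
```

The third query is only as complete as the control file's backup history (CONTROL_FILE_RECORD_KEEP_DAYS) or a recovery catalog; if an OS-level backup tool is used instead of RMAN, the evidence has to come from that tool's logs. File-based destinations from the first query (audit_file_dest, the dump and archive destinations) are covered by host backups, which this check leaves to the host system review.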

Fix: F-26415r1_fix

Document and implement locations of trace, log and alert locations in the System Security Plan. Include all trace, log and alert files in regular backups.

b
Remote administrative access to the database should be monitored by the IAO or IAM.
Medium - V-15118 - SV-24809r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0159-ORACLE10
Vuln IDs
  • V-15118
Rule IDs
  • SV-24809r1_rule
Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to implement increased monitoring of this access to detect any abuse or compromise.
Responsibility: Information Assurance Officer, Information Assurance Manager
IA Controls: EBRP-1
Checks: C-29376r1_chk

If remote administrative access to the database is prohibited and is disabled (See Check DG0093), this check is Not a Finding. Review policy, procedure and evidence of implementation for monitoring of remote administrative access to the database. If monitoring procedures for remote administrative access are not documented or implemented, this is a Finding.

Fix: F-26401r1_fix

Develop, document and implement policy and procedures to monitor remote administrative access to the DBMS. The automated generation of a log report with automatic dissemination to the IAO/IAM may be used. Require and store an acknowledgement of receipt and confirmation of review for the log report.

b
DBMS backup and restoration files should be protected from unauthorized access.
Medium - V-15120 - SV-24636r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0064-ORACLE10
Vuln IDs
  • V-15120
Rule IDs
  • SV-24636r1_rule
Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation.
Responsibility: Database Administrator
IA Controls: COBR-1
Checks: C-29160r1_chk

Review documented backup and restoration procedures to determine ownership and access during all phases of backup and recovery. Review file protections assigned to online backup and restoration files and tools. Review access, physical security protections and documented procedures for offline backup and restoration files and tools. If implementation evidence indicates that backup or restoration files are subject to corruption, unauthorized access or physical loss, this is a Finding.

Fix: F-26172r1_fix

Develop, document and implement protection for backup and restoration files. Document personnel and the level of access authorized for each to backup and restoration files and tools. In addition to physical and host system protections, consider other methods including password protection of the files.

b
DBMS software libraries should be periodically backed up.
Medium - V-15121 - SV-24831r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0187-ORACLE10
Vuln IDs
  • V-15121
Rule IDs
  • SV-24831r1_rule
The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations.
Responsibility: Database Administrator
IA Controls: COSW-1
Checks: C-29393r1_chk

Review evidence of Oracle database and dependent application files and directories. For UNIX Systems: These files are found in the directories $ORACLE_BASE and $ORACLE_HOME. For Windows Systems: The Oracle software directory is specified on a Windows host in the registry value HKLM\SOFTWARE\Oracle\KEY_[ORACLE_HOME_NAME]\ORACLE_HOME. Other Oracle software, including but not limited to Oracle tools and utilities, is usually found on Windows platforms in the C:\Program Files\Oracle directory and subdirectories. Third-party applications may be located in other directory structures. Review the System Security Plan for a list of all DBMS application software libraries to be included in software library backups. If any software library files are not included in regular backups, this is a Finding.

Fix: F-26419r1_fix

Configure backups to include all ORACLE home directories and subdirectories and any other Oracle application and third-party database application software libraries.

b
The database should not be directly accessible from public or unauthorized networks.
Medium - V-15122 - SV-24448r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0186-ORACLE10
Vuln IDs
  • V-15122
Rule IDs
  • SV-24448r1_rule
Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk.
Responsibility: Information Assurance Officer
IA Controls: EBBD-1, EBBD-2, EBBD-3
Checks: C-29391r1_chk

Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave. If the DBMS is not accessed outside of the local enclave, this check is Not a Finding. If the DBMS serves applications available from a public network (e.g. the Internet), then confirm that the application servers are located in a DMZ. If the DBMS is located inside the local enclave and is directly accessible to public users, this is a Finding. If the DBMS serves public-facing applications and is not protected from direct client connections and unauthorized networks, this is a Finding. If the DBMS serves public-facing applications and contains sensitive or classified information, this is a Finding.

Fix: F-26417r1_fix

Do not allow direct connections from users originating from the Internet or other public network to the DBMS. Include in the System Security Plan for the system whether the DBMS serves public-facing applications or applications serving users from other untrusted networks. Do not store sensitive or classified data on a DBMS server that serves public-facing applications.

b
Database backup procedures should be defined, documented and implemented.
Medium - V-15126 - SV-24600r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0013-ORACLE10
Vuln IDs
  • V-15126
Rule IDs
  • SV-24600r1_rule
Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.
Responsibility: System Administrator, Database Administrator
IA Controls: CODB-1, CODB-2, CODB-3
Checks: C-2949r1_chk

Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the System Security Plan. If backup procedures do not exist or are not implemented in accordance with the procedures, this is a Finding. If backups do not include a redundant secondary system maintained at a separate physical site that can be activated without interruption or loss of data if the primary system fails, this is a Finding.

Fix: F-3798r1_fix

Develop, document and implement database backup procedures. Include a secondary server installed at a separate location (IAW COOP guidelines) that can be brought online to prevent any disruption to availability or loss of data.

b
The IAM should review changes to DBA role assignments.
Medium - V-15127 - SV-24741r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0118-ORACLE10
Vuln IDs
  • V-15127
Rule IDs
  • SV-24741r1_rule
Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight.
Responsibility: Information Assurance Manager
IA Controls: ECPA-1
Checks: C-29352r1_chk

Review policy and procedures documented or noted in the System Security Plan as well as evidence of implementation for monitoring changes to DBA role assignments and procedures for notifying the IAM of the changes for review. If policy, procedures or implementation evidence do not exist, this is a Finding.

Fix: F-26377r1_fix

Develop, document and implement procedures to monitor changes to DBA role assignments. Develop, document and implement procedures to notify the IAM of changes to DBA role assignments. Include in the procedures methods that provide evidence of monitoring and notification.
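DG0086 (above) asks for monthly monitoring of the privileges granted to the DBA role, and DG0118 asks that changes to who holds the DBA role reach the IAM for review. The following SQL*Plus script is an added example that serves both; it is not part of the STIG. It defines a view of the current state, captures a baseline once the assignments have been authorized, and lists every addition or removal since. The names dba_role_current and dba_role_baseline are assumptions; create them in a dedicated monitoring schema that has been granted SELECT directly on DBA_ROLE_PRIVS and DBA_SYS_PRIVS, because a view definition cannot rely on privileges that arrive through a role.

```sql
-- Added example, not from the STIG. Object names are assumptions.
-- Current state of the DBA role: who holds it, which system privileges it
-- carries, and which other roles are nested under it.
CREATE OR REPLACE VIEW dba_role_current AS
SELECT CAST('HOLDER' AS VARCHAR2(8)) AS kind,   -- account or role granted DBA
       grantee AS subject, granted_role AS privilege, admin_option AS flag
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT 'SYSPRIV', grantee, privilege, admin_option   -- system privileges of DBA
  FROM dba_sys_privs
 WHERE grantee = 'DBA'
UNION ALL
SELECT 'ROLE', grantee, granted_role, admin_option   -- roles granted to DBA
  FROM dba_role_privs
 WHERE grantee = 'DBA';

-- Baseline: take it once, after the IAM has reviewed and authorized the
-- assignments, and re-create it only after each reviewed change.
CREATE TABLE dba_role_baseline AS
SELECT SYSDATE AS captured_at, c.kind, c.subject, c.privilege, c.flag
  FROM dba_role_current c;

-- Monthly (DG0086) and on-change (DG0118) report: each row is an unreviewed
-- grant or revoke and goes to the IAM. No rows means no drift from baseline.
SELECT CAST('ADDED' AS VARCHAR2(7)) AS change_type, kind, subject, privilege, flag
  FROM (SELECT kind, subject, privilege, flag FROM dba_role_current
        MINUS
        SELECT kind, subject, privilege, flag FROM dba_role_baseline)
UNION ALL
SELECT 'REMOVED', kind, subject, privilege, flag
  FROM (SELECT kind, subject, privilege, flag FROM dba_role_baseline
        MINUS
        SELECT kind, subject, privilege, flag FROM dba_role_current)
 ORDER BY change_type, kind, subject, privilege;
```

Keep the spooled output of the report together with the IAM's acknowledgement; that pairing is the implementation evidence both checks ask for. The admin_option column is included deliberately: a grant of DBA WITH ADMIN OPTION lets the grantee hand the role to others, so a change in that flag alone is worth reporting.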

b
Backup and recovery procedures should be developed, documented, implemented and periodically tested.
Medium - V-15129 - SV-24607r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0020-ORACLE10
Vuln IDs
  • V-15129
Rule IDs
  • SV-24607r1_rule
Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used.
Responsibility: Database Administrator
IA Controls: CODP-1, CODP-2, CODP-3
Checks: C-29107r1_chk

Review documented backup testing and recovery verification procedures noted or documented in the System Security Plan. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic or hardcopy and may include email or other notification. If backup testing and recovery verification are not documented or noted in the System Security Plan, this is a Finding. If evidence of backup testing and recovery verification does not exist, this is a Finding.

Fix: F-26110r1_fix

Develop, document and implement backup testing and recovery verification procedures for the DBMS host and all individual database instances and either include or note the name, location, version and current revision date of any external documentation in the System Security Plan. Include any requirements for documenting database backup and recovery testing and verification activities in the procedures.

b
Sensitive information stored in the database should be protected by encryption.
Medium - V-15131 - SV-24055r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0090-ORACLE10
Vuln IDs
  • V-15131
Rule IDs
  • SV-24055r1_rule
Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.
Responsibility: Database Administrator, Information Assurance Officer
IA Controls: ECCR-1, ECCR-2, ECCR-3
Checks: C-24305r1_chk

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. Review sensitive data stored in the database as identified in the System Security Plan using select statements. Note in the System Security Plan if the data is encrypted by column or by transparent encryption. Transparent data encryption is available only in Oracle versions 10.2 and later using Oracle Advanced Security. If transparent data encryption is specified, then verify it is enabled. By data columns: From SQL*Plus (Oracle 10.2 and higher):

select owner, table_name, column_name from dba_encrypted_columns;

If columns within tables, tables and/or tablespaces that the System Security Plan requires to be encrypted transparently are not listed above, this is a Finding. If DBMS products are used to encrypt data, view the sensitive data fields required to be encrypted using select statements. If any data is displayed in human-readable format, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave.
NOTE: This check result may be marked not a Finding and the requirement of encryption in the database waived where the database has only database administrative accounts and application accounts that have a need-to-know to the data. This waiver does not preclude the requirement for encryption of the associated database data file (see DG0092).
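The check above leaves the reviewer to compare the DBA_ENCRYPTED_COLUMNS listing against the System Security Plan by eye. The following SQL*Plus script is an added example, not part of the STIG, that does the comparison in the database: the owner/table/column triples in required_cols are constructed placeholders standing in for the SSP's own list, and the script assumes Oracle 10.2 or later with Oracle Advanced Security and an account granted SELECT on DBA_ENCRYPTED_COLUMNS.

```sql
-- Added example, not from the STIG. Oracle 10.2+ with Oracle Advanced Security.
-- The three rows below are constructed placeholders: substitute the
-- owner/table/column triples the System Security Plan lists as requiring
-- encryption. CAST on the first branch keeps the values VARCHAR2 so that
-- the set comparison is not confused by CHAR blank-padding.
WITH required_cols AS (
    SELECT CAST('HR' AS VARCHAR2(30))        AS owner,
           CAST('EMPLOYEES' AS VARCHAR2(30)) AS table_name,
           CAST('SSN' AS VARCHAR2(30))       AS column_name
      FROM dual
    UNION ALL
    SELECT 'HR', 'EMPLOYEES', 'SALARY' FROM dual
    UNION ALL
    SELECT 'PAY', 'ACCOUNTS', 'ACCOUNT_NO' FROM dual
)
-- 1. Required columns that transparent data encryption does not cover.
--    Every row returned is a Finding under this check.
SELECT r.owner, r.table_name, r.column_name
  FROM required_cols r
MINUS
SELECT e.owner, e.table_name, e.column_name
  FROM dba_encrypted_columns e;

-- 2. For the columns that are encrypted, record the algorithm and whether
--    salt is applied, so the SSP entry can show that NIST-certified
--    cryptography (AES or Triple DES) is the one in use.
SELECT e.owner, e.table_name, e.column_name, e.encryption_alg, e.salt
  FROM dba_encrypted_columns e
 ORDER BY e.owner, e.table_name, e.column_name;
```

The first query answers the "not listed above" test; the second supplies the evidence for the NIST-certified cryptography sentences of the check. Columns protected by application-level encryption rather than TDE will appear in the first result and must be verified by the select-statement review the check describes, since DBA_ENCRYPTED_COLUMNS knows nothing about them.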

Fix: F-26213r1_fix

Identify all sensitive data and the method to be used to encrypt specified sensitive data in the System Security Plan. Use only NIST-certified or NSA-approved cryptography to provide encryption. Oracle transparent data encryption (available in Oracle version 10.2 and later) requires Oracle Advanced Security. See the chapter on Transparent Data Encryption in the Oracle Database Advanced Security Administrator's Guide for details on using and configuring transparent data encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the Information Owner document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those without need-to-know access to the data. Developers should consider using a record-specific encryption method to protect individual records. For example, if the session username or another individualized element forms part of the encryption key, a data element can be decrypted only by that user, or only with other data accessible solely to that user. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by unauthorized users (without need-to-know).

b
Database data files containing sensitive information should be encrypted.
Medium - V-15132 - SV-24683r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0092-ORACLE10
Vuln IDs
  • V-15132
Rule IDs
  • SV-24683r1_rule
Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. Encryption of sensitive data helps protect against disclosure to privileged users who do not have a need-to-know requirement for the data but may be able to access DBMS data files using OS file tools. NOTE: The decision to encrypt data is the responsibility of the Information Owner and should be based on the other access controls employed to protect the data.Database AdministratorECCR-1, ECCR-2, ECCR-3
Checks: C-29215r1_chk

Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding. Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation. If all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding. If not all identified sensitive data is encrypted within database objects, review the encryption applied to the DBMS host data files. If no encryption is applied, this is a Finding. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information. If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information. If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave. Determine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.

Fix: F-26236r1_fix

Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database. Use only NIST-certified or NSA-approved cryptography to provide encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. To lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by users (with and/or without Need-to-Know).

a
The DBMS IA policies and procedures should be reviewed annually or more frequently.
Low - V-15138 - SV-24688r1_rule
RMF Control
Severity
Low
CCI
Version
DG0096-ORACLE10
Vuln IDs
  • V-15138
Rule IDs
  • SV-24688r1_rule
A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DoD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policies.Information Assurance OfficerDCAR-1
Checks: C-29225r1_chk

Review documented policy and procedures included or noted in the System Security Plan as well as evidence of implementation for annual reviews of DBMS IA policy and procedures. If policy and procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, this is a Finding.

Fix: F-26246r1_fix

Develop, document and implement procedures to review DBMS IA policies and procedures.

b
Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
Medium - V-15139 - SV-24690r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0097-ORACLE10
Vuln IDs
  • V-15139
Rule IDs
  • SV-24690r1_rule
Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.Information Assurance OfficerDCCT-1
Checks: C-29232r1_chk

Review policy and procedures documented or noted in the System Security Plan and evidence of implementation for testing DBMS installations, upgrades and patches prior to production deployment. If policy and procedures do not exist or evidence of implementation does not exist, this is a Finding.

Fix: F-26254r1_fix

Develop, document and implement procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.

b
Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
Medium - V-15140 - SV-24644r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0069-ORACLE10
Vuln IDs
  • V-15140
Rule IDs
  • SV-24644r1_rule
Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure.Database AdministratorECAN-1
Checks: C-29168r1_chk

If the database being reviewed is not a production database or does not contain sensitive data, this check is Not a Finding. Review documented policy, procedures and proof of implementation for restrictions placed on data exports from the production database. Policy and procedures should include that only authorized users have access to DBMS export utilities and that export data is properly sanitized prior to import to a development database. Policy and procedures may also include that developers be granted the necessary clearance and need-to-know prior to import of production data. If documented policy, procedures and proof of implementation are not present or complete, this is a Finding. If methods to sanitize sensitive data are required and not documented or followed, this is a Finding.

Fix: F-26180r1_fix

Develop, document and implement policy and procedures that provide restrictions for production data export. Require users and administrators assigned privileges that allow the export of production data from a production database to acknowledge understanding of export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users. Ensure sensitive data from production is sanitized prior to import to a development database (See check DG0076). Grant access and need-to-know to developers where allowed by policy.

b
DBMS processes or services should run under custom, dedicated OS accounts.
Medium - V-15141 - SV-24701r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0102-ORACLE10
Vuln IDs
  • V-15141
Rule IDs
  • SV-24701r1_rule
Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.Database AdministratorDCFA-1
Checks: C-29294r1_chk

Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software.

On UNIX Systems (enter at command prompt):

ps -ef | grep -i pmon | grep -v grep      (all database processes)
ps -ef | grep -i tns | grep -v grep       (all listener processes)
ps -ef | grep -i dbsnmp | grep -v grep    (Oracle Intelligent Agents)

Sample output (database processes):
oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1

Sample output (listener processes):
oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit

Sample output (agent processes):
oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp

In the above samples, the first field ("oracle") is the user account that owns the process. If any Oracle processes are not running under a dedicated OS account (for example, if any run as root), this is a Finding.

For Windows Systems: Log in using an account with administrator privileges. Open the Services snap-in. Review the Oracle services. All Oracle services should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem. If any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding. If any Oracle service is run as LocalSystem, this is a Finding.
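As an added example (not part of the STIG text), the shell function below applies the UNIX portion of this check to captured ps -ef output: it selects the pmon, tnslsnr and dbsnmp processes, skips grep itself as the check does, and reports any process that runs as root or as an account other than the expected dedicated owner. The function name, the owner name oracle and the ps -ef lines are constructed for illustration; on a live host pass "$(ps -ef)" as the second argument.

```shell
#!/bin/sh
# Added example, not part of the STIG: verify that Oracle processes run as
# the dedicated software owner.  The ps -ef output below is constructed.

# check_process_owner EXPECTED_OWNER PS_OUTPUT
#   Scans ps -ef output for database (ora_pmon_*), listener (tnslsnr) and
#   agent (dbsnmp) processes, skipping grep itself as the STIG check does.
#   Prints one FINDING line per process not owned by EXPECTED_OWNER and
#   returns 1; prints an OK line and returns 0 when all are compliant.
check_process_owner() {
    cpo_out=$(printf '%s\n' "$2" | awk -v want="$1" '
        tolower($0) ~ /ora_pmon_|tnslsnr|dbsnmp/ && $0 !~ /grep/ {
            seen++
            # ps -ef columns: UID PID PPID C STIME TTY TIME CMD...
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            if ($1 == "root")
                print "FINDING: " cmd " runs as root (pid " $2 ")"
            else if ($1 != want)
                print "FINDING: " cmd " runs as " $1 ", expected " want " (pid " $2 ")"
        }
        END { if (!seen) print "FINDING: no Oracle database, listener or agent processes found" }')
    if [ -n "$cpo_out" ]; then
        printf '%s\n' "$cpo_out"
        return 1
    fi
    echo "OK: all Oracle processes run as $1"
}

# Constructed sample: the agent process is wrongly running as root.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
oracle    5593     1  0 08:15 ?        00:00:00 ora_pmon_oraprod1
oracle    5505     1  0 08:15 ?        00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit
root      1734     1  0 08:16 ?        00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp
oracle    6001  5990  0 09:02 pts/0    00:00:00 grep -i pmon'

# The same sample with the agent corrected.
CLEAN_PS=$(printf '%s\n' "$SAMPLE_PS" | sed 's/^root  /oracle/')

check_process_owner oracle "$SAMPLE_PS" || echo "(exit status $?)"
check_process_owner oracle "$CLEAN_PS"
# On a live host:  check_process_owner oracle "$(ps -ef)"
```

The grep exclusion mirrors the check's grep -v grep and has the same blind spot: a process whose command line happens to contain "grep" is skipped, so review the raw ps -ef output as well when the result is unexpected.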

Fix: F-26326r1_fix

On UNIX Systems: Ensure the Oracle Owner account is used for all Oracle processes. The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account. On Windows Systems: Create and assign a dedicated Oracle Windows OS account for all Oracle processes.

b
Database data encryption controls should be configured in accordance with application requirements.
Medium - V-15143 - SV-24706r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0106-ORACLE10
Vuln IDs
  • V-15143
Rule IDs
  • SV-24706r1_rule
Access to sensitive data may not always be sufficiently protected by authorizations and require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.Database AdministratorDCFA-1
Checks: C-29312r1_chk

Review the System Security Plan and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no sensitive data is present or encryption of sensitive data is not required by the Information Owner, this check is Not a Finding. Review the encryption configuration against the System Security Plan specification. If the specified encryption is not configured, this is a Finding.

Fix: F-26344r1_fix

Configure DBMS encryption features and functions as required by the System Security Plan. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.

b
Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.
Medium - V-15144 - SV-24709r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0107-ORACLE10
Vuln IDs
  • V-15144
Rule IDs
  • SV-24709r1_rule
A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses.Information Assurance OfficerDCFA-1
Checks: C-29344r1_chk

If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is Not a Finding. Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified. Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the IAO or DBA where any questions arise. General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified. If any data is considered sensitive and is not documented in the AISFA, this is a Finding.

Fix: F-26369r1_fix

Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan. Include data that appear to be sensitive with a discussion as to why it is not marked as such.

a
The DBMS restoration priority should be assigned.
Low - V-15145 - SV-24712r1_rule
RMF Control
Severity
Low
CCI
Version
DG0108-ORACLE10
Vuln IDs
  • V-15145
Rule IDs
  • SV-24712r1_rule
When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without proper assignment of the priority placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements.Information Assurance OfficerDCFA-1
Checks: C-29346r1_chk

Review the System Security Plan to discover the restoration priority assigned to the DBMS. If a restoration priority is not assigned, this is a Finding.

Fix: F-26371r1_fix

Review the mission criticality of the DBMS in relation to the overall mission of the organization and assign it a restoration priority.

b
The DBMS should not be operated without authorization on a host system supporting other application services.
Medium - V-15146 - SV-24714r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0109-ORACLE10
Vuln IDs
  • V-15146
Rule IDs
  • SV-24714r1_rule
In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host is threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.Information Assurance OfficerDCPA-1
Checks: C-29348r1_chk

Review a list of Windows service or UNIX processes running on the DBMS host. For Windows, review the Services snap-in. Investigate with the DBA/SA any unknown services. For UNIX, issue the ps -ef command. Investigate with the DBA/SA any unknown processes. If web, application, ftp, domain, print or other non-DBMS services or processes are identified as supporting other optional applications or functions not authorized in the System Security Plan, this is a Finding. NOTE: Only applications that are technically required to share the same host system may be authorized to do so. Applications that share the same host for administrative, financial or other non-technical reasons may not be authorized and are a Finding.

Fix: F-26373r1_fix

A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor. Remove any unauthorized processes or services and install on a separate host system. Where separation is not supported, update the System Security Plan to provide the technical requirement for having the application share a host with the DBMS.

b
The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.
Medium - V-15147 - SV-24719r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0111-ORACLE10
Vuln IDs
  • V-15147
Rule IDs
  • SV-24719r1_rule
Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists.Database AdministratorDCPA-1
Checks: C-883r1_chk

Review the disk/directory specification where database data, transaction log and audit files are stored. If DBMS data, transaction or audit data files are stored in the same directory, this is a Finding. If separation of data, transaction and audit data is not supported by the DBMS, this check is Not a Finding. If they are stored separately but the access permissions for each directory are the same, this is a Finding.

Fix: F-3421r1_fix

Specify dedicated directories for storage of database data, transaction and audit files. Configure DBMS default file storage locations to use dedicated directories where supported by the DBMS. Ensure the access permissions for each directory are customized to allow access only by authorized users and processes.

b
DBMS network communications should comply with PPS usage restrictions.
Medium - V-15148 - SV-24807r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0152-ORACLE10
Vuln IDs
  • V-15148
Rule IDs
  • SV-24807r1_rule
Use of default ports is required in DoD networks to support network security device management.Database AdministratorDCPP-1
Checks: C-29372r1_chk

If the Oracle Listener, JAVA Listener, Oracle Names and Connection Manager are not running on the local database host server, this check is Not a Finding.

Review the listener.ora file, located by default in the ORACLE_HOME/network/admin directory or in the directory specified in the TNS_ADMIN environment variable defined for the listener process or service. View the "PORT=" parameter for every protocol address defined. For any port that does not match an entry in the list below, confirm whether it is a registered port for the service.

View the cman.ora file in the ORACLE_HOME/network/admin directory. If the file does not exist, the database is not accessed via Oracle Connection Manager and this part of the check is Not a Finding. View the "PORT=" parameter for every protocol address defined. For any port that does not match an entry in the list below, confirm whether it is a registered port for the service.

If any non-default, non-registered ports are configured, this is a Finding.

Default Oracle Listener Ports: 1521, 2483, 2484
Default Java Listener Ports: 2481, 2482
Default Oracle Names Listener Port: 1575
Default Connection Manager Ports: 1521, 1830

Registered ports may be listed at http://www.iana.org/assignments/port-numbers or in the DoD Ports, Protocols, and Services Category Assurance List (CAL).
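The following shell functions, added here as an example and not part of the STIG, extract every PORT= value from a listener.ora or cman.ora and flag any port that is neither on the default list above nor passed in as a site-registered port. The function names and the sample listener.ora (a host named dbhost with one custom port) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: list the PORT= values in a
# listener.ora or cman.ora and flag ports that are neither Oracle defaults
# nor site-registered.  The sample listener.ora below is constructed.

# Default ports from the check: listener, Java listener, Names, Connection Manager.
DEFAULT_PORTS="1521 2483 2484 2481 2482 1575 1830"

# list_ports FILE
#   Prints every PORT value in FILE, one per line, in file order.  Matches
#   "(PORT = 1521)", "(PORT=1521)" and any letter case.
list_ports() {
    awk '{
        line = toupper($0)
        while (match(line, /PORT[ \t]*=[ \t]*[0-9]+/)) {
            tok = substr(line, RSTART, RLENGTH)
            sub(/^PORT[ \t]*=[ \t]*/, "", tok)
            print tok
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1"
}

# check_ports FILE [REGISTERED_PORT...]
#   Returns 0 when every port in FILE is a default port or one of the
#   registered ports given as extra arguments (e.g. from the PPS CAL);
#   otherwise prints a FINDING per unexpected port and returns 1.
check_ports() {
    cp_file=$1; shift
    cp_allowed=" $DEFAULT_PORTS $* "
    cp_rc=0
    for cp_port in $(list_ports "$cp_file" | sort -u); do
        case "$cp_allowed" in
            *" $cp_port "*) ;;
            *) echo "FINDING: $cp_file uses non-default, unregistered port $cp_port"; cp_rc=1 ;;
        esac
    done
    if [ "$cp_rc" -eq 0 ]; then
        echo "OK: all ports in $cp_file are default or registered"
    fi
    return $cp_rc
}

# Constructed sample listener.ora: two default ports and one custom port.
SAMPLE_LISTENER=$(mktemp)
trap 'rm -f "$SAMPLE_LISTENER"' EXIT
cat > "$SAMPLE_LISTENER" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost)(PORT = 2484))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 15210))
    )
  )
EOF

check_ports "$SAMPLE_LISTENER" || echo "(exit status $?)"
# Ports registered for the site in the PPS CAL are passed as extra arguments:
check_ports "$SAMPLE_LISTENER" 15210
```

Run it once per listener.ora found (one per TNS_ADMIN directory when several listeners run) and once more against cman.ora where Connection Manager is in use.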

Fix: F-26397r1_fix

Specify a default or registered port for TCP/IP protocols in the listener.ora and cman.ora files in the PORT= parameter of the address specification.

a
The DBMS requires a System Security Plan containing all required information.
Low - V-15150 - SV-24436r1_rule
RMF Control
Severity
Low
CCI
Version
DG0154-ORACLE10
Vuln IDs
  • V-15150
Rule IDs
  • SV-24436r1_rule
A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities.Information Assurance OfficerDCSD-1
Checks: C-29374r1_chk

Review the System Security Plan for the DBMS. Review coverage of the following in the System Security Plan:
- Technical, administrative and procedural IA program and policies that govern the DBMS
- Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS
- Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response)
If a System Security Plan does not exist or does not identify or reference all relevant security controls, this is a Finding.

Fix: F-26399r1_fix

Develop, document and implement a System Security Plan for the DBMS. Include IA documentation related to the DBMS in the System Security Plan for the system that the DBMS supports. Review section 3.4 - System Security Plan Overview in the ORACLE DATABASE SECURITY CHECKLIST for more information.

b
The DBMS should not share a host supporting an independent security service.
Medium - V-15179 - SV-24716r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0110-ORACLE10
Vuln IDs
  • V-15179
Rule IDs
  • SV-24716r1_rule
The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The associated risk of a DBMS installed on a system that provides security support is significantly higher than when installed on separate systems. In cases where the DBMS is dedicated to local support of a security support function (e.g. a directory service), separation may not be possible.Information Assurance OfficerDCSP-1
Checks: C-29350r1_chk

Review the services and processes active on the DBMS host system. If the host system is a Windows domain controller, this is a Finding. If the host system is supporting any other security or directory services that do not use the DBMS to store information, this is a Finding. NOTE: This does not include client security applications like firewall and antivirus software.

Fix: F-26375r1_fix

Either move the DBMS installation to a dedicated host system or move the directory or security services to another host system. A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

b
Access to DBMS software files and directories should not be granted to unauthorized users.
Medium - V-15608 - SV-24594r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0009-ORACLE10
Vuln IDs
  • V-15608
Rule IDs
  • SV-24594r1_rule
The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.System AdministratorDatabase AdministratorDCSL-1
Checks: C-1053r1_chk

For UNIX Systems: Log in using the Oracle software owner account and enter the command:

umask

If the value returned is 022 or more restrictive, this is not a Finding. If the value returned is less restrictive than 022, this is a Finding. "More restrictive" is judged per permission bit, not by comparing the numbers: the mask must remove at least group write and other write, so 027 and 077 pass, while 002 and 040 fail even though 040 is numerically larger than 022.

The first digit sets the mask for user/owner file permissions. The second digit sets the mask for group file permissions. The third digit sets the file permission mask for other users. The permissions each digit leaves available are:
0 = read/write/execute
1 = read/write
2 = read/execute
3 = read
4 = write/execute
5 = write
6 = execute
7 = no permissions

Setting the umask to 022 effectively sets files for user/owner to read/write, group to read and other to read. Directories are set for user/owner to read/write/execute, group to read/execute and other to read/execute.

For Windows Systems: Review the permissions that control access to the Oracle installation software directories (e.g. \Program Files\Oracle\). DBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts if access by them is required for some operational level of support such as backups, and the host system itself require access. Compare the access control employed with that documented in the System Security Plan. If access controls do not match the documented requirement, this is a Finding. If access controls appear excessive without justification, this is a Finding.

Fix: F-2635r1_fix

For UNIX Systems: Set the umask of the Oracle software owner account to 022.

Determine the shell being used for the Oracle software owner account:

env | grep -i shell

Startup files for each shell are as follows (located in the user's $HOME directory):
C-Shell (CSH) = .cshrc
Bourne Shell (SH) = .profile
Korn Shell (KSH) = .kshrc
TC Shell (TCSH) = .tcshrc
BASH Shell = .bash_profile or .bashrc

Edit the shell startup file for the account and add or modify the line:

umask 022

Log off and log in, then enter the umask command to confirm the setting.

NOTE: A umask is inherited by each process when it starts, so listener and database processes already running keep the old mask until they are restarted; to effect this change for all Oracle processes, a restart of the Oracle services or a reboot of the DBMS server may be required.

For Windows Systems: Restrict access to the DBMS software directories to the fewest accounts that clearly require access based on job function. Document authorized access control and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.
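The shell functions below are an added example, not part of the STIG, covering both the check and the fix above: umask_ok decides whether a umask value is "022 or more restrictive" with a bitwise test rather than a numeric comparison, and startup_umask/check_startup_file read the umask line a shell startup file sets. The function names and the sample .profile are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: decide whether a umask is "022 or
# more restrictive" and read the umask a shell startup file sets.  The
# comparison is bitwise, not numeric: 040 is larger than 022 but leaves
# group write open, so it must fail.

# umask_ok VALUE
#   VALUE is a umask as printed by `umask` (022, 0022, 027, 077 ...).
#   Returns 0 if every bit cleared by 022 is also cleared by VALUE,
#   1 if not, 2 if VALUE is not octal.
umask_ok() {
    case $1 in
        ""|*[!0-7]*) echo "not an octal umask: '$1'" >&2; return 2 ;;
    esac
    # A leading 0 makes $(( )) read the constant as octal; 022 is 18 decimal.
    [ $(( 0$1 & 022 )) -eq $(( 022 )) ]
}

# startup_umask FILE
#   Prints the value from the last effective "umask NNN" line in FILE, or
#   nothing when the file sets none (commented-out lines are ignored).
startup_umask() {
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 } END { print v }' "$1"
}

# check_startup_file FILE
#   Applies umask_ok to the umask FILE sets; returns 0 on pass, 1 on a
#   finding, 2 when FILE sets no umask (the login default then applies and
#   must be checked with the umask command itself).
check_startup_file() {
    csf_val=$(startup_umask "$1")
    if [ -z "$csf_val" ]; then
        echo "NOTE: $1 sets no umask; verify with umask as the Oracle owner"
        return 2
    fi
    if umask_ok "$csf_val"; then
        echo "OK: $1 sets umask $csf_val"
        return 0
    fi
    echo "FINDING: $1 sets umask $csf_val, less restrictive than 022"
    return 1
}

# Constructed sample .profile: a commented-out permissive line, then 027.
SAMPLE_PROFILE=$(mktemp)
trap 'rm -f "$SAMPLE_PROFILE"' EXIT
printf '# umask 000\nexport PATH\numask 027\n' > "$SAMPLE_PROFILE"

check_startup_file "$SAMPLE_PROFILE"
for m in 022 027 077 002 040; do
    if umask_ok "$m"; then echo "$m: compliant"; else echo "$m: FINDING"; fi
done
# On the host, as the Oracle software owner:  umask_ok "$(umask)" && echo compliant
```

The startup-file reader only sees what that file sets; the value that matters for files the DBMS creates is the mask in effect in the process that created them, which is why the check itself runs umask as the Oracle owner.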

b
DBMS should use NIST FIPS 140-2 validated cryptography.
Medium - V-15610 - SV-24611r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0025-ORACLE10
Vuln IDs
  • V-15610
Rule IDs
  • SV-24611r1_rule
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.Database AdministratorInformation Assurance OfficerDCNR-1
Checks: C-26267r1_chk

If cryptography being used by the DBMS is not NIST FIPS 140-2 validated, this is a Finding. Maintain a copy of the FIPS 140-2 Validation Certificate for the cryptographic modules in use as proof of validation. Detailed information on the NIST Cryptographic Module Validation Program (CMVP) is available at the following website: http://csrc.nist.gov/groups/STM/cmvp/index.html

Review the DBMS documentation to determine where cryptography may be used and/or configured. Review network communication encryption options, data object encryption (both tables and application code objects), and encryption key management.

For UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory -detail | grep "Oracle Advanced Security"

For Windows Systems:
%ORACLE_HOME%\OPatch\opatch lsinventory -detail | find "Oracle Advanced Security"

If DBMS data/network encryption is required and Oracle Advanced Security is not installed, this is a Finding.

View the SQLNET.ORA file. If SQLNET.SSLFIPS_140 = TRUE is not set, this is a Finding. If SSL_CIPHER_SUITES is not defined, this is a Finding. If any cipher suite in the SSL_CIPHER_SUITES value list is not included in the list below, or the suites are not listed in this order (strongest first), this is a Finding.

FIPS 140-2 validated cipher suites for the Oracle SSL libraries, in order from strongest to weakest:
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA

Note that the tail of this list is weak by current standards: RC4, MD5 and single DES are no longer considered strong, and the SSL_DH_anon_* suites perform no server authentication, so a client using them cannot detect an impostor listener. Configure the AES suites at the head of the list wherever the peers support them.

Detailed information on the FIPS 140-2 standard is available at the following website: http://csrc.nist.gov/groups/SMA/index.html
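As an added example that is not part of the STIG, the shell functions below read a sqlnet.ora and apply the three settings tests in this check: SQLNET.SSLFIPS_140 must be TRUE, SSL_CIPHER_SUITES must be defined, and every suite in it must come from the list above in strongest-to-weakest order. The function names and the two sample sqlnet.ora files (one compliant, one with an unset FIPS flag, an out-of-order suite and an export-grade suite) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: check a sqlnet.ora for the FIPS
# settings this check requires.  The sample sqlnet.ora files are constructed.

# The check's validated suites, strongest first; list position is the rank
# used to test ordering.
FIPS_SUITES="SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA \
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 \
SSL_RSA_WITH_DES_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA \
SSL_DH_anon_WITH_RC4_128_MD5 SSL_DH_anon_WITH_DES_CBC_SHA"

# sqlnet_param FILE NAME
#   Prints NAME's value with blanks and parentheses removed, so that
#   "SSL_CIPHER_SUITES = (A, B)" yields "A,B".  Comment lines are skipped.
sqlnet_param() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = toupper(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key == toupper(name)) {
                val = substr($0, index($0, "=") + 1)
                gsub(/[ \t()]/, "", val)
                print val
            }
        }' "$1"
}

# suite_rank SUITE
#   Prints the 1-based position of SUITE in FIPS_SUITES, or 0 if absent.
suite_rank() {
    sr_i=0
    for sr_s in $FIPS_SUITES; do
        sr_i=$((sr_i + 1))
        if [ "$sr_s" = "$1" ]; then echo "$sr_i"; return 0; fi
    done
    echo 0
}

# check_sqlnet_fips FILE
#   Returns 0 when SQLNET.SSLFIPS_140 is TRUE and SSL_CIPHER_SUITES holds
#   only validated suites in strongest-to-weakest order; otherwise prints a
#   FINDING per problem and returns 1.
check_sqlnet_fips() {
    csf_rc=0
    csf_fips=$(sqlnet_param "$1" SQLNET.SSLFIPS_140 | tr 'a-z' 'A-Z')
    if [ "$csf_fips" != "TRUE" ]; then
        echo "FINDING: SQLNET.SSLFIPS_140 is '${csf_fips:-unset}', expected TRUE"
        csf_rc=1
    fi
    csf_suites=$(sqlnet_param "$1" SSL_CIPHER_SUITES | tr ',' ' ')
    if [ -z "$csf_suites" ]; then
        echo "FINDING: SSL_CIPHER_SUITES is not defined"
        return 1
    fi
    csf_prev=0
    for csf_s in $csf_suites; do
        csf_r=$(suite_rank "$csf_s")
        if [ "$csf_r" -eq 0 ]; then
            echo "FINDING: $csf_s is not a FIPS 140-2 validated suite for the Oracle SSL libraries"
            csf_rc=1
        else
            if [ "$csf_r" -lt "$csf_prev" ]; then
                echo "FINDING: $csf_s is listed out of strongest-to-weakest order"
                csf_rc=1
            fi
            csf_prev=$csf_r
        fi
    done
    if [ "$csf_rc" -eq 0 ]; then
        echo "OK: $1 enables FIPS mode with validated suites in order"
    fi
    return $csf_rc
}

# Constructed samples: one compliant file, one with three problems.
GOOD_SQL=$(mktemp); BAD_SQL=$(mktemp)
trap 'rm -f "$GOOD_SQL" "$BAD_SQL"' EXIT
cat > "$GOOD_SQL" <<'EOF'
SQLNET.SSLFIPS_140 = TRUE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA)
EOF
cat > "$BAD_SQL" <<'EOF'
# FIPS flag missing; AES listed after 3DES; export-grade suite present
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5)
EOF

check_sqlnet_fips "$GOOD_SQL"
check_sqlnet_fips "$BAD_SQL" || echo "(exit status $?)"
# On the host:  check_sqlnet_fips "${TNS_ADMIN:-$ORACLE_HOME/network/admin}/sqlnet.ora"
```

Suite names are compared exactly as the check lists them (including the lower-case "anon"), so a file that spells a suite differently is reported as non-validated and should be inspected by hand.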

Fix: F-22673r1_fix

Obtain and utilize a native or third-party NIST FIPS 140-2 validated cryptography solution for the DBMS. Installation of the Oracle Advanced Security product (which may require additional Oracle licensing consideration) is required to use native Oracle encryption. Please see the Oracle Advanced Security Administrator's Guide for configuration and use of encryption in the database. The Oracle Advanced Security Administrator's Guide provides references to the encryption features provided by Oracle Advanced Security. Instructions for the configuration of FIPS 140-2 compliance for encryption of network communications are provided in a dedicated appendix of the Oracle Advanced Security Administrator's Guide. All cipher suites listed above include FIPS 140-2 validated algorithms available for data encryption. Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG. FIPS 140-2 non-compliance at the host/network level does not negate this requirement.

a
The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
Low - V-15611 - SV-24629r1_rule
RMF Control
Severity
Low
CCI
Version
DG0054-ORACLE10
Vuln IDs
  • V-15611
Rule IDs
  • SV-24629r1_rule
Regular and timely reviews of audit records increases the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of unauthorized application to access the DBMS may indicate an attempt to bypass security controls.Information Assurance OfficerECAT-1, ECAT-2
Checks: C-29156r1_chk

If application access audit data is not available due to the lack of a local listener process or alternate method of auditing database access, this check is Not a Finding (see check DG0052). Review the list of applications authorized to connect to the Oracle database as listed or noted in the System Security Plan. If no list exists, this is a Finding. Review evidence of audit log monitoring to detect use of unauthorized applications to access the database. If no evidence exists or is incomplete, this is a Finding.

Fix: F-26167r1_fix

Document applications authorized to access the DBMS in the System Security Plan. Develop, document and implement a process to review log and trace files or the results from any alternate methods used to support database access auditing to detect connections from unauthorized applications. Include in this process a method to generate and provide evidence of monitoring. This may include automated or manual processes acknowledged by the auditor or IAO.

b
Access to external DBMS executables should be disabled or restricted.
Medium - V-15618 - SV-24697r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0099-ORACLE10
Vuln IDs
  • V-15618
Rule IDs
  • SV-24697r1_rule
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process.Database AdministratorDCFA-1
Checks: C-26369r1_chk

Review the System Security Plan to determine if the use of the external procedure agent is authorized. Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows). If the external procedure agent is not authorized for use in the System Security Plan and the executable file exists and is not restricted, this is a Finding. If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications.

External jobs are run using the account nobody by default. Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=. If the user assigned to these parameters is not "nobody", this is a Finding.

Determine if the external procedure agent is in use:
- Review the listener.ora file.
- If any entries reference "extproc", then the agent is in use.
- If the external procedure agent is not authorized for use in the System Security Plan and references to "extproc" exist, this is a Finding.

Sample listener.ora entries with extproc included:

  LISTENER =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
    )
  EXTLSNR =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
    )
  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (GLOBAL_DBNAME = ORCL)
        (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)
        (SID_NAME = ORCL)
      )
    )
  SID_LIST_EXTLSNR =
    (SID_LIST =
      (SID_DESC =
        (PROGRAM = extproc)
        (SID_NAME = PLSExtProc)
        (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)
        (ENVS="EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so, LD_LIBRARY_PATH=/private/app2/lib:/private/app1, MYPATH=/usr/fso:/usr/local/packages")
      )
    )

Sample tnsnames.ora entries with extproc included:

  ORCL =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
      )
      (CONNECT_DATA =
        (SERVICE_NAME = ORCL)
      )
    )
  EXTPROC_CONNECTION_DATA =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = extproc))
      )
      (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = PLSExtProc)
      )
    )

If EXTPROC is in use, confirm that a listener is dedicated to serving the external procedure agent (as shown above). View the protocols configured for the listener. For the listener to be dedicated, the only entries will be those that specify extproc. If there is not a dedicated listener in use for the external procedure agent, this is a Finding. If the PROTOCOL= specified is other than IPC, this is a Finding.

Verify that extproc is restricted to executing authorized external applications only. Review the listener.ora file. If the following entry does not exist, this is a Finding:
  EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...
NOTE: [dll full file name] represents a full path and file name. This list of file names is separated by ":".

NOTE: If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and this is not a Finding. If "ANY" is specified, then there are no restrictions on execution except what is controlled by operating system permissions and this is a Finding. If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or the $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and this is a Finding.

View the listener.ora file (usually in ORACLE_HOME/network/admin or the directory specified by the TNS_ADMIN environment variable). If multiple listener processes are running, then the listener.ora file for each must be viewed. For each process, determine the directory specified in the ORACLE_HOME or TNS_ADMIN environment variable defined for the process account to locate the listener.ora file.

Fix: F-22703r1_fix

If the use of the external procedure agent is required, then authorize and document the requirement in the System Security Plan.

If use of the Oracle External Procedure agent is not required:
- Stop the Oracle Listener process
- Remove all references to extproc in the listener.ora and tnsnames.ora files
- Alter the permissions on the executable files:
  UNIX – Remove read/write/execute permissions from owner, group and world
  Windows – Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for the SYSTEM and ADMINISTRATORS groups

If required:
- Restrict extproc execution to only authorized applications.
- Specify EXTPROC_DLLS=ONLY:[list of authorized DLLS] in the listener.ora file
- Create a separate, dedicated listener and process account for use by the external procedure agent

Please see the Oracle Net Services Administrator's Guide, External Procedures section, for detailed configuration information.

b
OS accounts used to execute external procedures should be assigned minimum privileges.
Medium - V-15620 - SV-25052r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0101-ORACLE10
Vuln IDs
  • V-15620
Rule IDs
  • SV-25052r1_rule
External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform.
Responsibility
Database Administrator
IA Controls
DCFA-1
Checks: C-1741r1_chk

Determine the OS accounts under which external DBMS executables are run. Review the privileges assigned to these accounts and compare them to the System Security Plan and the function of the applications. If assigned privileges exceed those necessary to operate as designed, or the privileges do not match the list of required privileges for the application in the System Security Plan, this is a Finding.

Fix: F-3778r1_fix

Configure OS accounts used by DBMS external procedures to have the minimum privileges necessary for operation. Document DBMS external procedures and the OS privileges needed to execute the procedures in the System Security Plan.

b
Network access to the DBMS must be restricted to authorized personnel.
Medium - V-15621 - SV-24409r2_rule
RMF Control
Severity
Medium
CCI
Version
DG0103-ORACLE10
Vuln IDs
  • V-15621
Rule IDs
  • SV-24409r2_rule
Network listeners provide the means to connect to the DBMS from remote systems. Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.
Responsibility
Database Administrator
IA Controls
DCFA-1
Checks: C-25962r2_chk

IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager, or by an external network device. Identify the method used to enforce address restriction (interview or System Security Plan review).

If enforced by the database listener, then review the SQLNET.ORA file located in the ORACLE_HOME/network/admin directory or the directory indicated by the TNS_ADMIN environment variable or registry setting. If the following entries do not exist, then restriction by IP address is not configured and this is a Finding:
  tcp.validnode_checking=YES
  tcp.invited_nodes=(IP1, IP2, IP3)

If enforced by an Oracle Connection Manager, then review the CMAN.ORA file for the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin directory for the connection manager). If a RULE entry allows all addresses ("/32") or does not match the address range specified in the System Security Plan, this is a Finding.
  (rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept))
NOTE: an IP address with a "/" indicates acceptance by subnet mask, where the number after the "/" is the number of leftmost bits in the address that must match for the rule to apply. If this rule is database-specific, then determine if the SERVICE_NAME parameter is set. From SQL*Plus:
  select value from v$parameter where name = 'service_names';
If SERVICE_NAME is set in the initialization file for the database instance, use (srv=[service name]); otherwise use (srv=*), which applies when it is not set or the rule applies to all databases on the DBMS server.

If network access restriction is performed by an external device, validate that ACLs are in place to prohibit unauthorized access to the DBMS. To do this, find the IP address of the database server (destination address) and the source addresses (authorized IPs) in the System Security Plan. Confirm only authorized IPs from the System Security Plan are allowed access to the DBMS.

Fix: F-20462r1_fix

Configure the database listener to restrict access by IP address. Where the number of addresses to allow makes defining them for the listener infeasible, use the Oracle Connection Manager or an external device. See the Oracle Net Reference and Oracle Net Services Administrator's Guide (release-specific) for information on configuring the listener or Connection Manager.

a
DBMS service identification should be unique and clearly identify the service.
Low - V-15622 - SV-24413r1_rule
RMF Control
Severity
Low
CCI
Version
DG0104-ORACLE10
Vuln IDs
  • V-15622
Rule IDs
  • SV-24413r1_rule
Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections.
Responsibility
Database Administrator
IA Controls
DCFA-1
Checks: C-29308r1_chk

Review the Oracle instance names on the DBMS host.

On UNIX platforms:
  Solaris: cat /var/opt/oracle/oratab
  Other UNIX: cat /etc/oratab
The format of lines in the oratab file is:
  sid:oracle_home_directory:Y or N
The instance name is the sid.

On Windows platforms: Go to Start / Administrative Tools / Services and view service names that begin with "OracleService". The remainder of the service name is the instance name. Example: OracleServicesalesDB, where salesDB is the instance name.

If instance names are listed and do not clearly identify the use of the instance or clearly differentiate individual instances, this is a Finding. Examples of instance naming that meet the requirement: prdinv01 (Production Inventory Database #1), dvsales02 (Development Sales Database #2), orfindb1 (Oracle Financials Database #1). Examples of instance naming that do not meet the requirement: Instance1, MyInstance, orcl, 10gdb1. Interview the DBA to get an understanding of the naming scheme used to determine if the names are clear differentiations.

Fix: F-26340r1_fix

Follow the instructions in Oracle Doc ID: 15390.1 to change the SID without re-creating the database. Set the value so that it does not identify the Oracle version and clearly identifies its purpose.

b
Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
Medium - V-15625 - SV-28966r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0115-ORACLE10
Vuln IDs
  • V-15625
Rule IDs
  • SV-28966r1_rule
A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings or loss of data integrity. Where available, DBMS mechanisms to ensure use of only trusted files can help protect the database from this type of compromise during DBMS recovery.
Responsibility
Database Administrator
IA Controls
COTR-1
Checks: C-29545r1_chk

Review DBMS recovery procedures or technical system features to determine if mechanisms exist and are in place to specify use of trusted files during DBMS recovery. If recovery procedures do not exist or are not sufficient to ensure recovery is done in a secure and verifiable manner, this is a Finding. If system features exist and are not employed or not employed sufficiently, this is a Finding. If circumstances that can inhibit a trusted recovery are not documented and appropriate mitigating procedures have not been put in place, this is a Finding.

Fix: F-26647r1_fix

Develop, document and implement DBMS recovery procedures and employ technical system features where supported by the DBMS to specify trusted files during DBMS recovery. Ensure circumstances that can inhibit a trusted recovery are documented and appropriate mitigating procedures have been put in place.

c
Passwords should be encrypted when transmitted across the network.
High - V-15636 - SV-24966r1_rule
RMF Control
Severity
High
CCI
Version
DG0129-ORACLE10
Vuln IDs
  • V-15636
Rule IDs
  • SV-24966r1_rule
DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.
Responsibility
Database Administrator
IA Controls
  • IAIA-1
  • IAIA-2
Checks: C-20437r1_chk

Oracle natively encrypts passwords in transit when using Oracle connection protocols and products (i.e. Oracle Client). Where other connection products and protocols are used, review configuration options for encrypting passwords during login events across the network. If passwords are not encrypted, this is a Finding. Where only Oracle connection protocols and products are used and password encryption is not purposely disabled and enabled where applicable, this is Not a Finding. If determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a Finding.

Fix: F-24533r1_fix

Utilize Oracle connection protocols and products (i.e. Oracle Client) where possible. Where other connection products and protocols are used, ensure configuration options for encrypting passwords during login events across the network are used. If the database does not provide encryption for login events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.

b
Access to DBMS security data should be audited.
Medium - V-15643 - SV-24431r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0140-ORACLE10
Vuln IDs
  • V-15643
Rule IDs
  • SV-24431r1_rule
DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations.
Responsibility
Database Administrator
IA Controls
  • ECAR-1
  • ECAR-2
  • ECAR-3
Checks: C-17015r1_chk

Determine the locations of DBMS audit, configuration, credential and other security data. Review audit settings for these files or data objects. If access to the security data is not audited, this is a Finding. If no access is audited, consider the operational impact and appropriateness for access that is not audited. If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, then do not include this as a Finding.

Fix: F-23925r1_fix

Determine all locations for storage of DBMS security and configuration data. Enable auditing for access to any security data. If auditing results in an unacceptable adverse impact on application operation, reduce the amount of auditing to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan.

b
The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.
Medium - V-15649 - SV-25384r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0155-ORACLE10
Vuln IDs
  • V-15649
Rule IDs
  • SV-25384r1_rule
The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data.
Responsibility
  • Database Administrator
  • Information Assurance Officer
IA Controls
  • DCSS-1
  • DCSS-2
Checks: C-28660r1_chk

Ask the DBA and/or IAO to demonstrate that the DBMS system initialization, shutdown, and aborts are configured to ensure that the DBMS system remains in a secure state. If the DBA and/or IAO has documented proof from the DBMS vendor demonstrating that the DBMS does not support this either natively or programmatically, this check is a Finding, but can be downgraded to a CAT 3 severity. If the DBMS does support this either natively or programmatically and the configuration does not meet the requirements listed above, this is a Finding. For all MAC 1, all MAC 2 and Classified MAC 3 systems where the DBMS supports the requirements, review documented procedures and evidence of periodic testing to ensure DBMS system state integrity. If documented procedures do not exist or no evidence of implementation is provided, this is a Finding.

Fix: F-19556r1_fix

Configure DBMS system initialization, shutdown and aborts to ensure DBMS system remains in a secure state. For applicable DBMS systems as listed in the check, periodically test configuration to ensure DBMS system state integrity. Where DBMS system state integrity is not supported by the DBMS vendor, obtain and apply mitigation strategies to bring risk to a DAA-acceptable level.

b
Remote DBMS administration should be documented and authorized or disabled.
Medium - V-15651 - SV-24981r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0157-ORACLE10
Vuln IDs
  • V-15651
Rule IDs
  • SV-24981r1_rule
Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.
Responsibility
Database Administrator
IA Controls
EBRP-1
Checks: C-26136r1_chk

Review the System Security Plan for authorization, assignments and usage procedures for remote DBMS administration. If remote administration of the DBMS is not documented or poorly documented, this is a Finding. If remote administration of the DBMS is not authorized and not disabled, this is a Finding.

Fix: F-25691r1_fix

Disable remote administration of the DBMS where not required. Where remote administration of the DBMS is required, develop, document and implement policy and procedures on its use. Assign remote administration privileges to IAO-authorized personnel only. Document assignments in the System Security Plan.

b
DBMS remote administration should be audited.
Medium - V-15652 - SV-24983r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0158-ORACLE10
Vuln IDs
  • V-15652
Rule IDs
  • SV-24983r1_rule
When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover suspicious activity and to provide accountability for administrative actions completed by remote users.
Responsibility
Database Administrator
IA Controls
EBRP-1
Checks: C-23852r1_chk

If the DBMS does not provide auditing of remote administrative actions, this check is Not a Finding. Review settings for actions taken during remote administration sessions. If auditing of remote administration sessions and actions is not enabled, this is a Finding. If audit logs do not include all actions taken by database administrators during remote sessions, this is a Finding. Actions should be tied to a specific user.

Fix: F-19768r1_fix

Develop, document and implement policy and procedures for remote administration auditing. Configure the DBMS to provide an audit trail for remote administrative sessions. Include all actions taken by database administrators during remote sessions. Actions should be tied to a specific user.

b
The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.
Medium - V-15656 - SV-25074r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0171-ORACLE10
Vuln IDs
  • V-15656
Rule IDs
  • SV-25074r1_rule
Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases or applications and databases differing in classification levels are required to comply with interface control rules.
Responsibility
Database Administrator
IA Controls
ECIC-1
Checks: C-17025r1_chk

Review database links or other connections defined for the database to access or be accessed by remote databases or other applications as defined in the AIS Functional Architecture documentation or the System Security Plan. If any interconnections show differences in the DBMS and remote system classification levels, this is a Finding.

Fix: F-20465r1_fix

Disassociate or remove connection definitions to remote systems of differing classification levels.

b
The DBMS warning banner should meet DoD policy requirements.
Medium - V-15658 - SV-24826r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0179-ORACLE10
Vuln IDs
  • V-15658
Rule IDs
  • SV-24826r1_rule
Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.
Responsibility
Database Administrator
IA Controls
ECWM-1
Checks: C-26464r1_chk

A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check Not a Finding for all supported versions of Oracle. For supported versions of Oracle, this requirement can be fulfilled programmatically and is not covered in this check; however, if required and not performed, this is a Finding.

View the DBMS for the specified banner text. If it does not contain the following text as written below, this is a Finding:

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OK

[B. For Blackberries and other PDAs/PEDs with severe character limitations:]
I've read & consent to terms in IS user agreem't.

This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008 unless superseded.

Fix: F-22800r1_fix

Replace the DBMS banner text with the banner text as shown in this check. For all versions of Oracle, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the Oracle DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section supersedes that referenced in the Database STIG requirement.

b
Credentials used to access remote databases should be protected by encryption and restricted to authorized users.
Medium - V-15659 - SV-24834r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0191-ORACLE10
Vuln IDs
  • V-15659
Rule IDs
  • SV-24834r1_rule
Access to database connection credential stores provides easy access to the database. Unauthorized access to the database can result without controls in place to prevent unauthorized access to the credentials.
Responsibility
Database Administrator
IA Controls
DCFA-1
Checks: C-29396r1_chk

Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database. If no database passwords or credentials are stored outside of the database, including use of Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is Not a Finding.

View the sqlnet.ora file to determine if Oracle Wallets are used for authentication. If the "WALLET_LOCATION" entry exists in the file, then view permissions on the directory and contents. If access to this directory and these files is not restricted to the Oracle database and listener services, DBAs, and other authorized system and administrative accounts, this is a Finding.

From SQL*Plus:
  select value from v$parameter where name = 'remote_login_passwordfile';
If the command returns the value NONE, this is not a Finding. If it returns the value SHARED, this is a Finding. If it returns the value EXCLUSIVE, view access permissions to the Oracle password file. The default name for Windows is pwd[SID].ora and it is located in the ORACLE_HOME\database directory. On UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory. If access to this file is not restricted to the Oracle database, DBAs, and other authorized system and administrative accounts, this is a Finding.

For other password or credential stores, interview the DBA to ask what restrictions on the storage location of passwords have been assigned. If accounts other than those that require access to the storage location have been granted permissions, this is a Finding.

Fix: F-26421r1_fix

Consider alternate methods for database connections to avoid custom storage of local connection credentials. Develop and document use of locally stored credentials and their authorized use and access in the System Security Plan. Restrict access and use of the credentials to authorized users using host file permissions and any other available method to restrict access.

b
Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.
Medium - V-15662 - SV-24843r1_rule
RMF Control
Severity
Medium
CCI
Version
DG0198-ORACLE10
Vuln IDs
  • V-15662
Rule IDs
  • SV-24843r1_rule
Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it.
Responsibility
Database Administrator
IA Controls
EBRP-1
Checks: C-29404r1_chk

Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is Not a Finding. Check DG0093 specifies remote administration encryption for confidentiality. This check should confirm the use of dedicated and encrypted network addresses and ports. Review configured network access interfaces for remote DBMS administration. These may use host-based encryption such as IPSec, or may be configured for the DBMS as part of the network communications and/or in the DBMS listening process. For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS. View the System Security Plan to review the authorized procedures and access for remote administration. If the configuration does not match the specifications in the System Security Plan, this is a Finding. Note: Out-Of-Band (OOB) is allowed for remote administration; however, OOB alone does not maintain encryption of network traffic from source to destination and is a Finding for this check.

Fix: F-26429r1_fix

Disable remote administration where it is not required. Consider restricting administrative access to local connections only. Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access. Develop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration. Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.

a
The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.
Low - V-16031 - SV-24951r1_rule
RMF Control
Severity
Low
CCI
Version
DO6746-ORACLE10
Vuln IDs
  • V-16031
Rule IDs
  • SV-24951r1_rule
The use of IP addresses in place of host names helps to protect against malicious corruption or spoofing of host names. Use of static IP addresses is considered more stable and reliable than use of hostnames or Fully Qualified Domain Names (FQDN).
Responsibility
Database Administrator
IA Controls
DCFA-1
Checks: C-29490r1_chk

If a listener is not running on the local database host server, this check is Not a Finding. Review all listener.ora files for HOST = entries. Verify that the HOST = value specifies an IP address for all occurrences of the HOST = setting. Sample:
  (ADDRESS= (PROTOCOL=TCP) (HOST= [host IP address]) (PORT=1521))
If any addresses specify a host name in place of an IP or other network address, this is a Finding.
NOTE: If a host name is used, ensure it can be locally resolved to an IP address on the DBMS system using a host table; however, a host name is still a Finding.
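As an added example (not part of the STIG and not Oracle's code), a Python audit script that parses a listener.ora and applies this check's HOST= condition (DO6746) together with the DG0099 conditions for extproc (dedicated listener, PROTOCOL=IPC only, EXTPROC_DLLS=ONLY). The sample listener.ora is constructed after the DG0099 sample above, and the class and function names (NetParser, find_all, audit_listener_ora) are the example's own.

```python
import ipaddress
import re

# Constructed sample listener.ora, modelled on the extproc-dedicated listener in the DG0099 check.
SAMPLE_LISTENER_ORA = """
LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521)))
EXTLSNR = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = ORCL)(SID_NAME = ORCL)
    (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)))
SID_LIST_EXTLSNR = (SID_LIST = (SID_DESC = (PROGRAM = extproc)(SID_NAME = PLSExtProc)
    (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)
    (ENVS = "EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,
             LD_LIBRARY_PATH=/private/app2/lib:/private/app1")))
"""

class NetParser:
    """Recursive-descent parser for the Oracle Net '(KEY = value)' syntax of listener.ora."""
    NAME, SCALAR = re.compile(r"[A-Za-z0-9_.$-]+"), re.compile(r"[^\s()]+")
    EQ, CLOSE = re.compile(r"="), re.compile(r"\)")

    def __init__(self, text):
        self.s = re.sub(r"#[^\n]*", "", text)  # comments run to end of line
        self.i = 0

    def parse(self):  # -> {PARAM: [value, ...]}; nested groups become dicts of lists
        params = {}
        while self._skip():
            key = self._match(self.NAME).upper()
            self._match(self.EQ)
            params.setdefault(key, []).append(self._value())
        return params

    def _skip(self):  # advance past whitespace; False once the input is exhausted
        self.i = re.compile(r"\s*").match(self.s, self.i).end()
        return self.i < len(self.s)

    def _match(self, rx):
        self._skip()
        m = rx.match(self.s, self.i)
        if not m:
            raise ValueError(f"syntax error at offset {self.i}")
        self.i = m.end()
        return m.group(0)

    def _value(self):
        self._skip()
        ch = self.s[self.i:self.i + 1]
        if ch == "(":  # one or more '(KEY = value)' groups; repeated keys collect into a list
            group = {}
            while self._skip() and self.s[self.i] == "(":
                self.i += 1
                key = self._match(self.NAME).upper()
                self._match(self.EQ)
                group.setdefault(key, []).append(self._value())
                self._match(self.CLOSE)
            return group
        if ch in ('"', "'"):  # quoted string, as in ENVS="..."
            end = self.s.index(ch, self.i + 1)
            val, self.i = self.s[self.i + 1:end], end + 1
            return val
        return self._match(self.SCALAR)

def find_all(node, key):  # yield every value stored under `key` anywhere in a parsed tree
    if isinstance(node, dict):
        for k, vals in node.items():
            for v in vals:
                yield from ([v] if k == key else find_all(v, key))

def audit_listener_ora(text, extproc_authorized):
    """Return the Findings for one listener.ora; an empty list means Not a Finding."""
    params, findings = NetParser(text).parse(), []
    for name, vals in params.items():
        for host in find_all({name: vals}, "HOST"):
            try:
                ipaddress.ip_address(host)
            except ValueError:  # DO6746: HOST= must be an IP address, not a host name
                findings.append(f"DO6746: {name}: HOST={host} is not an IP address")
        if not name.startswith("SID_LIST_"):
            continue
        descs = list(find_all({name: vals}, "SID_DESC"))
        ext = [d for d in descs if str(d.get("PROGRAM", [""])[0]).lower() == "extproc"]
        if not ext:
            continue
        lname = name[len("SID_LIST_"):]
        if not extproc_authorized:
            findings.append(f"DG0099: {name} references extproc but the SSP does not authorize it")
        if len(ext) != len(descs):  # the listener also serves databases, so it is not dedicated
            findings.append(f"DG0099: listener {lname} is not dedicated to extproc")
        protos = {p.upper() for p in find_all({lname: params.get(lname, [])}, "PROTOCOL")}
        if protos != {"IPC"}:
            findings.append(f"DG0099: listener {lname} must use PROTOCOL=IPC only, has {sorted(protos)}")
        for d in ext:
            m = re.search(r"EXTPROC_DLLS=([^,\s]*)", str(d.get("ENVS", [""])[0]))
            if not m:  # default: any library in ORACLE_HOME/lib (UNIX) or \bin (Windows) is loadable
                findings.append(f"DG0099: {name}: no EXTPROC_DLLS restriction in ENVS")
            elif not m.group(1).upper().startswith("ONLY:"):
                findings.append(f"DG0099: {name}: EXTPROC_DLLS={m.group(1)} must be ONLY:<dll list>")
    return findings
```

Run audit_listener_ora on each listener.ora found under TNS_ADMIN or ORACLE_HOME/network/admin, passing whether the System Security Plan authorizes extproc; each returned line is one Finding to record.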

Fix: F-26558r1_fix

Edit the listener.ora file and replace any HOST= [hostname or domain name] entry with the static IP address of the host. The listener.ora file is by default located in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable for the listener service or process owner account.

b
Remote administration should be disabled for the Oracle connection manager.
Medium - V-16032 - SV-24954r1_rule
RMF Control
Severity
Medium
CCI
Version
DO6747-ORACLE10
Vuln IDs
  • V-16032
Rule IDs
  • SV-24954r1_rule
Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.
Responsibility
Database Administrator
IA Controls
EBRP-1
Checks: C-29492r1_chk

View the cman.ora file in the ORACLE_HOME/network/admin directory. If the file does not exist, the database is not accessed via Oracle Connection Manager and this check is Not a Finding. If the entry and value for REMOTE_ADMIN is not listed or is not set to a value of NO (REMOTE_ADMIN = NO), this is a Finding.

Fix: F-26560r1_fix

View the cman.ora file in the ORACLE_HOME/network/admin directory of the Connection Manager. Include the following line in the file:
  REMOTE_ADMIN = NO

b
Oracle Application Express or Oracle HTML DB should not be installed on a production database.
Medium - V-16055 - SV-24960r1_rule
RMF Control
Severity
Medium
CCI
Version
DO6753-ORACLE10
Vuln IDs
  • V-16055
Rule IDs
  • SV-24960r1_rule
The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle. Unauthorized application development can introduce a variety of vulnerabilities to the database.
Responsibility
Database Administrator
IA Controls
  • ECSD-1
  • ECSD-2
Checks: C-28653r1_chk

From SQL*Plus:
  select count(*) from dba_users where username like 'FLOWS_%';
If the value returned is not 0 and the database is a production system, this is a Finding.

Fix: F-25680r1_fix

Remove Application Express using the instruction found in Oracle MetaLink Note 558340.1 from production DBMS systems. For new installations, select custom installation and de-select Application Express from the selectable options if available.

b
Oracle Configuration Manager should not remain installed on a production system.
Medium - V-16056 - SV-24962r1_rule
RMF Control
Severity
Medium
CCI
Version
DO6754-ORACLE10
Vuln IDs
  • V-16056
Rule IDs
  • SV-24962r1_rule
Oracle Configuration Manager (OCM) is a function of the Oracle Software Configuration Manager (SCM). OCM collects system configuration data used for automated upload to systems owned and managed by Oracle to assist in providing customer support. The configuration information about the server that the OCM collects includes IP addresses, hostname, database username, location of datafiles, etc.
Responsibility
Database Administrator
IA Controls
ECAN-1
Checks: C-29495r1_chk

NOTE: The collection does not include application or custom data within the database. If released to unauthorized persons, system configuration data may be used by malicious persons to gain additional unauthorized access to the database or other systems.

On UNIX systems:
  ls $ORACLE_HOME/ccr
On Windows systems (from Windows Explorer): browse to the %ORACLE_HOME% directory.
If the directory ORACLE_HOME\ccr does not exist, this is not a Finding. If the ccr directory exists, confirm whether any of the Oracle databases have been configured for OCM. From SQL*Plus:
  select username from dba_users where username = 'ORACLE_OCM';
If the account exists, OCM has been installed (on this database) and this is a Finding.

Fix: F-26563r1_fix

Remove Oracle Configuration Manager. Details for removal are provided in Oracle MetaLink Note 369111.1 or in MetaLink Note 728989.1 for a link to the OCM Installation and Administration Guide.

b
The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.
Medium - V-16057 - SV-24957r1_rule
RMF Control
Severity
Medium
CCI
Version
DO6751-ORACLE10
Vuln IDs
  • V-16057
Rule IDs
  • SV-24957r1_rule
Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls.
Responsibility
Database Administrator
IA Controls
VIVM-1
Checks: C-17074r1_chk

View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable. Locate the following entry:
  SQLNET.ALLOWED_LOGON_VERSION = 10
If the parameter does not exist, this is a Finding. If the parameter is not set to a value of 10 or higher, this is a Finding.
NOTE: It has been reported that there is an Oracle bug (6051243) that prevents connections to the DBMS using JDBC THIN drivers when this parameter is set. The fix is available as patch 6779501.

Fix: F-16160r1_fix

Edit the SQLNET.ORA file to add or edit the entry:
  SQLNET.ALLOWED_LOGON_VERSION = 10
Set the value to 10 or higher (10 and 11 are currently valid values).
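As an added example (not part of the STIG and not Oracle's code), a Python script that parses flat "KEY = value" parameter files and applies this check (DO6751, SQLNET.ALLOWED_LOGON_VERSION at 10 or higher), the listener-enforced IP restriction of DG0103 (tcp.validnode_checking and tcp.invited_nodes compared against the System Security Plan), and the REMOTE_ADMIN = NO line of DO6747 in the form its Fix gives. The sample sqlnet.ora and cman.ora contents, the authorized node list and the function names are constructed for the example.

```python
import re

# Constructed sample sqlnet.ora carrying the entries the DG0103 and DO6751 checks look for.
SAMPLE_SQLNET_ORA = """
# sqlnet.ora for the prdinv01 host (constructed example)
SQLNET.AUTHENTICATION_SERVICES = (NTS)
tcp.validnode_checking = YES
tcp.invited_nodes = (10.1.2.15, 10.1.2.16,
                     10.1.3.40)
SQLNET.ALLOWED_LOGON_VERSION = 10
"""

# Constructed sample cman.ora with the DO6747 entry in the form the Fix text gives.
SAMPLE_CMAN_ORA = "REMOTE_ADMIN = NO\n"

def parse_param_file(text):
    """Parse flat 'KEY = value' files such as sqlnet.ora; '(a, b)' values become lists."""
    text = re.sub(r"#[^\n]*", "", text)  # comments run to end of line
    params = {}
    for m in re.finditer(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\([^)]*\)|\S+)", text, re.MULTILINE):
        key, raw = m.group(1).upper(), m.group(2)
        if raw.startswith("("):  # list value, possibly wrapped over several lines
            params[key] = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            params[key] = raw
    return params

def audit_sqlnet_ora(text, authorized_nodes):
    """DG0103 (listener-enforced IP restriction) and DO6751 (ALLOWED_LOGON_VERSION) checks."""
    p, findings = parse_param_file(text), []
    if str(p.get("TCP.VALIDNODE_CHECKING", "")).upper() != "YES":
        findings.append("DG0103: tcp.validnode_checking=YES is missing; IP restriction is not configured")
    invited = p.get("TCP.INVITED_NODES", [])
    invited = [invited] if isinstance(invited, str) else invited
    if not invited:
        findings.append("DG0103: tcp.invited_nodes is missing or empty")
    for node in invited:
        if node not in authorized_nodes:  # the invited list must match the System Security Plan
            findings.append(f"DG0103: invited node {node} is not authorized in the System Security Plan")
    ver = p.get("SQLNET.ALLOWED_LOGON_VERSION")
    if ver is None:
        findings.append("DO6751: SQLNET.ALLOWED_LOGON_VERSION is not set")
    elif not str(ver).isdigit() or int(ver) < 10:
        findings.append(f"DO6751: SQLNET.ALLOWED_LOGON_VERSION={ver} is below 10")
    return findings

def audit_cman_ora(text):
    """DO6747: cman.ora must carry REMOTE_ADMIN = NO; a missing entry is also a Finding."""
    value = parse_param_file(text).get("REMOTE_ADMIN")
    if str(value).upper() != "NO":
        return [f"DO6747: REMOTE_ADMIN is {value!r}, must be NO"]
    return []
```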