Oracle Database 11g Instance STIG
Digest of Updates: 1 rule removed, 93 rules with content changes
Comparison against the immediately-prior release (V8R16). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Removed rules 1
- V-15624 Medium DBMS data files should be dedicated to support individual applications.
Content changes 93
- V-15114 Low description Developers should not be assigned excessive privileges on production databases.
- V-15128 Medium description DBMS application user roles should not be assigned unauthorized privileges.
- V-15130 Medium description Unapproved inactive or expired database accounts should not be found on the database.
- V-15133 Medium description Transaction logs should be periodically reviewed for unauthorized modification of data.
- V-15141 Medium description DBMS processes or services should run under custom, dedicated OS accounts.
- V-15142 Medium description Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
- V-15149 Low description DBA roles assignments should be assigned and authorized by the IAO.
- V-15152 Medium description DBMS login accounts require passwords to meet complexity requirements.
- V-15153 Medium description DBMS account passwords should be set to expire every 60 days or more frequently.
- V-15154 Medium description Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
- V-15607 Medium description Application objects should be owned by accounts authorized for ownership.
- V-15609 Medium description Default demonstration and sample database objects and applications should be removed.
- V-15613 Medium description Each database user, application or process should have an individually assigned account.
- V-15615 Medium description The DBA role should not be assigned excessive or unauthorized privileges.
- V-15616 Low description Sensitive data should be labeled.
- V-15617 Medium description Access to external objects should be disabled if not required and authorized.
- V-15619 Medium description Replication accounts should not be granted DBA privileges.
- V-15623 Medium description DBMS system data files should be stored in dedicated disk directories.
- V-15626 Medium description Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
- V-15627 Medium description Administrative privileges should be assigned to database accounts via database roles.
- V-15628 Medium description DBMS application users should not be granted administrative privileges to the DBMS.
- V-15629 Medium description Application users privileges should be restricted to assignment using application user roles.
- V-15630 Medium description Access to sensitive data should be restricted to authorized users identified by the Information Owner.
- V-15631 Medium description Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
- V-15632 Medium description Use of DBA accounts should be restricted to administrative activities.
- V-15633 Medium description Password reuse should be prevented where supported by the DBMS.
- V-15634 Medium description DBMS account passwords should not be set to easily guessed words or values.
- V-15635 High description DBMS default accounts should be assigned custom passwords.
- V-15637 Medium description DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
- V-15639 Medium description Unlimited account lock times should be specified for locked accounts.
- V-15641 Medium description Users should be alerted upon login of previous successful connections or unsuccessful attempts to access their account.
- V-15642 Medium description Access grants to sensitive data should be restricted to authorized user roles.
- V-15644 Medium description Attempts to bypass access controls should be audited.
- V-15645 Medium description Changes to configuration options must be audited.
- V-15646 Medium description Audit records should contain required information.
- V-15647 Medium description Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
- V-15654 Medium description DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
- V-15657 Medium description, check Changes to DBMS security labels should be audited.
- V-15660 Medium description Remote database or other external access should use fully-qualified names.
- V-15747 Medium description The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
- V-16033 Medium description Case sensitivity for passwords should be enabled.
- V-16035 Medium description The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3.
- V-16053 Medium description The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.
- V-2424 Medium description All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
- V-2507 Medium description Audit trail data should be retained for one year.
- V-2508 Medium description Unauthorized user accounts should not exist.
- V-2511 Medium description Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
- V-2515 Medium description The audit table should be owned by SYS or SYSTEM.
- V-2516 Medium description Access to default accounts used to support replication should be restricted to authorized DBAs.
- V-2517 Medium description Oracle instance names should not contain Oracle version numbers.
- V-2519 Low description The Oracle OS_ROLES parameter should be set to FALSE.
- V-2520 Medium description Fixed user and public database links should be authorized for use.
- V-2521 Medium description A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
- V-2522 Medium description A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
- V-2527 Medium description The DBA role should not be granted to unauthorized user accounts.
- V-2531 Low description The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.
- V-2533 Medium description, check The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
- V-2539 Medium description Execute permission should be revoked from PUBLIC for restricted Oracle packages.
- V-2552 Medium description The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
- V-2554 High description The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
- V-2555 High description The Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
- V-2556 Medium description The Oracle SQL92_SECURITY parameter should be set to TRUE.
- V-2558 Medium description The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
- V-2561 Medium description System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
- V-2562 Medium description Required object auditing should be configured.
- V-2564 Medium description System Privileges should not be granted to PUBLIC.
- V-2574 Medium description Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
- V-2586 Low description The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
- V-2589 Medium description Object permissions granted to PUBLIC should be restricted.
- V-2593 Medium description The Oracle RESOURCE_LIMIT parameter should be set to TRUE.
- V-3437 Medium description Application role permissions should not be assigned to the Oracle PUBLIC role.
- V-3438 Medium description Oracle application administration roles should be disabled if not required and authorized.
- V-3439 Medium description Oracle system privileges should not be directly assigned to unauthorized accounts.
- V-3808 Medium description Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
- V-3810 Medium description DBMS authentication should require use of a DoD PKI certificate.
- V-3815 Medium description New passwords must be required to differ from old passwords by more than four characters.
- V-3817 Medium description Database accounts should not specify account lock times less than the site-approved minimum.
- V-3818 Medium description Unauthorized database links should not be defined and active.
- V-3819 Medium description Sensitive information from production database exports should be modified after import to a development database.
- V-3820 Medium description Production databases should be protected from unauthorized access by developers on shared production/development host systems.
- V-3821 Medium description Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
- V-3823 Low description Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
- V-3846 Medium description, check, fix Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
- V-3847 Low description Database application user accounts should be denied storage usage for object creation within the database.
- V-3848 Low description The Oracle SID should not be the default SID.
- V-3849 Medium description, check Application owner accounts should have a dedicated application tablespace.
- V-3850 Medium description The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
- V-3854 Medium description The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
- V-3857 Medium description The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE.
- V-3865 Low description The XDB Protocol server should be uninstalled if not required and authorized for use.
- V-5683 Medium description Application object owner accounts should be disabled when not performing installation or maintenance actions.
- V-5685 Medium description Required auditing parameters for database auditing should be set.
- V-5686 Medium description Audit records should be restricted to authorized individuals.
- RMF Control
- Severity: M
- CCI
- Version: DG0060-ORACLE11
- Vuln IDs: V-2424
- Rule IDs: SV-24632r1_rule
Checks: C-29159r1_chk
From SQL*Plus: select username from dba_users order by username; Review the list of database account names to determine usage of all non-standard account names or account names that do not appear to be assigned to individuals. For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not have the appearance of assignment to an individual interactive user. An account name like JDOE appears to be assigned to an individual. Review the list of account names against those listed in the System Security Plan or authorized user list. Consult the IAO or DBA to make a final determination on whether accounts are shared accounts or not. If shared accounts are not documented as such and are not approved, this is a Finding.
Fix: F-26170r1_fix
Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.
- RMF Control
- Severity: M
- CCI
- Version: DG0030-ORACLE11
- Vuln IDs: V-2507
- Rule IDs: SV-24368r1_rule
Checks: C-1001r1_chk
Review and verify the implementation of an audit trail retention policy. Verify that audit data is maintained for a minimum of one year. If audit data is not maintained for a minimum of one year, this is a Finding.
Fix: F-23729r1_fix
Develop, document and implement an audit retention policy and procedures. It is recommended that the most recent thirty days of audit logs remain available online. After thirty days, the audit logs may be maintained offline. Online maintenance provides for a more timely capability and inclination to investigate suspicious activity.
- RMF Control
- Severity: M
- CCI
- Version: DG0070-ORACLE11
- Vuln IDs: V-2508
- Rule IDs: SV-24647r1_rule
Checks: C-29171r1_chk
Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From SQL*Plus: select username from dba_users order by username; If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding.
Fix: F-26183r1_fix
Develop, document and implement procedures for authorizing creation, changes and deletions of user accounts. Monitor user accounts to verify that they remain authorized.
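Added here as a worked example, not text from the STIG or from DISA: one inventory query that supports both the V-2424 shared-account review and the V-2508 authorized-user review from a single result set. It reads only the 11g data dictionary; the review_hint column is this editor's heuristic, not a STIG criterion.

```sql
-- Added example (not from the STIG). Inventory query for the V-2424 and
-- V-2508 reviews; run as a DBA from SQL*Plus. The review_hint column is a
-- heuristic, not a STIG criterion: an account that owns objects is normally
-- an application schema, an OPEN account that owns nothing is an interactive
-- or service login that must appear on the authorized user list, and a
-- locked or expired account needs a documented reason to still exist.
select u.username,
       u.account_status,
       u.profile,
       to_char(u.created, 'YYYY-MM-DD') as created,
       (select count(*) from dba_objects o where o.owner = u.username)      as owned_objects,
       (select count(*) from dba_role_privs r where r.grantee = u.username) as roles_granted,
       case
         when exists (select 1 from dba_objects o where o.owner = u.username)
           then 'application/schema owner: confirm documented in the SSP'
         when u.account_status = 'OPEN'
           then 'login account: must map to an individual or an approved shared account'
         else 'locked or expired: confirm documented, otherwise drop'
       end as review_hint
from dba_users u
where u.username not in ('SYS', 'SYSTEM')   -- SYS and SYSTEM are reviewed under V-2511
order by owned_objects desc, u.username;
```

Compare the OPEN, object-less rows against the System Security Plan's user list; those are the accounts the two checks are about. Schema owners with interactive logins enabled are a separate problem (V-5683) and show up here as owners with account_status OPEN.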
- RMF Control
- Severity: M
- CCI
- Version: DO0140-ORACLE11
- Vuln IDs: V-2511
- Rule IDs: SV-24850r1_rule
Checks: C-29409r1_chk
Review the policy and procedures for use of the Oracle default accounts, including direct use of the Oracle SYS and SYSTEM accounts, with the IAO and DBA. If a policy does not exist for their use, this is a Finding. If procedures, automated or manual, for logging default account use are not defined or implemented, this is a Finding. If monitoring of default account use does not exist or is not implemented, this is a Finding.
Fix: F-26436r1_fix
Design, document and implement policy and procedures for use, logging and monitoring of Oracle default accounts in the System Security Plan. Ensure those granted access to the accounts are aware of the accounts and the policies and procedures for them.
- RMF Control
- Severity: M
- CCI
- Version: DO0190-ORACLE11
- Vuln IDs: V-2515
- Rule IDs: SV-24859r2_rule
Checks: C-29418r2_chk
From SQL*Plus: select owner from dba_tables where table_name = 'AUD$'; If the owner account returned is not SYS or SYSTEM, this is a Finding. If the AUD$ table does not exist, this is a Finding.
Fix: F-26445r1_fix
Change the owner of the AUD$ table to the SYS or SYSTEM account, OR recreate the audit table while logged in as SYS or SYSTEM.
- RMF Control
- Severity: M
- CCI
- Version: DO0210-ORACLE11
- Vuln IDs: V-2516
- Rule IDs: SV-24862r1_rule
Checks: C-29420r1_chk
From SQL*Plus: select 'The number of replication objects defined is: '|| count(*) from all_tables where table_name like 'REPCAT%'; If the count returned is 0, then Oracle Replication is not installed and this check is Not a Finding. Otherwise: From SQL*Plus: select count(*) from sys.dba_repcatlog; If the count returned is 0, then Oracle Replication is not in use and this check is Not a Finding. If any results are returned, ask the IAO or DBA if the replication account (the default is REPADMIN, but may be customized) is restricted to IAO-authorized personnel only. If it is not, this is a Finding. If there are multiple replication accounts, confirm that all are justified and documented with the IAO. If they are not, this is a Finding.
Fix: F-26447r1_fix
Change the password for default and custom replication accounts and provide the password to IAO-authorized users only.
- RMF Control
- Severity: M
- CCI
- Version: DO0220-ORACLE11
- Vuln IDs: V-2517
- Rule IDs: SV-24865r1_rule
Checks: C-29422r1_chk
From SQL*Plus: select instance_name from v$instance; select version from v$instance; If the instance name returned references the Oracle release number, this is a Finding. Numbers used that include version numbers by coincidence are not a Finding. The DBA should be able to relate the significance of the presence of a digit in the SID.
Fix: F-26449r1_fix
Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents) to change the SID for the database without re-creating the database to a value that does not identify the Oracle version.
- RMF Control
- Severity: L
- CCI
- Version: DO0240-ORACLE11
- Vuln IDs: V-2519
- Rule IDs: SV-24881r2_rule
Checks: C-29433r2_chk
From SQL*Plus: select value from v$parameter where name = 'os_roles'; If the value returned is not FALSE, this is a Finding.
Fix: F-26462r1_fix
From SQL*Plus: alter system set os_roles = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: M
- CCI
- Version: DO0250-ORACLE11
- Vuln IDs: V-2520
- Rule IDs: SV-24519r2_rule
Checks: C-29437r2_chk
From SQL*Plus: select owner||': '||db_link from dba_db_links; select count(*) from sys.dba_repcatlog; If no records are returned from the first SQL statement, this check is Not a Finding. If the value of the count returned is 0 for the second SQL statement, none of the database links listed above, if any, is used for replication. Confirm the public and fixed user database links listed are documented in the System Security Plan, are authorized by the IAO and are used for replication or operational system requirements. If any are not, this is a Finding.
Fix: F-26494r1_fix
Document all authorized connections from the database to remote databases in the System Security Plan. Remove all unauthorized remote database connection definitions from the database. From SQL*Plus: drop database link [link name]; OR drop public database link [link name]; Review remote database connection definitions periodically and confirm their use is still required and authorized.
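Added here as a worked example, not text from the STIG or from DISA: a query that classifies each database link for the V-2520 review (the check lists owner and name only) and writes out the drop statement the fix calls for, so the reviewer can see at a glance which links carry stored credentials. It assumes only the standard DBA_DB_LINKS view.

```sql
-- Added example (not from the STIG). Classifies every database link for the
-- V-2520 review and writes the drop statement to use if a link turns out to
-- be unauthorized. Fixed-user links embed a remote username and password and
-- are the ones that most need a documented justification. A private link can
-- only be dropped while connected as its owner, hence the trailing comment.
select l.owner,
       l.db_link,
       l.host,
       case
         when l.username = 'CURRENT_USER' then 'current-user link'
         when l.username is not null      then 'fixed-user link (stored credentials for ' || l.username || ')'
         else                                  'connected-user link'
       end as link_type,
       to_char(l.created, 'YYYY-MM-DD') as created,
       case
         when l.owner = 'PUBLIC' then 'drop public database link ' || l.db_link || ';'
         else 'drop database link ' || l.db_link || ';  -- connect as ' || l.owner
       end as drop_statement_if_unauthorized
from dba_db_links l
order by case when l.owner = 'PUBLIC' then 0 else 1 end, l.owner, l.db_link;
```

Public links and fixed-user links are the two kinds the check names; a connected-user link still needs to be in the System Security Plan, but it exposes nothing beyond what the connecting account already holds on the remote side.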
- RMF Control
- Severity: M
- CCI
- Version: DO0260-ORACLE11
- Vuln IDs: V-2521
- Rule IDs: SV-24887r1_rule
Checks: C-29439r1_chk
From SQL*Plus: select name from v$controlfile;
DoD guidance recommends:
1. A minimum of two distinct control files for each Oracle Database Instance.
2a. Each control file is to be located on separate, archived physical storage devices, OR
2b. Each control file is to be located on separate, archived directories within one or more RAID devices.
3. The logical paths for each control file should differ at the highest level supported by your configuration, for example:
UNIX: /ora03/app/oracle/{SID}/control/control01.ctl and /ora04/app/oracle/{SID}/control/control02.ctl
Windows: D:/oracle/{SID}/control/control01.ctl and E:/oracle/{SID}/control/control02.ctl
If this minimum listed above is not met, this is a Finding. Consult with the SA or DBA to determine that the mount points or partitions referenced in the file paths indicate separate physical disks or directories on RAID devices.
NOTE: Distinct does not equal dedicated. You may share directory space with other Oracle database instances if present.
Fix: F-26497r1_fix
To prevent loss of service during disk failure, multiple copies of Oracle control files should be maintained on separate disks in archived directories or on separate, archived directories within one or more RAID devices. Adding or moving a control file requires careful planning and execution. Please consult and follow the instructions for creating control files in the Oracle Database Administrator's Guide, under Steps for Creating New Control Files.
- RMF Control
- Severity: M
- CCI
- Version: DO0270-ORACLE11
- Vuln IDs: V-2522
- Rule IDs: SV-24522r2_rule
Checks: C-29441r2_chk
From SQL*Plus: select count(*) from V$LOG; If the value of the count returned is less than 2, this is a Finding. From SQL*Plus: select count(*) from V$LOG where members > 1; If the value of the count returned is less than 2 and a RAID storage device is not being used, this is a Finding.
Fix: F-26500r1_fix
To define additional redo log file groups: From SQL*Plus (Example): alter database add logfile group 2 ('diska:log2.log' , 'diskb:log2.log') size 50K; To add additional redo log file [members] to an existing redo log file group: From SQL*Plus (Example): alter database add logfile member 'diskc:log2.log' to group 2; Replace diska, diskb, diskc with valid, different disk drive specifications. Replace log#.log file with valid or custom names for the log files.
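Added here as a worked example, not text from the STIG or from DISA: one listing that serves both V-2521 (control files) and V-2522 (redo log groups) by pulling the top-level path component out of every file name, which is what the "differ at the highest level" criterion in V-2521 is really asking about. The regular expression is this editor's and assumes conventional UNIX, Windows drive-letter or ASM (+DISKGROUP) paths.

```sql
-- Added example (not from the STIG). One listing for V-2521 and V-2522:
-- every control file and every redo log member with the top-level path
-- component extracted, so "separate physical disks or directories" can be
-- checked from one result set. The regular expression keeps '/ora03' on
-- UNIX, 'D:' on Windows and '+DATA' for ASM; ASM paths must be checked
-- against the disk group layout instead of the string.
select cast('control file' as varchar2(16)) as file_kind,
       to_number(null)                         as redo_group,
       name                                    as file_name,
       regexp_substr(name, '^(/[^/]+|[A-Za-z]:|\+[^/]+)') as top_level
from v$controlfile
union all
select 'redo log member',
       f.group#,
       f.member,
       regexp_substr(f.member, '^(/[^/]+|[A-Za-z]:|\+[^/]+)')
from v$logfile f
order by 1, 2, 3;

-- The minimum counts the two checks look for, in one row. Fewer than two
-- control files, a single top-level location for them, or any redo group
-- with fewer than two members on a non-RAID host, is a Finding.
select (select count(*) from v$controlfile)                              as control_files,
       (select count(distinct regexp_substr(name, '^(/[^/]+|[A-Za-z]:|\+[^/]+)'))
          from v$controlfile)                                            as control_file_locations,
       (select count(*) from v$log)                                      as redo_groups,
       (select count(*) from v$log where members < 2)                    as redo_groups_with_one_member
from dual;
```

Two files under different mount points are still on the same spindle if both mounts come from one volume; the second query only proves the paths differ, and the SA still has to confirm the storage behind them, as the check says.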
- RMF Control
- Severity: M
- CCI
- Version: DO3440-ORACLE11
- Vuln IDs: V-2527
- Rule IDs: SV-24549r2_rule
Checks: C-29459r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select grantee from dba_role_privs where granted_role='DBA' and grantee not in ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'WKSYS'); If any accounts are listed, review against the list of DBA accounts authorized by the IAO in the System Security Plan. If any accounts are assigned the DBA role and are not authorized by the IAO, this is a Finding. If any DBA roles are assigned to developer accounts and this is a production database, this is a Finding. If any DBA roles are assigned to shared accounts, this is a Finding.
Fix: F-26521r1_fix
Authorize and document all DBA role authorizations in the System Security Plan. Revoke DBA role membership from unauthorized accounts. Revoke DBA role membership from any accounts assigned to a developer job function on a shared production / development database.
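Added here as a worked example, not text from the STIG or from DISA: the V-2527 check only sees accounts granted DBA directly, but a role that has been granted DBA hands it on to that role's own grantees. The query below walks DBA_ROLE_PRIVS as a hierarchy and reports every user that ends up with DBA and the chain it came through; the exclusion list is the one from the check.

```sql
-- Added example (not from the STIG). Every user that holds DBA, directly or
-- through nested roles, with the grant chain. Run as a DBA from SQL*Plus.
select u.username,
       u.account_status,
       h.grant_path
from (
       select grantee,
              ltrim(sys_connect_by_path(granted_role, ' -> '), ' ->') || ' -> ' || grantee as grant_path
       from dba_role_privs
       start with granted_role = 'DBA'
       connect by nocycle prior grantee = granted_role
     ) h
join dba_users u on u.username = h.grantee
where u.username not in ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'WKSYS')
order by u.username, h.grant_path;

-- DBA granted to PUBLIC or to a role is not a user and so is not listed
-- above. DBA on PUBLIC is a Finding on its own: every account inherits it.
select grantee
from dba_role_privs
where granted_role = 'DBA'
  and grantee not in (select username from dba_users);
```

A row such as JDOE with path DBA -> APP_ADMIN -> JDOE is exactly the case the direct query misses; revoking DBA from APP_ADMIN, or APP_ADMIN from JDOE, is the fix, whichever the System Security Plan supports.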
- RMF Control
- Severity: L
- CCI
- Version: DO3447-ORACLE11
- Vuln IDs: V-2531
- Rule IDs: SV-24902r2_rule
Checks: C-29461r2_chk
From SQL*Plus: select value from v$parameter where name = 'os_authent_prefix'; If the value returned is OPS$ or ops$, this is a Finding.
Fix: F-26523r1_fix
Specify an operating system authenticated username prefix other than OPS$. From SQL*Plus: alter system set os_authent_prefix = [prefix value] scope = spfile; Compliant selections for [prefix value] are a null string ('') or a text value other than 'OPS$'. The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: M
- CCI
- Version: DO3451-ORACLE11
- Vuln IDs: V-2533
- Rule IDs: SV-24905r3_rule
Checks: C-29463r3_chk
Execute the query: select grantee||': '||owner||'.'||table_name from dba_tab_privs where grantable = 'YES' and grantee not in (select distinct owner from dba_objects) and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA') order by grantee; If any accounts are listed, this is a finding.
Fix: F-26525r1_fix
Revoke privileges granted WITH GRANT OPTION from non-DBA accounts and from accounts that do not own application objects. Re-grant the privileges without specifying WITH GRANT OPTION.
- RMF Control
- Severity: M
- CCI
- Version: DO3475-ORACLE11
- Vuln IDs: V-2539
- Rule IDs: SV-24908r2_rule
Checks: C-26553r2_chk
From SQL*Plus: select table_name from dba_tab_privs where grantee='PUBLIC' and privilege ='EXECUTE' and table_name in ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL', 'DBMS_SYS_SQL', 'DBMS_JOB', 'DBMS_BACKUP_RESTORE', 'DBMS_OBFUSCATION_TOOLKIT'); If any records are returned, this is a Finding.
Fix: F-22841r1_fix
Revoking all default installation privilege assignments from PUBLIC is not required at this time. However, execute permission on the specified packages is required to be revoked from PUBLIC. Removal of these privileges from PUBLIC may result in invalid packages in version 10.1 and later of Oracle and an inability to execute default Oracle applications and utilities. To correct this problem, grant execute privileges on these packages directly to the SYSMAN, WKSYS, MDSYS and SYSTEM accounts as well as any other default Oracle database and custom application object owner accounts as necessary to support execution of applications/utilities installed with an Oracle Database Server. At a minimum, revoke the following. From SQL*Plus:
revoke execute on UTL_FILE from PUBLIC;
revoke execute on UTL_SMTP from PUBLIC;
revoke execute on UTL_TCP from PUBLIC;
revoke execute on UTL_HTTP from PUBLIC;
revoke execute on DBMS_RANDOM from PUBLIC;
revoke execute on DBMS_LOB from PUBLIC;
revoke execute on DBMS_SQL from PUBLIC;
revoke execute on DBMS_SYS_SQL from PUBLIC;
revoke execute on DBMS_JOB from PUBLIC;
revoke execute on DBMS_BACKUP_RESTORE from PUBLIC;
revoke execute on DBMS_OBFUSCATION_TOOLKIT from PUBLIC;
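Added here as a worked example, not text from the STIG or from DISA: the V-2539 fix warns that revoking these packages from PUBLIC breaks dependent code, but leaves finding that code to the DBA. The three statements below generate the revoke script from the grants that actually exist, list the schemas whose PL/SQL references the packages (and so need the direct grant the fix describes), and show how to find what is left invalid afterwards. They assume only the standard DBA_TAB_PRIVS, DBA_DEPENDENCIES and DBA_OBJECTS views and Oracle's utlrp.sql recompile script.

```sql
-- Added example (not from the STIG). Run as SYS from SQL*Plus. The package
-- list is the one in the V-2539 check. Output is a script to review against
-- the System Security Plan, not to run blind.

-- 1. One revoke per grant that actually exists.
select 'revoke execute on ' || p.owner || '.' || p.table_name || ' from PUBLIC;' as revoke_stmt
from dba_tab_privs p
where p.grantee   = 'PUBLIC'
  and p.privilege = 'EXECUTE'
  and p.table_name in ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'DBMS_RANDOM',
                       'DBMS_LOB', 'DBMS_SQL', 'DBMS_SYS_SQL', 'DBMS_JOB',
                       'DBMS_BACKUP_RESTORE', 'DBMS_OBFUSCATION_TOOLKIT')
order by p.table_name;

-- 2. Schemas whose stored code references one of the packages. Each of
--    these loses the PUBLIC path and needs a direct grant if, and only if,
--    its use of the package is authorized.
select distinct d.owner,
       d.referenced_name as package_name,
       'grant execute on SYS.' || d.referenced_name || ' to ' || d.owner || ';' as grant_stmt
from dba_dependencies d
where d.referenced_name  in ('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'DBMS_RANDOM',
                             'DBMS_LOB', 'DBMS_SQL', 'DBMS_SYS_SQL', 'DBMS_JOB',
                             'DBMS_BACKUP_RESTORE', 'DBMS_OBFUSCATION_TOOLKIT')
  and d.referenced_owner in ('SYS', 'PUBLIC')
  and d.owner not in ('SYS', 'PUBLIC')
order by d.owner, d.referenced_name;

-- 3. After the revokes and any direct grants, recompile as SYS with
--      @?/rdbms/admin/utlrp.sql
--    and then list what is still invalid; anything here is the breakage the
--    fix text warns about.
select owner, object_name, object_type
from dba_objects
where status = 'INVALID'
order by owner, object_name;
```

Step 2 catches compiled PL/SQL only; code built at run time with DBMS_SQL or EXECUTE IMMEDIATE, and client programs that call the packages directly, show up only as failures after the revoke, which is why the fix text has you re-run the applications.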
- RMF Control
- Severity: M
- CCI
- Version: DO3536-ORACLE11
- Vuln IDs: V-2552
- Rule IDs: SV-24564r2_rule
Checks: C-29465r2_chk
From SQL*Plus: select profile, limit from DBA_PROFILES where profile = 'DEFAULT' and resource_name = 'IDLE_TIME'; select profile, limit from DBA_PROFILES where profile <> 'DEFAULT' and resource_name = 'IDLE_TIME'; If the idle time on the DEFAULT profile is greater than 15 minutes, this is a Finding. If any non-default profiles have an idle time setting greater than 60 minutes or are set to an UNLIMITED value and not documented in the System Security Plan or not authorized by the IAO, this is a Finding.
Fix: F-26529r1_fix
Modify profiles to meet the idle time requirement. From SQL*Plus: alter profile default limit idle_time 15; alter profile [profile name] limit idle_time [IAO-approved value]; Authorize and document any profiles that require idle times greater than 15 minutes in the System Security Plan.
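Added here as a worked example, not text from the STIG or from DISA: the V-2552 queries report the declared limit, but a non-DEFAULT profile whose IDLE_TIME is DEFAULT inherits the DEFAULT profile's value, and no profile limit is enforced at all unless RESOURCE_LIMIT is TRUE (the separate V-2593 rule). The query resolves both and shows how many accounts each profile covers; the thresholds are the ones in the check.

```sql
-- Added example (not from the STIG). Effective IDLE_TIME per profile for the
-- V-2552 check, with inheritance from DEFAULT resolved and the RESOURCE_LIMIT
-- precondition applied. Run as a DBA from SQL*Plus.
with idle as (
  select p.profile,
         p.limit as declared_limit,
         case when p.limit = 'DEFAULT' then d.limit else p.limit end as effective_limit
  from dba_profiles p
  join dba_profiles d
    on d.profile = 'DEFAULT'
   and d.resource_name = p.resource_name
  where p.resource_name = 'IDLE_TIME'
)
select i.profile,
       i.declared_limit,
       i.effective_limit,
       (select count(*) from dba_users u where u.profile = i.profile) as accounts,
       case
         when (select value from v$parameter where name = 'resource_limit') <> 'TRUE'
           then 'NOT ENFORCED: resource_limit is not TRUE (V-2593)'
         when i.profile = 'DEFAULT'
          and (i.effective_limit = 'UNLIMITED'
               or to_number(regexp_substr(i.effective_limit, '^\d+$')) > 15)
           then 'FINDING: DEFAULT profile exceeds 15 minutes'
         when i.profile <> 'DEFAULT'
          and (i.effective_limit = 'UNLIMITED'
               or to_number(regexp_substr(i.effective_limit, '^\d+$')) > 60)
           then 'FINDING unless documented in the SSP and IAO-authorized'
         else 'PASS'
       end as result
from idle i
order by case when i.profile = 'DEFAULT' then 0 else 1 end, i.profile;
```

regexp_substr returns NULL for UNLIMITED and DEFAULT, so to_number never sees a non-numeric string; a profile with zero accounts still matters because a new account created without an explicit profile gets DEFAULT, not the empty one.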
- RMF Control
- Severity: H
- CCI
- Version: DO3538-ORACLE11
- Vuln IDs: V-2554
- Rule IDs: SV-24911r2_rule
Checks: C-29467r2_chk
From SQL*Plus: select value from v$parameter where name = 'remote_os_authent'; If the value returned does not equal FALSE, this is a Finding.
Fix: F-26531r1_fix
Document remote OS authentication in the System Security Plan. If not required or not mitigated to an acceptable level, disable remote OS authentication. From SQL*Plus: alter system set remote_os_authent = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: H
- CCI
- Version: DO3539-ORACLE11
- Vuln IDs: V-2555
- Rule IDs: SV-24916r2_rule
Checks: C-29469r2_chk
From SQL*Plus: select value from v$parameter where name = 'remote_os_roles'; If the returned value is not FALSE or not documented in the System Security Plan as required, this is a Finding.
Fix: F-26533r1_fix
Document remote OS roles in the System Security Plan. If not required, disable use of remote OS roles. From SQL*Plus: alter system set remote_os_roles = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: M
- CCI
- Version: DO3540-ORACLE11
- Vuln IDs: V-2556
- Rule IDs: SV-24919r2_rule
Checks: C-29471r2_chk
From SQL*Plus: select value from v$parameter where name = 'sql92_security'; If the value returned is set to FALSE, this is a Finding. If the parameter is set to TRUE or does not exist, this is Not a Finding.
Fix: F-26535r1_fix
Enable SQL92 security. From SQL*Plus: alter system set sql92_security = TRUE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: M
- CCI
- Version: DO3546-ORACLE11
- Vuln IDs: V-2558
- Rule IDs: SV-24922r2_rule
Checks: C-29473r2_chk
From SQL*Plus: select value from v$parameter where name = 'remote_login_passwordfile'; If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a Finding.
Fix: F-26537r1_fix
Disable use of the remote_login_passwordfile where remote administration is not authorized by specifying a value of NONE. If authorized, restrict use of a password file to exclusive use by each database by specifying a value of EXCLUSIVE. From SQL*Plus: alter system set remote_login_passwordfile = 'EXCLUSIVE' scope = spfile; OR alter system set remote_login_passwordfile = 'NONE' scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control
- Severity: M
- CCI
- Version: DO3609-ORACLE11
- Vuln IDs: V-2561
- Rule IDs: SV-24925r2_rule
Checks: C-29475r2_chk
From SQL*Plus: select grantee, privilege from dba_sys_privs where grantee not in ('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA', 'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN', 'WMSYS') and admin_option = 'YES' and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA'); If any accounts are listed, this is a Finding.
Fix: F-26540r1_fix
Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option. From SQL*Plus: revoke [privilege name] from [username]; grant [privilege name] to [username]; Replace [privilege name] with the named privilege and [username] with the named user. Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.
- RMF Control
- Severity: M
- CCI
- Version: DO3610-ORACLE11
- Vuln IDs: V-2562
- Rule IDs: SV-24928r2_rule
Checks: C-29477r2_chk
From SQL*Plus: select count(*) from all_def_audit_opts where ren = 'A/A'; If a count of 0 is returned, this is a Finding.
Check for required auditing of the audit table as follows. From SQL*Plus: select upd, del, object_type from dba_obj_audit_opts where object_name = 'AUD$';
If no record is returned, no auditing is configured on the audit table, and this is a Finding.
If the record returned is of object type TABLE and upd(ate) and del(ete) are not 'A/A', this is a Finding.
If the record returned is of object type VIEW and upd and del are 'A/A', this is Not a Finding. Otherwise, if the record returned is of object type VIEW and upd and del are not 'A/A', the underlying table must be checked for update and delete auditing as follows. From SQL*Plus:
set long 1000
set wrap on
select text from dba_views where view_name = 'AUD$';
Review the text returned and locate the "from table_owner.table_name" clause, normally at the end of the text. Replace table_owner and table_name in the statement below with the values found. From SQL*Plus: select upd, del from dba_obj_audit_opts where owner = 'table_owner' and object_name = 'table_name'; If the values of upd(ate) and del(ete) returned are not 'A/A', this is a Finding.
Fix: F-26541r1_fix
The only application object auditing required is for use of the RENAME privilege on database objects. Configure auditing of RENAME privilege use by default for newly created objects. From SQL*Plus: audit rename on default by access; If application objects have already been created, issue the audit rename on object statement for all application objects. From SQL*Plus: audit rename on [application object name] by access; Enable auditing of access and activity on audit trail data stored in the database. From SQL*Plus: audit update, delete on AUD$ by access; NOTE: The audit table is owned by SYS by default (SYS.AUD$), but may have been moved to another schema; if it has, qualify the table name with its owner in the audit statement.
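Added here as a worked example, not text from the STIG or from DISA: the V-2562 check has the reviewer read the AUD$ view text by hand to find a relocated audit table. The query below resolves the same thing from DBA_DEPENDENCIES, reports the update/delete audit options for every AUD$ object and its underlying table in one pass, and writes the audit statement from the fix for any table that fails. It also covers the V-2515 ownership check. Only standard dictionary views are assumed.

```sql
-- Added example (not from the STIG). Audit options on the audit trail for the
-- V-2562 check, with a relocated AUD$ (view over another table) resolved
-- through DBA_DEPENDENCIES instead of by reading the view text. Run as SYS.
with audit_objects as (
  select o.owner, o.object_name, o.object_type
  from dba_objects o
  where o.object_name = 'AUD$'
    and o.object_type in ('TABLE', 'VIEW')
  union
  select d.referenced_owner, d.referenced_name, d.referenced_type
  from dba_dependencies d
  where d.name = 'AUD$'
    and d.type = 'VIEW'
    and d.referenced_type = 'TABLE'
)
select a.owner,
       a.object_name,
       a.object_type,
       o.upd,
       o.del,
       case
         when a.object_type = 'TABLE' and o.upd = 'A/A' and o.del = 'A/A'
           then 'PASS'
         when a.object_type = 'TABLE'
           then 'FINDING: audit update, delete on ' || a.owner || '.' || a.object_name || ' by access;'
         else 'view: see the row for its underlying table'
       end as result
from audit_objects a
left join dba_obj_audit_opts o
  on o.owner       = a.owner
 and o.object_name = a.object_name
 and o.object_type = a.object_type
order by a.object_type desc, a.owner, a.object_name;

-- V-2515 companion: the audit table owner must be SYS or SYSTEM.
select owner
from dba_tables
where table_name = 'AUD$';
```

A missing row from DBA_OBJ_AUDIT_OPTS (upd and del both null) means no object auditing is set on that table at all, which the query reports as a Finding rather than leaving it to be inferred.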
- RMF Control
- Severity: M
- CCI
- Version: DO3612-ORACLE11
- Vuln IDs: V-2564
- Rule IDs: SV-24931r2_rule
Checks: C-29479r2_chk
From SQL*Plus: select privilege from dba_sys_privs where grantee = 'PUBLIC'; If any records are returned, this is a Finding.
Fix: F-26544r1_fix
Revoke any system privileges assigned to PUBLIC: From SQL*Plus: revoke [system privilege] from PUBLIC; Replace [system privilege] with the named system privilege. NOTE: System privileges are not granted to PUBLIC by default and would indicate a custom action.
- RMF Control:
- Severity: M
- CCI:
- Version: DO3622-ORACLE11
- Vuln IDs: V-2574
- Rule IDs: SV-24570r2_rule
Checks: C-29481r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||granted_role from dba_role_privs
where grantee not in ('DBA', 'SYS', 'SYSTEM', 'WKSYS', 'LBACSYS', 'WMSYS', 'OWBSYS', 'CTXSYS', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR', 'FLOWS_030000')
and admin_option = 'YES'
and grantee not in (select distinct owner from dba_objects)
and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
order by grantee;
Review the System Security Plan to confirm any grantees listed are IAO-authorized DBA accounts or application administration roles. If any grantees listed are not authorized and documented, this is a Finding.
Fix: F-26547r1_fix
Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required. From SQL*Plus:
revoke [role name] from [grantee];
grant [role name] to [grantee];
Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan.
- RMF Control:
- Severity: L
- CCI:
- Version: DO3685-ORACLE11
- Vuln IDs: V-2586
- Rule IDs: SV-24937r2_rule
Checks: C-29483r2_chk
From SQL*Plus:
select value from v$parameter where name = 'O7_dictionary_accessibility';
If the value returned is TRUE, this is a Finding. If the parameter does not exist or the value returned is FALSE, this is Not a Finding.
Fix: F-26549r1_fix
Disable O7_dictionary_accessibility to restrict access to system tables to users granted privileges to access objects owned by all users. From SQL*Plus:
alter system set O7_dictionary_accessibility = FALSE scope = spfile;
The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DO3689-ORACLE11
- Vuln IDs: V-2589
- Rule IDs: SV-24573r2_rule
Checks: C-29485r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs
where grantee = 'PUBLIC'
and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS', 'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS', 'EXFSYS');
If any records are returned for owners that are not Oracle product accounts and are not documented and authorized, this is a Finding. NOTE: This check may return false positives where other Oracle product accounts are not included in the exclusion list.
Fix: F-26551r1_fix
Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts. From SQL*Plus:
revoke [privilege name] on [object name] from [user name];
Assign permissions to custom application user roles based on job functions. From SQL*Plus:
grant [privilege name] on [object name] to [user role];
- RMF Control:
- Severity: M
- CCI:
- Version: DO3696-ORACLE11
- Vuln IDs: V-2593
- Rule IDs: SV-24942r2_rule
Checks: C-29487r2_chk
From SQL*Plus:
select value from v$parameter where name = 'resource_limit';
If the value returned is not set to TRUE, this is a Finding.
Fix: F-26553r1_fix
Enable resource limit checking on the database. From SQL*Plus:
alter system set resource_limit = TRUE scope = both;
The above SQL*Plus command will set the parameter to take effect immediately and permanently at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0320-ORACLE11
- Vuln IDs: V-3437
- Rule IDs: SV-24896r2_rule
Checks: C-29447r2_chk
From SQL*Plus:
select granted_role from dba_role_privs where grantee = 'PUBLIC';
If any roles are listed, this is a Finding.
Fix: F-26510r1_fix
Revoke role grants from PUBLIC. Do not assign role privileges to PUBLIC. From SQL*Plus:
revoke [role name] from PUBLIC;
- RMF Control:
- Severity: M
- CCI:
- Version: DO0340-ORACLE11
- Vuln IDs: V-3438
- Rule IDs: SV-24531r2_rule
Checks: C-29449r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee, granted_role from dba_role_privs
where default_role='YES'
and granted_role in (select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in ('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'DBA', 'IMP_FULL_DATABASE', 'MDSYS', 'SYS', 'WKSYS')
and grantee not in (select distinct owner from dba_tables)
and grantee not in (select distinct username from dba_users where upper(account_status) like '%LOCKED%');
Review the list of accounts reported for this check and ensure that they are authorized application administration roles. If any are not authorized application administration roles, this is a Finding.
Fix: F-26513r1_fix
For each role assignment returned, issue the following from SQL*Plus:
alter user [username] default role all except [role];
If the user has more than one application administration role assigned, then you will have to remove assigned roles from default assignment and assign individually the appropriate default roles.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0350-ORACLE11
- Vuln IDs: V-3439
- Rule IDs: SV-24534r2_rule
Checks: C-29451r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION'
and grantee not in ('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN', 'MTSSYS', 'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE', 'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS', 'WM_ADMIN_ROLE', 'XDB', 'ANONYMOUS', 'CONNECT', 'DBSNMP', 'JAVADEBUGPRIV', 'ODM_MTR', 'OLAP_DBA', 'ORDPLUGINS', 'RESOURCE', 'RMAN', 'SYS', 'WKPROXY', 'AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN', 'TIMESERIES_DBA', 'TIMESERIES_DEVELOPER', 'OLAP_USER')
and grantee not in (select grantee from dba_role_privs where granted_role='DBA')
and grantee not in (select username from dba_users where upper(account_status) like '%LOCKED%');
If any records are returned, perform the following instructions for this check to determine the finding status. Review the list of active non-DBA accounts and roles granted system privileges. Any accounts listed as authorized for checks DO0340 (Oracle application administration roles enablement) and DG0008 (Oracle object ownership) are not a Finding. On a production database, confirm that any accounts listed with create user, alter user, drop user belong to authorized application administration roles. On a development system, ensure that system privileges assigned to developers are justified and authorized by the IAO. If any unauthorized, unjustified or undocumented application user roles or accounts are listed, this is a Finding.
Fix: F-26515r1_fix
Document and justify system privileges assigned to users/roles in the System Security Plan and authorize with the IAO. Remove unauthorized or unjustified system privileges from user accounts or roles. From SQL*Plus:
revoke [privilege] from [user or role name];
Replace [privilege] with the named privilege and [user or role name] with the identified user or role.
- RMF Control:
- Severity: L
- CCI:
- Version: DG0015-ORACLE11
- Vuln IDs: V-3727
- Rule IDs: SV-24355r2_rule
Checks: C-1113r2_chk
If the database being reviewed is not a production database, this check is Not a Finding. From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select created, owner, object_name, object_type from dba_objects
where owner not in ('SYS', 'SYSTEM', 'ORDSYS', 'XDB', 'OLAPSYS', 'ODM')
and object_type <> 'SYNONYM'
order by created, owner, object_name;
View the list of objects returned. If any object-creation dates do not coincide with the software maintenance and upgrade logs or are not objects documented as supporting dynamic object creation functions, then investigate the circumstances under which the object was created. If the object is created using static definitions to store temporary data or indicates that the application uses unauthorized DDL statements, this is a Finding.
Fix: F-17993r1_fix
Document known object creation that supports dynamic object assignment in the System Security Plan and authorize with the IAO. Coordinate with the application designer to modify the application to use static objects with temporary data rather than using temporary objects. You may use the following code to periodically monitor for recently created objects:
select created, owner, object_name, object_type from dba_objects
where owner not in ('SYS', 'SYSTEM', 'ORDSYS', 'XDB', 'OLAPSYS', 'ODM')
and object_type <> 'SYNONYM'
and created >= sysdate-30 -- Lists objects created within last 30 days
order by created, owner, object_name;
- RMF Control:
- Severity: M
- CCI:
- Version: DG0051-ORACLE11
- Vuln IDs: V-3808
- Rule IDs: SV-60353r2_rule
Checks: C-26071r1_chk
The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility. From SQL*Plus:
select value from v$parameter where name = 'job_queue_processes';
select value from all_scheduler_global_attribute where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';
To understand the relationship between these settings, review: http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/appendix_a003.htm
Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding.
Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions. From SQL*Plus:
select job, next_date, next_sec, failures, broken from dba_jobs;
Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue. From SQL*Plus:
select owner, job_name, state, job_class, job_type, job_action from dba_scheduler_jobs;
Fix: F-26158r2_fix
Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions. Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.) Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions. Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0065-ORACLE11
- Vuln IDs: V-3810
- Rule IDs: SV-25026r1_rule
Checks: C-1055r1_chk
If user access to the DBMS is via a portal or mid-tier system or product and PKI-authentication occurs at the portal/mid-tier, this check is Not a Finding. Review the list of all DBMS accounts and their authentication methods. This list is usually available from a system view or table and is easily gained from a simple SQL query. If any accounts are listed with an authentication method other than a PKI certificate, this is a Finding. For MAC 3 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 certificate and hardware security token (when available) at minimum, this is a Finding. For MAC 1 and 2 systems, if identification and authentication is not accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum, this is a Finding.
Fix: F-2540r1_fix
Implement PKI authentication for all accounts defined within the database where applicable. Applications may use host system (server) certificates to authenticate. For MAC 3 systems, use of the DoD PKI Class 3 certificate and hardware security token (when available) at minimum is required. For MAC 1 and 2 systems, use of the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product at minimum is required.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0071-ORACLE11
- Vuln IDs: V-3815
- Rule IDs: SV-24387r3_rule
Checks: C-28977r4_chk
If no DBMS accounts authenticate using passwords, this check is Not a Finding. Confirm that database profiles specify a password verify function. From SQL*Plus:
select profile, limit from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' and limit not in ('NULL', 'DEFAULT') order by profile;
If no rows are listed, this is a Finding. Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than 4 characters. If reviewing code, logic similar to the following should be discovered:
-- Check if the password differs from the previous password
-- by more than 4 characters
if old_password is not null then
  differ := length(old_password) - length(password);
  if abs(differ) <= 4 then
    if length(password) < length(old_password) then
      m := length(password);
    else
      m := length(old_password);
    end if;
    differ := abs(differ);
    for i in 1..m loop
      if substr(password,i,1) != substr(old_password,i,1) then
        differ := differ + 1;
      end if;
    end loop;
    if differ <= 4 then
      raise_application_error(-20004, 'Password should differ by more than 4 characters');
    end if;
  end if;
end if;
If any password_verify_function routines do not check for a difference of more than 4 characters, this is a Finding.
Fix: F-25981r1_fix
Define and apply a password_verify_function for all profiles where passwords are used to authenticate accounts. See Fix information for DG0079 to create a password_verify_function that meets STIG requirements.
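The "differ by more than 4 characters" logic that DG0071 expects in a password verify function is easy to misread, so here it is ported to Python where it can be exercised against sample password changes. This is an added illustration, not the STIG's own code and not Oracle's supplied verify function; the function names are this example's own, and the sample passwords are constructed. It mirrors the PL/SQL fragment above exactly: the absolute length difference is taken first, and only when that alone is not more than 4 does a position-by-position comparison over the shorter string add to the count.

```python
"""Port of the DG0071 'differ by more than 4 characters' password rule.

Added illustration, not STIG or Oracle code. Mirrors the PL/SQL fragment
quoted in the check: length difference first, then a position-by-position
comparison over the shorter string. Returns a result instead of raising
ORA-20004 so it can be tested offline.
"""

MIN_DIFF = 4  # the STIG requires more than 4 differing characters


def character_difference(password: str, old_password: str) -> int:
    """Reproduce the PL/SQL 'differ' computation.

    differ starts as the absolute length difference; when that alone is
    not more than MIN_DIFF, every position of the shorter string holding
    a different character adds one. Characters are compared in place,
    so this is not an edit distance: a shifted or rotated string counts
    as fully different even though little entropy was added.
    """
    differ = abs(len(old_password) - len(password))
    if differ <= MIN_DIFF:
        m = min(len(password), len(old_password))
        for i in range(m):
            if password[i] != old_password[i]:
                differ += 1
    return differ


def password_differs_enough(password: str, old_password) -> bool:
    """True when the new password is acceptable under the DG0071 rule.

    The PL/SQL only compares when old_password is not null, so a first
    password (no previous value) passes this particular test.
    """
    if old_password is None:
        return True
    return character_difference(password, old_password) > MIN_DIFF


def verify_password_change(password: str, old_password) -> str:
    """Mimic raise_application_error(-20004, ...) as a returned message."""
    if password_differs_enough(password, old_password):
        return "OK"
    return "ORA-20004: Password should differ by more than 4 characters"


if __name__ == "__main__":
    # Constructed sample changes (not taken from any real system).
    samples = [
        ("Winter2024!", None),            # first password: no comparison
        ("Winter2024!", "Winter2023!"),   # one position changed: rejected
        ("Winter2024!", "Summer2024!"),   # exactly four changed: rejected
        ("Autumn2024!", "Winter2024!"),   # six positions changed: accepted
        ("Tr0ub4dor", "Tr0ub4dor&3xyz"),  # length differs by 5: accepted
    ]
    for new, old in samples:
        print(f"{old!r:>18} -> {new!r:<14} {verify_password_change(new, old)}")
```

When reviewing a site's own verify function against this logic, note the two properties a reviewer should expect: a change of exactly four characters is rejected (the rule is "more than 4"), and the comparison is positional, so the function satisfies the STIG text but does not measure similarity in any stronger sense.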
- RMF Control:
- Severity: M
- CCI:
- Version: DG0073-ORACLE11
- Vuln IDs: V-3817
- Rule IDs: SV-24650r2_rule
Checks: C-29174r2_chk
From SQL*Plus:
select profile||': '||limit
from dba_profiles, (select limit as def_login_attempts from dba_profiles where profile = 'DEFAULT' and resource_name = 'FAILED_LOGIN_ATTEMPTS')
where resource_name = 'FAILED_LOGIN_ATTEMPTS' and replace(limit, 'DEFAULT', def_login_attempts) IN ('UNLIMITED', NULL)
or resource_name = 'FAILED_LOGIN_ATTEMPTS' and to_number(decode(limit, 'UNLIMITED', 10, 'DEFAULT', 10, limit)) > 3;
If the DEFAULT profile is returned with a limit not less than or equal to 3, this is a Finding. If any non-DEFAULT profiles are returned with limits not documented and approved by the IAO, this is a Finding. NOTE: If the limit 'DEFAULT' is returned for any non-DEFAULT profiles, the profile limit is set to the corresponding value in the DEFAULT profile. If the DEFAULT profile is a Finding, so is the profile that references it.
Fix: F-2561r1_fix
Modify profiles to meet the failed login attempt requirement limit. From SQL*Plus:
alter profile default limit failed_login_attempts 3;
alter profile [profile name] limit failed_login_attempts [IAO-approved value];
Replace [profile name] with any existing, non-default profile names. Document in the System Security Plan all profiles and settings.
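The DG0073 query folds the DEFAULT-profile inheritance and the numeric test into one statement, which makes it hard to see why fixing the DEFAULT profile also clears the profiles that reference it. The following added example (not STIG or Oracle code) applies the same rule in Python to rows shaped like DBA_PROFILES; the rows, profile names and function names are constructed for the illustration. It resolves a literal 'DEFAULT' limit to the DEFAULT profile's value before testing, and handles a NULL limit explicitly because a SQL `IN (..., NULL)` never matches a null row.

```python
"""Evaluate FAILED_LOGIN_ATTEMPTS limits the way the DG0073 check does.

Added illustration, not STIG or Oracle code. Input rows are
(profile, resource_name, limit) tuples as fetched from DBA_PROFILES;
the sample rows below are constructed.
"""

MAX_FAILED_ATTEMPTS = 3  # STIG requirement for the DEFAULT profile

# Constructed sample of DBA_PROFILES rows (profile, resource_name, limit).
SAMPLE_ROWS = [
    ("DEFAULT", "FAILED_LOGIN_ATTEMPTS", "UNLIMITED"),
    ("DEFAULT", "PASSWORD_LIFE_TIME", "60"),
    ("APP_USERS", "FAILED_LOGIN_ATTEMPTS", "DEFAULT"),   # inherits DEFAULT
    ("DBA_PROFILE", "FAILED_LOGIN_ATTEMPTS", "3"),
    ("WEB_SVC", "FAILED_LOGIN_ATTEMPTS", "5"),
    ("LEGACY", "FAILED_LOGIN_ATTEMPTS", None),           # NULL limit
]


def effective_limits(rows):
    """Map profile -> effective FAILED_LOGIN_ATTEMPTS limit string.

    'DEFAULT' in a non-DEFAULT profile is replaced by the DEFAULT
    profile's own limit. A None (NULL) limit is kept as None; SQL's
    IN (..., NULL) would silently skip it, so it is tested explicitly.
    """
    raw = {p: lim for p, res, lim in rows if res == "FAILED_LOGIN_ATTEMPTS"}
    default_limit = raw.get("DEFAULT")
    resolved = {}
    for profile, limit in raw.items():
        if limit == "DEFAULT" and profile != "DEFAULT":
            limit = default_limit
        resolved[profile] = limit
    return resolved


def is_finding(limit) -> bool:
    """A limit is a finding when unset, UNLIMITED, or more than 3."""
    if limit is None or limit == "UNLIMITED":
        return True
    return int(limit) > MAX_FAILED_ATTEMPTS


def findings(rows):
    """Return {profile: effective_limit} for every non-compliant profile.

    The STIG lets non-DEFAULT profiles carry an IAO-approved value, so a
    reviewer still compares this list against the System Security Plan;
    this function applies only the numeric test.
    """
    return {p: lim for p, lim in effective_limits(rows).items() if is_finding(lim)}


if __name__ == "__main__":
    for profile, limit in findings(SAMPLE_ROWS).items():
        print(f"{profile}: effective limit {limit!r} -> Finding")
```

Running it on the sample shows APP_USERS flagged only because it inherits UNLIMITED from DEFAULT; replacing the DEFAULT row with a limit of 3, as the fix's first `alter profile` does, clears APP_USERS without touching it.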
- RMF Control:
- Severity: M
- CCI:
- Version: DG0075-ORACLE11
- Vuln IDs: V-3818
- Rule IDs: SV-24389r2_rule
Checks: C-1131r2_chk
From SQL*Plus:
select db_link||': '||host from dba_db_links;
If no links are returned, this check is Not a Finding. Review documentation for definitions of authorized database links to external interfaces. The documentation should include:
- Any remote access to the database
- The purpose or function of the remote connection
- Any access to data or procedures stored externally to the local DBMS
- Any network ports or protocols used by remote connections, whether the remote connection is to a production, test, or development system
- Any security accounts used by DBMS to access remote resources or objects
If any unauthorized database links are defined or the definitions do not match the documentation, this is a Finding. NOTE: Findings for production-development links under this check are assigned to the production database only. If any database links are defined between the production database and any test or development databases, this is a Finding. If remote interface documentation does not exist or is incomplete, this is a Finding.
Fix: F-2567r1_fix
Document all remote or external interfaces used by the DBMS to connect to or allow connections from remote or external sources. Include with the documentation as appropriate, any network ports or protocols, security accounts, and the sensitivity of any data exchanged. Do not define or configure database links between production databases and test or development databases.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0076-ORACLE11
- Vuln IDs: V-3819
- Rule IDs: SV-24654r2_rule
Checks: C-28652r3_chk
If the database being reviewed is a production database, this check is Not a Finding. Review policy, procedures and restrictions for data imports of production data containing sensitive information into development databases. If data imports of production data are allowed, review procedures for protecting any sensitive data included in production exports. If sensitive data is included in the exports and no procedures are in place to remove or modify the data to render it not sensitive prior to import into a development database or policy and procedures are not in place to ensure authorization of development personnel to access sensitive information contained in production data, this is a Finding.
Fix: F-25679r1_fix
Develop, document and implement policy, procedures and restrictions for production data import. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of import policies, procedures and restrictions. Restrict permissions of development personnel requiring use or access to production data imported into development databases containing sensitive information to authorized users. Implement policy and procedures to modify or remove sensitive information in production exports prior to import into development databases.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0077-ORACLE11
- Vuln IDs: V-3820
- Rule IDs: SV-24391r2_rule
Checks: C-28658r2_chk
Review the list of instances and databases installed on the host system with the DBA. Ask which databases are production databases and which are for development. For UNIX systems, use the ps -ef|grep pmon command to see the list of databases; for Windows systems, review the list of services beginning with the name OracleService to see the list of databases. If only development or only production databases exist on this host, this check is Not a Finding. Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system to ensure developer accounts do not have access to production DBMS systems. If none are in place, this is a Finding. Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources. If they have been, this is a Finding. From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||privilege from dba_sys_privs
where (privilege like 'CREATE%' or privilege like 'ALTER%' or privilege like 'DROP%')
and privilege<>'CREATE SESSION'
and grantee not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP', 'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW', 'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS', 'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN', 'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM', 'TRACESVR','TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER', 'WMSYS','XDB')
order by grantee;
If any accounts are listed that are not on the list of IAO approved production DBAs, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place the installation in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meet STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.
Fix: F-25685r1_fix
Develop, document and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0080-ORACLE11
- Vuln IDs: V-3821
- Rule IDs: SV-24668r1_rule
Checks: C-1187r1_chk
Review policy, procedures and implementation evidence to determine if periodic reviews of user privileges by the IAO are being performed. Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned. If policy and procedures are incomplete or no evidence of implementation exists, this is a Finding.
Fix: F-2583r1_fix
Develop, document and implement policy and procedures for periodic review of database user accounts and privilege assignments. Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures.
- RMF Control:
- Severity: L
- CCI:
- Version: DG0091-ORACLE11
- Vuln IDs: V-3823
- Rule IDs: SV-28568r2_rule
Checks: C-28830r2_chk
If this is not a production database, this check is Not a Finding. From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select owner||'.'||name from dba_source
where line=1
and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS', 'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'PM', 'QS_ADM', 'RMAN', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB')
and owner not like 'OEM%'
and text not like '%wrapped%'
and type in ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY');
Review the list of results with the DBA. If any results are custom or GOTS application code, this is a Finding. If all returned results are default DBMS or COTS application code, this is not a Finding.
Fix: F-25838r1_fix
Use the Oracle WRAP utility to encode application source code stored in application database objects (stored procedures, functions, package bodies). The following may be used as an example process:
1) Export the application object source and store it in an external file. From SQL*Plus:
set show off
set heading off
set verify off
set echo off
set term off
set pagesize 0
set feedback off
set serveroutput on size 1000000
set wrap on
set trimspool on
set linesize 512
spool [output file name = proc.sql]
select text from dba_source where object_name='[object name]';
spool off
2) From the system command line, invoke the wrap utility:
wrap iname=proc.sql oname=proc.plb
This will result in the file name proc.plb.
3) Re-create the object with the encoded source code. From SQL*Plus:
@proc.plb
- RMF Control:
- Severity: M
- CCI:
- Version: DO0155-ORACLE11
- Vuln IDs: V-3846
- Rule IDs: SV-24856r4_rule
Checks: C-29413r5_chk
Run the query:
select property_name, property_value from database_properties where property_name in ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE');
If either value is set to "SYSTEM", this is a finding. Run the query:
select username from dba_users where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM') and username not in ('LBACSYS','OUTLN','SYS','SYSTEM', 'MGMT_VIEW');
If any non-default account records are returned, this is a finding.
Fix: F-26440r3_fix
Create and dedicate tablespaces to support only one application. Do not share tablespaces between applications. Do not grant quotas to application object owners on tablespaces not dedicated to their associated application. Run the queries:
alter database default tablespace <tablespace_name>;
alter database default temporary tablespace <temporary_tablespace_name>;
alter user <username> default tablespace <tablespace_name> temporary tablespace <temporary_tablespace_name>;
Replace <username> with the named user account. Replace <tablespace_name> with the new default tablespace name. Replace <temporary_tablespace_name> with the new default temporary tablespace name (typically TEMP). Repeat the "alter user" for each affected user account.
- RMF Control:
- Severity: L
- CCI:
- Version: DO0157-ORACLE11
- Vuln IDs: V-3847
- Rule IDs: SV-24501r2_rule
Checks: C-29415r2_chk
From SQL*Plus:
select username, tablespace_name from dba_ts_quotas
where username not in (select distinct owner from dba_objects)
and username not in (select grantee from dba_role_privs where granted_role='DBA');
Review the list of user names returned. If any belong to application users or application administrators, this is a Finding.
Fix: F-26442r1_fix
Assign tablespace quotas only to database accounts authorized to create and/or own objects in the database. Document authorized tablespace quotas for all accounts authorized to own objects in the System Security Plan. Remove any quotas assigned to application users, application administrators, or any other unauthorized accounts. From SQL*Plus:
alter user [username] quota 0 on [tablespace name];
Replace [username] with the named user and [tablespace name] with the identified tablespace name.
- RMF Control:
- Severity: L
- CCI:
- Version: DO0221-ORACLE11
- Vuln IDs: V-3848
- Rule IDs: SV-24868r2_rule
Checks: C-29424r2_chk
From SQL*Plus:
select instance_name from v$instance;
Review the instance name with the DBA. Ask the DBA if the instance name was chosen by the installer to conform to local naming conventions, etc. or if it was determined by the installation software. If it was named by the installation software, this is a Finding.
Fix: F-26451r1_fix
Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents) to change the SID for the database without re-creating the database to a value other than the application default.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0231-ORACLE11
- Vuln IDs: V-3849
- Rule IDs: SV-24510r3_rule
Checks: C-29426r4_chk
From SQL*Plus (Note: The owner list below is but a sample of all possible default Oracle accounts - edit according to local circumstances):
select distinct owner, tablespace_name from dba_SEGMENTS
where owner not in ('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM', 'ODM_MTR','MDSYS','ORDSYS','WMSYS','RMAN','XDB', 'AUDSYS','DBSNMP','GSMADMIN_INTERNAL')
order by tablespace_name;
Review the list of returned table owners with the tablespace used. If any of the owners listed are not default Oracle accounts and use the "SYSTEM" or any other tablespace not dedicated for the application's use, this is a Finding. Look for multiple applications that may share a tablespace. If no records were returned, ask the DBA if any applications use this database. If no applications use the database, this is not a Finding. If there are applications that do use the database or if the application uses the "SYS" or other default account and "SYSTEM" tablespace to store its objects, this is a Finding.
Fix: F-26453r1_fix
Create and assign dedicated tablespaces for the storage of data by each application using the CREATE TABLESPACE command.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0234-ORACLE11
- Vuln IDs: V-3850
- Rule IDs: SV-24872r1_rule
Checks: C-26538r1_chk
From SQL*Plus:
select value from v$parameter where name = 'audit_trail';
select value from v$parameter where name = 'audit_file_dest';
If audit_trail is NOT set to TRUE, OS, XML or XML, EXTENDED per MetaLink Note 30690.1, this check is Not a Finding.
On UNIX Systems:
ls -ld [pathname]
Substitute [pathname] with the directory path listed from the above SQL command for audit_file_dest. If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.
On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. On Windows hosts, records are also written to the Windows application event log. The location of the application event log is listed under Properties for the log under the Windows console. The default location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt. If permissions are granted to everyone, this is a Finding. If any accounts other than the Administrators, DBAs, System group, auditors or backup operators are listed, this is a Finding.
Fix: F-26455r1_fix
Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle process and software owner accounts, DBAs, backup accounts, SAs (if required) and auditors. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list in the System Security Plan.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0238-ORACLE11
- Vuln IDs: V-3854
- Rule IDs: SV-24513r1_rule
Checks: C-29431r1_chk
From SQL*Plus:
select log_mode from v$database;
select value from v$parameter where name = 'log_archive_dest';
select value from v$parameter where name = 'log_archive_duplex_dest';
select name, value from v$parameter where name LIKE 'log_archive_dest_%';
If the value returned for LOG_MODE is NOARCHIVELOG, this check is Not a Finding. If a value is not returned for LOG_ARCHIVE_DEST and no values are returned for any of the LOG_ARCHIVE_DEST_[1-10] parameters, this is a Finding. NOTE: LOG_ARCHIVE_DEST and LOG_ARCHIVE_DUPLEX_DEST are incompatible with the LOG_ARCHIVE_DEST_n parameters, and must be defined as the null string (' ') when any LOG_ARCHIVE_DEST_n parameter has a value other than a null string.
On UNIX Systems:
ls -ld [pathname]
Substitute [pathname] with the directory paths listed from the above SQL statements for log_archive_dest and log_archive_duplex_dest. If permissions are granted for world access, this is a Finding.
On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.
Fix: F-26460r1_fix
Specify a valid and protected directory for archive log files. Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.
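Both DO0234 (AUDIT_FILE_DEST) and DO0238 (the archive log destinations) rely on reading `ls -ld` output for world access and the owning group. The following added example (not STIG or Oracle code) performs the same UNIX inspection from the mode bits directly, reporting the owner, group and group member list the reviewer has to compare against the accounts the STIG permits. The demo at the bottom creates a throwaway directory under a temporary path rather than touching a real destination; that path and the function names are constructed for this illustration.

```python
"""Check an Oracle audit or archive-log destination directory for world
access, as the UNIX part of the DO0234 and DO0238 checks does.

Added illustration, not STIG or Oracle code. Reads the mode bits with
os.stat instead of parsing 'ls -ld' and reports owner/group so the
reviewer can compare them with the permitted account lists.
"""

import grp
import os
import pwd
import stat
import tempfile

WORLD_BITS = stat.S_IRWXO  # read, write, execute bits for 'other'
GROUP_BITS = stat.S_IRWXG


def world_accessible(path: str) -> bool:
    """True when any read/write/execute bit is set for 'other'."""
    return bool(os.stat(path).st_mode & WORLD_BITS)


def describe_destination(path: str) -> dict:
    """Summarise a destination directory the way 'ls -ld' would.

    Returns the octal mode, owner, group, the group's supplementary
    member list (gr_mem does not list accounts whose primary group it
    is, so a reviewer still checks /etc/passwd for those), and whether
    the world bits make this a finding.
    """
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group_entry = grp.getgrgid(st.st_gid)
        group, members = group_entry.gr_name, list(group_entry.gr_mem)
    except KeyError:
        group, members = str(st.st_gid), []
    world = bool(st.st_mode & WORLD_BITS)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner": owner,
        "group": group,
        "group_members": members,
        "world_access": world,
        "group_access": bool(st.st_mode & GROUP_BITS),
        "finding": world,
    }


def demo_audit_dest(mode: int) -> dict:
    """Create a throwaway directory with the given mode and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed path; a real AUDIT_FILE_DEST comes from v$parameter.
        dest = os.path.join(tmp, "adump")
        os.mkdir(dest)
        os.chmod(dest, mode)
        return describe_destination(dest)


if __name__ == "__main__":
    for mode in (0o755, 0o750, 0o700):
        info = demo_audit_dest(mode)
        verdict = "Finding" if info["finding"] else "Not a Finding"
        print(f"mode {info['mode']} owner {info['owner']} group {info['group']} "
              f"members {info['group_members']}: {verdict}")
```

To use it on a live system, call `describe_destination()` with the value returned for audit_file_dest or each log_archive_dest parameter; the `group_members` list is what the DO0234 text asks to compare against the Oracle owner, DBA, auditor and backup accounts.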
- RMF Control:
- Severity: M
- CCI:
- Version: DO0243-ORACLE11
- Vuln IDs: V-3857
- Rule IDs: SV-24884r2_rule
Checks: C-29435r2_chk
From SQL*Plus:
select value from v$parameter where name = '_trace_files_public';
If the value returned is TRUE, this is a Finding. If the parameter does not exist or is set to FALSE, this is Not a Finding.
Fix: F-26468r1_fix
From SQL*Plus (shutdown database instance):
shutdown immediate
From SQL*Plus (create a pfile from spfile):
create pfile='[PATH]init[SID].ora' from spfile;
Edit the init[SID].ora file and remove the following line:
*._trace_files_public=TRUE
From SQL*Plus (update the spfile using the pfile):
create spfile from pfile='[PATH]init[SID].ora';
From SQL*Plus (start the database instance):
startup
NOTE: [PATH] depends on the platform (Windows or UNIX). Ensure the file is directed to a writable location. [SID] is equal to the oracle SID or database instance ID.
- RMF Control:
- Severity: L
- CCI:
- Version: DO0420-ORACLE11
- Vuln IDs: V-3865
- Rule IDs: SV-24899r1_rule
Checks: C-29455r1_chk
From SQL*Plus:
select count(*) from dba_users where username = 'XDB';
select count(*) from v$parameter where name = 'dispatchers' and value like '%XDB%';
If a value of 0 is returned for either the first or the second SQL statement above, this is not a Finding. If a value of 1 (or more) is returned for the second SQL statement, review the System Security Plan to verify that the existence of all XML DB dispatchers is authorized. If it is not, this is a Finding.
Fix: F-22836r1_fix
If the database is authorized to support web services using XML over HTTP, then include documentation and authorization in the System Security Plan. If not authorized, uninstall XML DB per Oracle MetaLink Note 742014.1.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0004-ORACLE11
- Vuln IDs: V-5683
- Rule IDs: SV-24589r2_rule
Checks: C-1073r2_chk
From SQL*Plus (NOTE: the owner list below is a short list of all possible default Oracle accounts):
select distinct owner
  from dba_objects, dba_users
 where owner not in ('ANONYMOUS','AURORA$JIS$UTILITY$',
       'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP','DVF',
       'DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW','ODM',
       'ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN',
       'OUTLN','PERFSTAT','PUBLIC','REPADMIN','RMAN',
       'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
       'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB')
   and owner in (select distinct owner from dba_objects where object_type <> 'SYNONYM')
   and owner = username
   and upper(account_status) not like '%LOCKED%';
To obtain a list of users assigned DBA privileges, from SQL*Plus:
select grantee from dba_role_privs where granted_role = 'DBA';
If any records are returned, verify that the account is an authorized application object owner account or a default account installed to support an Oracle product. Verify that any objects owned by custom DBA accounts are for the personal use of that DBA. If any objects are used to support applications or any functions other than DBA functions, this is a Finding. Any unauthorized object owner accounts are not a finding under this check, as they are noted as findings under check DG0008. Any other accounts listed are a Finding.
Fix: F-15683r1_fix
Disable any application object owner accounts. From SQL*Plus:
alter user [username] account lock;
Enable application object owner accounts only for installation and maintenance. DBA accounts are special purpose accounts and do not require disabling although they may own objects. For application objects that require routine maintenance (e.g. index objects, to maintain performance), consider allowing a special purpose account to own the index, or enable the application owner account for the duration of the routine maintenance function only.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0029-ORACLE11
- Vuln IDs: V-5685
- Rule IDs: SV-24615r2_rule
Checks: C-1126r2_chk
From SQL*Plus:
select value from v$parameter where name = 'audit_trail';
If the value returned is NONE, this is a Finding.
Fix: F-22677r1_fix
Enable database auditing. Select the desired audit trail format (external file or internal database table). From SQL*Plus:
alter system set audit_trail=[audit trail format] scope=spfile;
Compliant selections for [audit trail format] on Oracle 11.1 through 11.2 (per MetaLink Note 30690.1) are 'os', 'db', 'db_extended', 'xml' and 'xml, extended'. The value 'true' is accepted for backward compatibility only and is equivalent to 'db' (the database audit trail in SYS.AUD$), not to 'os'. The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0032-ORACLE11
- Vuln IDs: V-5686
- Rule IDs: SV-24622r2_rule
Checks: C-26277r2_chk
From SQL*Plus:
select value from v$parameter where name='audit_trail';
If none of the following values is displayed, this check is Not a Finding (the audit trail is not stored in AUD$): 'db', 'db_extended' (shown as DB, EXTENDED in V$PARAMETER) for Oracle 11.1 through 11.2.
Review access granted to the AUD$ table. From SQL*Plus:
select grantee from dba_tab_privs
 where table_name = 'AUD$'
   and grantee not in ('DELETE_CATALOG_ROLE')
   and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
 order by grantee;
Compare the access granted to the AUD$ table against those authorized in the System Security Plan. If any are not authorized, this is a Finding.
Fix: F-2559r1_fix
Document and authorize accounts granted access to the AUD$ table in the System Security Plan. Revoke access permissions granted to the AUD$ table from unauthorized users.
- RMF Control:
- Severity: L
- CCI:
- Version: DG0089-ORACLE11
- Vuln IDs: V-15114
- Rule IDs: SV-24395r1_rule
Checks: C-19608r1_chk
If this database is not a production database, this check is Not a Finding. Review the privileges assigned to developer accounts. Identify the login names of developer DBMS accounts from the System Security Plan and/or the DBA. For each developer account, display the roles assigned to the account. From SQL*Plus:
select granted_role from dba_role_privs where grantee = '[developer account name]';
If privileges assigned to developer accounts are not restricted to development objects and configurations, or authorization allowing developer account access to production objects and configurations does not exist in the System Security Plan, this is a Finding.
Fix: F-2590r1_fix
Revoke permissions and privileges that allow changes to the production system or production objects from developer accounts or authorize permissions and privileges for developer accounts in the System Security Plan.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0105-ORACLE11
- Vuln IDs: V-15128
- Rule IDs: SV-24705r1_rule
Checks: C-1092r1_chk
Compare privileges assigned to database application user roles to those defined in the System Security Plan. If the assigned privileges do not match the authorized list of privileges, this is a Finding.
Fix: F-2558r1_fix
Use the grant and revoke commands to assign the authorized privileges as listed in the System Security Plan to custom database application or application user roles.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0074-ORACLE11
- Vuln IDs: V-15130
- Rule IDs: SV-24652r1_rule
Checks: C-29176r1_chk
Review procedures and implementation for monitoring the DBMS for account expiration and account inactivity. Verify that implemented procedures are in place to ensure that:
- expired or locked accounts not required for system or application operation are authorized to remain and are documented;
- unlocked accounts that have been inactive for more than 30 days are authorized to remain unlocked;
- unauthorized accounts that have been inactive for 30 days are expired and locked;
- expired or locked accounts that are not authorized to remain are dropped.
A finding for this check would be based on insufficient documentation and implemented procedures for monitoring DBMS accounts.
Fix: F-26187r1_fix
Develop, document and implement procedures to monitor database accounts for inactivity and account expiration. Investigate and re-authorize or delete [if appropriate] any accounts that are expired or have been inactive for more than 30 days. Where appropriate, protect authorized expired or inactive accounts by disabling them or applying some other similar protection. NOTE: Password and account requirements have changed for DoD since this STIG requirement was published.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0031-ORACLE11
- Vuln IDs: V-15133
- Rule IDs: SV-28970r1_rule
Checks: C-29549r1_chk
If the application does not require auditing using DBMS features, this check is Not Applicable. Review the application System Security Plan for requirements for database configuration for auditing changes to application data. If the application requires DBMS auditing for changes to data, review the database audit configuration against the application requirement. If the auditing does not comply with the requirement, this is a Finding.
Fix: F-26651r1_fix
Configure database data auditing to comply with the requirements of the application. Document auditing requirements in the System Security Plan.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0102-ORACLE11
- Vuln IDs: V-15141
- Rule IDs: SV-24702r2_rule
Checks: C-29295r1_chk
Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software.
On UNIX Systems (enter at command prompt):
ps -ef | grep -i pmon | grep -v grep     (all database processes)
ps -ef | grep -i tns | grep -v grep      (all listener processes)
ps -ef | grep -i dbsnmp | grep -v grep   (Oracle Intelligent Agents)
Sample output (database processes):
oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1
Sample output (listener processes):
oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit
Sample output (agent processes):
oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp
In the above samples, the first column ("oracle") is the user account that owns the process. If any Oracle processes are not running under a dedicated OS account, this is a Finding.
For Windows Systems: Log in using an account with administrator privileges. Open the Services snap-in. Review the Oracle services. All Oracle services should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem. If any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding. If any Oracle service is run as LocalSystem, this is a Finding.
Fix: F-26327r1_fix
On UNIX Systems: Ensure the Oracle Owner account is used for all Oracle processes. The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account. On Windows Systems: Create and assign a dedicated Oracle Windows OS account for all Oracle processes.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0166-ORACLE11
- Vuln IDs: V-15142
- Rule IDs: SV-24819r1_rule
Checks: C-29383r1_chk
If Asymmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding. For each asymmetric key identified as being used to encrypt sensitive data, verify the key owner is an application object owner or other non-DBA account. If the key owner listed is a DBA, this is a Finding. If any key owner is not the application object owner account or an account specific to the application as documented in the System Security Plan, this is a Finding. If any asymmetric keys whose private key is not encrypted exist in the database, this is a Finding. Review the access permissions to asymmetric keys. Verify that any permission granted is authorized in the System Security Plan for access to the key. Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a DBA or other system privileged account results in the generation of an audit record. This is required because system privileges that allow access to encryption keys may be used to access sensitive data where the privileged user does not have a job function need-to-know the data. If an audit record is not generated for unauthorized access to the asymmetric key, this is a Finding.
Fix: F-26408r1_fix
Use DoD code-signing certificates to create asymmetric keys stored in the database that are used to encrypt sensitive data stored in the database. Assign the application object owner account as the owner of asymmetric keys used by the application. Create audit events for access to the key by other than the application owner account or approved application objects. Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users. Protect the private key by encrypting it with the database system master key where available. Where available, store encryption keys and certificates on hardware security modules (HSM). Oracle Advanced Security is required to provide asymmetric key management features.
- RMF Control:
- Severity: L
- CCI:
- Version: DG0153-ORACLE11
- Vuln IDs: V-15149
- Rule IDs: SV-24979r1_rule
Checks: C-3818r1_chk
Review the documented procedures for approval and granting of DBA privileges. Review implementation evidence for the procedures. If procedures do not exist or evidence that they are followed does not exist, this is a Finding.
Fix: F-20278r1_fix
Develop, document and implement procedures to ensure all DBA role assignments are authorized and assigned by the IAO. Include methods that provide evidence of approval in the procedures.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0079-ORACLE11
- Vuln IDs: V-15152
- Rule IDs: SV-24666r2_rule
Checks: C-1132r2_chk
From SQL*Plus:
select profile, limit
  from dba_profiles,
       (select limit as def_pwd_verify_func
          from dba_profiles
         where resource_name = 'PASSWORD_VERIFY_FUNCTION'
           and profile = 'DEFAULT')
 where resource_name = 'PASSWORD_VERIFY_FUNCTION'
   and replace(limit, 'DEFAULT', def_pwd_verify_func) in ('UNLIMITED', 'NULL');
If any records are returned, this is a Finding.
NOTE: DBA_PROFILES reports a profile with no verify function as the literal string 'NULL', not as a SQL null, so the comparison must be against the quoted string. An IN list containing a bare NULL never matches and would report every unprotected profile as compliant. A custom profile whose limit is DEFAULT inherits the DEFAULT profile's function, which is what the replace() above resolves.
Fix: F-2569r1_fix
Create or use a password verify function that enforces password complexity. See the sample below, which meets DoD requirements. Modify profiles to specify the password verify function created. From SQL*Plus:
Rem This script was modified from the Oracle utlpwdmg.sql default script.
Rem
-- This script sets the default password resource parameters.
-- This script needs to be run to enable the password features.
-- However, the default resource parameters can be changed based on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like the minimum
-- length of the password, password not same as the username, etc. The user may
-- enhance this function according to the need.
-- This function must be created in SYS schema:
-- connect sys/<password> as sysdba before running the script
CREATE OR REPLACE FUNCTION verify_password_dod
  (username varchar2, password varchar2, old_password varchar2)
  RETURN boolean IS
  n            boolean;
  m            integer;
  differ       integer;
  isdigit      boolean;
  numdigit     integer;
  ispunct      boolean;
  numpunct     integer;
  islowchar    boolean;
  numlowchar   integer;
  isupchar     boolean;
  numupchar    integer;
  digitarray   varchar2(10);
  punctarray   varchar2(25);
  lowchararray varchar2(26);
  upchararray  varchar2(26);
  pw_change_time date;
BEGIN
  digitarray   := '0123456789';
  lowchararray := 'abcdefghijklmnopqrstuvwxyz';
  upchararray  := 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  punctarray   := '@!"#$%&()``*+,-/:;<=>?_';
  -- Check if the password is same as the username
  if nls_lower(password) = nls_lower(username) then
    raise_application_error(-20001, 'Password same as or similar to user');
  end if;
  -- Check for the minimum length of the password
  if length(password) < 15 then
    raise_application_error(-20002, 'Password length less than 15');
  end if;
  -- Check if the password is too simple. A dictionary of words may be maintained
  -- and a check may be made so as not to allow the words that are too simple for
  -- the password.
  if nls_lower(password) in ('welcome','database','account','user','password',
                             'oracle','computer','abcdefgh','12345') then
    raise_application_error(-20002, 'Password too simple');
  end if;
  -- Check if the password contains at least two each of the following:
  -- uppercase characters, lowercase characters, digits and special characters.
  -- 1. Check for the digits
  isdigit  := FALSE;
  numdigit := 0;
  m := length(password);
  for i in 1..10 loop
    for j in 1..m loop
      if substr(password, j, 1) = substr(digitarray, i, 1) then
        numdigit := numdigit + 1;
      end if;
      if numdigit > 1 then
        isdigit := TRUE;
        goto findlowchar;
      end if;
    end loop;
  end loop;
  if isdigit = FALSE then
    raise_application_error(-20003, 'Password should contain at least two digits');
  end if;
  -- 2. Check for the lowercase characters
  <<findlowchar>>
  islowchar  := FALSE;
  numlowchar := 0;
  m := length(password);
  for i in 1..length(lowchararray) loop
    for j in 1..m loop
      if substr(password, j, 1) = substr(lowchararray, i, 1) then
        numlowchar := numlowchar + 1;
      end if;
      if numlowchar > 1 then
        islowchar := TRUE;
        goto findupchar;
      end if;
    end loop;
  end loop;
  if islowchar = FALSE then
    raise_application_error(-20003, 'Password should contain at least two lowercase characters');
  end if;
  -- 3. Check for the UPPERCASE characters
  <<findupchar>>
  isupchar  := FALSE;
  numupchar := 0;
  m := length(password);
  for i in 1..length(upchararray) loop
    for j in 1..m loop
      if substr(password, j, 1) = substr(upchararray, i, 1) then
        numupchar := numupchar + 1;
      end if;
      if numupchar > 1 then
        isupchar := TRUE;
        goto findpunct;
      end if;
    end loop;
  end loop;
  if isupchar = FALSE then
    raise_application_error(-20003, 'Password should contain at least two uppercase characters');
  end if;
  -- 4. Check for the punctuation
  <<findpunct>>
  ispunct  := FALSE;
  numpunct := 0;
  m := length(password);
  for i in 1..length(punctarray) loop
    for j in 1..m loop
      if substr(password, j, 1) = substr(punctarray, i, 1) then
        numpunct := numpunct + 1;
      end if;
      if numpunct > 1 then
        ispunct := TRUE;
        goto endsearch;
      end if;
    end loop;
  end loop;
  if ispunct = FALSE then
    raise_application_error(-20003, 'Password should contain at least two punctuation characters');
  end if;
  -- Check if the password differs from the previous password
  -- by at least 4 characters (length difference plus positional differences)
  <<endsearch>>
  if old_password is not null then
    differ := length(old_password) - length(password);
    if abs(differ) < 4 then
      if length(password) < length(old_password) then
        m := length(password);
      else
        m := length(old_password);
      end if;
      differ := abs(differ);
      for i in 1..m loop
        if substr(password, i, 1) != substr(old_password, i, 1) then
          differ := differ + 1;
        end if;
      end loop;
      if differ < 4 then
        raise_application_error(-20004, 'Password should differ by more than 4 characters');
      end if;
    end if;
  end if;
  -- Everything is fine. return TRUE
  RETURN(TRUE);
EXCEPTION
  WHEN OTHERS THEN
    raise_application_error(-20000, 'verify_password_dod: Unexpected error: ' || SQLERRM, TRUE);
END;
/
alter profile default limit password_verify_function verify_password_dod;
NOTE: Password and account requirements have changed for DoD since the STIG requirement listed in the table for this check was published.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0125-ORACLE11
- Vuln IDs: V-15153
- Rule IDs: SV-24780r2_rule
Checks: C-29356r2_chk
NOTE: Use of authentication via certificate or CAC for Oracle accounts makes the accounts non-interactive for the purposes of this check. The DEFAULT profile is required to have a password lifetime set not to exceed 60 days, which is the current password lifetime limit per DoD policy. Custom profiles for non-interactive accounts (accounts used by applications or other systems) may have PASSWORD_LIFE_TIME set to a time greater than 60 days, but must still have a limit assigned. Limits of one year or less for non-interactive accounts require IAO authorization and should be set to a lifetime as low as administration and operation of the application will support.
From SQL*Plus:
select profile, limit
  from dba_profiles,
       (select limit as def_pwd_life_tm
          from dba_profiles
         where profile = 'DEFAULT'
           and resource_name = 'PASSWORD_LIFE_TIME')
 where resource_name = 'PASSWORD_LIFE_TIME'
   and ((replace(limit, 'DEFAULT', def_pwd_life_tm) in ('UNLIMITED', 'NULL'))
        or (lpad(replace(limit, 'DEFAULT', def_pwd_life_tm), 40, '0') > lpad('60', 40, '0')));
If the DEFAULT profile has a value greater than 60 days, this is a Finding. If any non-default profiles have password lifetimes greater than 60 days and are assigned to interactive accounts, this is a Finding. If any non-default profiles have password lifetimes greater than 365 days (1 year) and are assigned to any accounts, this is a Finding. If any profiles have PASSWORD_LIFE_TIME set to UNLIMITED, NULL or no value, this is a Finding. Verify in the System Security Plan that all accounts assigned to profiles with a password lifetime greater than 60 days belong to non-interactive accounts.
Fix: F-26382r1_fix
Assign a password lifetime of 60 days or less to the default database profile. Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts. Assign a password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes. Include a list of all database accounts and their profile assignments in the System Security Plan. Modify profiles to assign a password lifetime. From SQL*Plus:
alter profile default limit password_life_time 60;
alter profile [profile name] limit password_life_time [60 to 365];
Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.
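The two profile checks above (DG0079 on PASSWORD_VERIFY_FUNCTION and DG0125 on PASSWORD_LIFE_TIME) share the same resolution step: a custom profile whose limit is the string DEFAULT takes the DEFAULT profile's value, which the SQL does with replace(). The block below is an added example serving both checks; it is not STIG text. It works on rows shaped like (PROFILE, RESOURCE_NAME, LIMIT) from DBA_PROFILES, handles the literal 'NULL' that DBA_PROFILES reports for an absent verify function, and applies the 60-day and 365-day ceilings according to whether a profile is assigned to interactive accounts, a fact that comes from the System Security Plan and is therefore passed in by the caller. The sample rows, profile names and function names are constructed for illustration.

```python
"""Offline evaluation of the password verify function and password lifetime checks
(added example, not STIG text)."""

INTERACTIVE_LIMIT_DAYS = 60       # DEFAULT profile and profiles on interactive accounts
NON_INTERACTIVE_LIMIT_DAYS = 365  # profiles on non-interactive accounts, with IAO authorization


def resolve_limit(rows, profile, resource_name):
    """Effective limit for (profile, resource_name), following 'DEFAULT' to the DEFAULT profile."""
    limits = {(p, r): lim for p, r, lim in rows}
    limit = limits[(profile, resource_name)]
    if limit == "DEFAULT":
        limit = limits[("DEFAULT", resource_name)]
    return limit


def verify_function_finding(rows, profile):
    """DG0079: a finding when the effective PASSWORD_VERIFY_FUNCTION is absent.

    DBA_PROFILES shows an absent function as the literal string 'NULL'.
    """
    return resolve_limit(rows, profile, "PASSWORD_VERIFY_FUNCTION") in ("UNLIMITED", "NULL")


def lifetime_finding(rows, profile, interactive):
    """DG0125: 60 days max for DEFAULT and interactive profiles, 365 otherwise; never UNLIMITED."""
    limit = resolve_limit(rows, profile, "PASSWORD_LIFE_TIME")
    if limit in ("UNLIMITED", "NULL", ""):
        return True
    days = float(limit)  # Oracle accepts fractional days, e.g. '.5' for twelve hours
    if profile == "DEFAULT" or interactive:
        return days > INTERACTIVE_LIMIT_DAYS
    return days > NON_INTERACTIVE_LIMIT_DAYS


def audit_profiles(rows, interactive_profiles):
    """Map each profile name to its two findings (True means a finding)."""
    report = {}
    for profile in sorted({p for p, _, _ in rows}):
        report[profile] = {
            "verify_function": verify_function_finding(rows, profile),
            "lifetime": lifetime_finding(rows, profile, profile in interactive_profiles),
        }
    return report


# Constructed sample shaped like an 11g instance: the shipped DEFAULT profile
# (180-day lifetime, no verify function), a compliant admin profile, a service
# account profile that inherits DEFAULT's verify function, and one UNLIMITED profile.
SAMPLE_ROWS = [
    ("DEFAULT", "PASSWORD_LIFE_TIME", "180"),
    ("DEFAULT", "PASSWORD_VERIFY_FUNCTION", "NULL"),
    ("ADMINS", "PASSWORD_LIFE_TIME", "45"),
    ("ADMINS", "PASSWORD_VERIFY_FUNCTION", "VERIFY_PASSWORD_DOD"),
    ("APP_SVC", "PASSWORD_LIFE_TIME", "365"),
    ("APP_SVC", "PASSWORD_VERIFY_FUNCTION", "DEFAULT"),
    ("BATCH", "PASSWORD_LIFE_TIME", "UNLIMITED"),
    ("BATCH", "PASSWORD_VERIFY_FUNCTION", "VERIFY_PASSWORD_DOD"),
]
INTERACTIVE_PROFILES = {"ADMINS"}  # from the System Security Plan account list (constructed)


if __name__ == "__main__":
    for name, findings in audit_profiles(SAMPLE_ROWS, INTERACTIVE_PROFILES).items():
        print(name, findings)
```

The APP_SVC row shows why the DEFAULT resolution matters: its own PASSWORD_VERIFY_FUNCTION row reads DEFAULT, which looks configured until it is followed to the DEFAULT profile's 'NULL'.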
- RMF Control:
- Severity: M
- CCI:
- Version: DG0190-ORACLE11
- Vuln IDs: V-15154
- Rule IDs: SV-25082r1_rule
Checks: C-942r1_chk
Review the list of defined database links generated from the DBMS. Compare to the list in the System Security Plan with the DBA. If no database links are listed in the database and in the System Security Plan, this check is Not a Finding. If any database links are defined in the DBMS, verify the authorization for the definition in the System Security Plan. If any database links exist that are not authorized or not listed in the System Security Plan, this is a Finding.
Fix: F-24662r1_fix
Grant access to database links to authorized users or applications only. Document all database links access authorizations in the System Security Plan.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0008-ORACLE11
- Vuln IDs: V-15607
- Rule IDs: SV-24592r2_rule
Checks: C-1094r2_chk
From SQL*Plus (NOTE: the owner list below is a short list of all possible default Oracle accounts):
select distinct owner
  from dba_objects
 where owner not in ('ANONYMOUS','AURORA$JIS$UTILITY$',
       'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP','DVF','DVSYS',
       'EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW','ODM','ODM_MTR',
       'OLAPSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN','OUTLN','PERFSTAT',
       'PUBLIC','REPADMIN','RMAN','SI_INFORMTN_SCHEMA',
       'SYS','SYSMAN','SYSTEM','TRACESVR',
       'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB')
   and owner not in (select grantee from dba_role_privs where granted_role='DBA');
If any records are returned, confirm that any database object owner accounts listed are application owner accounts authorized by the IAO. If any are not, this is a Finding.
NOTE: Confirmed default Oracle accounts returned by the SQL statement above should be considered a false positive. See Oracle MetaLink Note 160861.1 for a current list of default accounts.
NOTE: Some applications may be designed to require users to create temporary tables during application execution. This design is not considered good security practice and results in a Finding for unauthorized application object owners, as application user accounts are not allowed to have system privileges assigned (CREATE TABLE, etc.) nor allowed to own objects in the database. One possible suggestion for resolving this issue is to have the application object owner create a static table for user temporary data storage. All users would share the same table.
Fix: F-16157r1_fix
Document all authorized application object owner accounts. Use only authorized application object owner accounts to install and maintain application database objects. Revoke privileges to create, drop, replace or alter application objects from unauthorized application object owners.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0014-ORACLE11
- Vuln IDs: V-15609
- Rule IDs: SV-24604r2_rule
Checks: C-1099r2_chk
From SQL*Plus:
select username from dba_users
 where username in ('ALLUSERS', 'AOLDEMO', 'AQDEMO', 'AQJAVA', 'AQUSER', 'AUC_GUEST', 'BI',
       'CTXDEMO', 'DEMO8', 'DEV2000_DEMOS', 'HR', 'IX', 'OE', 'ORABAMSAMPLES', 'PM',
       'PORTAL_DEMO', 'PORTAL30_DEMO', 'QS', 'SCOTT', 'SECDEMO', 'SH', 'WK_TEST')
    or username like 'QS_%';
If any usernames are listed and are not documented in the System Security Plan and authorized by the IAO, this is a Finding. See MetaLink Note 160861.1 for a list of Oracle database users and their usages.
Fix: F-17990r1_fix
For the sample applications and schemas shipped with the Oracle database installation, use the provided SQL scripts (if present) to remove the application objects and drop the demo users and schemas. From SQL*Plus:
-- Human Resources application:
@?/demo/schema/human_resources/hr_drop.sql
-- Order Entry application (OE and its Online Catalog subschema):
@?/demo/schema/order_entry/oe_drop.sql
@?/demo/schema/order_entry/oc_drop.sql
-- Product Media application:
@?/demo/schema/product_media/pm_drop.sql
-- Information Exchange application:
@?/demo/schema/information_exchange/ix_drop.sql
-- Sales History application:
@?/demo/schema/sales_history/sh_drop.sql
For other demo applications, deinstall using the SQL command:
drop user [demo username] cascade;
- RMF Control:
- Severity: M
- CCI:
- Version: DG0078-ORACLE11
- Vuln IDs: V-15613
- Rule IDs: SV-24663r1_rule
Checks: C-1068r1_chk
Review DBMS account names against the list of authorized DBMS accounts in the System Security Plan. If any accounts indicate use by multiple persons and are not mapped to a specific person, this is a Finding. If any applications or processes share an account that could be assigned an individual account, or are not specified as requiring a shared account, this is a Finding. Note: Privileged installation accounts may be required to be accessed by DBAs or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.
Fix: F-2541r1_fix
Create individual accounts for each user, application, or other process that requires a database connection. Document any accounts that are shared where separation is not supported by the application or for maintenance support. Design, develop and implement a method to log use of any account to which more than one person has access. Restrict interactive access to shared accounts to the fewest persons possible.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0085-ORACLE11
- Vuln IDs: V-15615
- Rule IDs: SV-24673r2_rule
Checks: C-15804r2_chk
From SQL*Plus:
select username from v$pwfile_users
 where username not in (select grantee from dba_role_privs where granted_role='DBA')
   and username <> 'INTERNAL'
   and (sysdba = 'TRUE' or sysoper = 'TRUE');
If any accounts are listed and are not authorized by the IAO in the System Security Plan, this is a Finding.
Fix: F-2586r1_fix
If a REMOTE_LOGIN_PASSWORDFILE is in use (= 'EXCLUSIVE'), list the database accounts assigned the SYSDBA and SYSOPER privileges and review them for appropriate authorization. Document authorized SYSDBA and SYSOPER users in the System Security Plan. From SQL*Plus:
select * from v$pwfile_users;
To revoke SYSDBA or SYSOPER from accounts, from SQL*Plus:
revoke sysdba from [username];
revoke sysoper from [username];
- RMF Control:
- Severity: L
- CCI:
- Version: DG0087-ORACLE11
- Vuln IDs: V-15616
- Rule IDs: SV-24393r2_rule
Checks: C-17063r2_chk
If the database does not contain sensitive data, this check is Not a Finding. If Oracle Label Security is not installed and the database contains sensitive data, this is a Finding. From SQL*Plus:
select * from DBA_SA_USERS;
Compare the results to the requirements for labeling as specified in the System Security Plan. If label security is not configured as specified in the System Security Plan, this is a Finding.
Fix: F-2587r1_fix
Develop, document and implement label security requirements. Install and configure label security in accordance with the System Security Plan. Monitor and audit changes to the label security configuration.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0098-ORACLE11
- Vuln IDs: V-15617
- Rule IDs: SV-24694r1_rule
Checks: C-19611r1_chk
From SQL*Plus:
select value from v$parameter where name='utl_file_dir';
If the returned value contains '*', this is a Finding.
Fix: F-2614r1_fix
Where its use is authorized, restrict access by a database session to external host files. From SQL*Plus:
alter system set utl_file_dir=[authorized directory] scope=spfile;
Replace [authorized directory] with the directory path where file access and storage is authorized. Review Oracle MetaLink Note 39037.1 if you need to define multiple authorized directories. The above SQL*Plus command will set the parameter to take effect at next system startup. Directory objects (CREATE DIRECTORY with explicit GRANT READ/WRITE ON DIRECTORY to the accounts that need them) provide the same file access without an instance-wide parameter and are the preferred mechanism where the application supports them.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0100-ORACLE11
- Vuln IDs: V-15619
- Rule IDs: SV-24407r1_rule
Checks: C-938r1_chk
If a review of the System Security Plan confirms the use of replication is not required, not permitted and the database is not configured for replication, this check is Not a Finding. If any replication accounts are assigned DBA roles or roles with DBA privileges, this is a Finding.
Fix: F-2615r1_fix
Restrict privileges assigned to replication accounts to the fewest possible privileges. Remove DBA roles from replication accounts. Create and use custom replication accounts assigned least privileges for supporting replication operations.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0112-ORACLE11
- Vuln IDs: V-15623
- Rule IDs: SV-24419r1_rule
Checks: C-948r1_chk
From SQL*Plus:
select file_name from dba_data_files where tablespace_name='SYSTEM';
Review the files in the directory shown above. Allowable files are instance data files (*.dbf), REDO log files (redo*.log) and CONTROL files (*.ctl). If any files other than these exist in the directory, this is a Finding. A good best practice (not consistently endorsed by the Oracle community) is, on database creation, to use separate subdirectories for data, redo and control files under the instance name directory instead of a single directory containing all of the instance's data, redo and control files.
Fix: F-3414r1_fix
Create a dedicated directory or dedicated subdirectories to store database instance files. Reconfigure the Oracle instance to point to the files in the new locations. Where feasible, locate database instance files on a dedicated disk partition and/or RAID device to provide additional protection.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0116-ORACLE11
- Vuln IDs: V-15626
- Rule IDs: SV-24723r2_rule
Checks: C-953r2_chk
From SQL*Plus (NOTE: the grantee list below is a short list of all possible default Oracle accounts and roles):
select grantee||': '||granted_role
  from dba_role_privs
 where grantee not in ('ANONYMOUS','AURORA$JIS$UTILITY$',
       'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
       'DMSYS','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS',
       'MGMT_VIEW','ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
       'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','REPADMIN','RMAN',
       'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
       'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB')
   and grantee not in ('DBA', 'OLAP_USER', 'IP', 'ORASSO_PUBLIC', 'PORTAL_PUBLIC',
       'DATAPUMP_EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE',
       'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'OLAP_DBA',
       'EXECUTE_CATALOG_ROLE', 'SELECT_CATALOG_ROLE', 'JAVASYSPRIV')
   and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
   and grantee not in (select distinct owner from dba_objects)
   and granted_role in ('AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE','CTXAPP',
       'DELETE_CATALOG_ROLE','EJBCLIENT','EXECUTE_CATALOG_ROLE',
       'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS',
       'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE',
       'IMP_FULL_DATABASE','JAVADEBUGPRIV','JAVAIDPRIV',
       'JAVASYSPRIV','JAVAUSERPRIV','JAVA_ADMIN','JAVA_DEPLOY',
       'LOGSTDBY_ADMINISTRATOR','OEM_MONITOR','OLAP_DBA',
       'RECOVERY_CATALOG_OWNER',
       'SALES_HISTORY_ROLE','SELECT_CATALOG_ROLE','WKUSER',
       'WM_ADMIN_ROLE','XDBADMIN')
   and granted_role not in ('CONNECT', 'RESOURCE', 'AUTHENTICATEDUSER')
 order by grantee;
If any records are returned, confirm that the grantee and role are documented in the System Security Plan and authorized by the IAO. If not documented and approved, this is a Finding.
Fix: F-3783r1_fix
Create custom roles for each discrete application user / administrator function required for your database and assign the minimum privileges necessary to perform the function. Assign custom roles to accounts. Revoke assignment of predefined roles from accounts where not documented in the System Security Plan and authorized by the IAO.
- RMF Control
- Severity
- M
- CCI
- Version
- DG0117-ORACLE11
- Vuln IDs
-
- V-15627
- Rule IDs
-
- SV-24422r2_rule
Checks: C-962r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||privilege from dba_sys_privs
where grantee not in ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'MDSYS', 'WKSYS')
and grantee not in (select distinct granted_role from dba_role_privs)
and privilege <> 'UNLIMITED TABLESPACE'
order by grantee;
NOTE: Disregard any default database component account privilege assignments that may be returned.
If administrative privileges have been assigned directly to an account, this is a Finding.
Fix: F-3786r1_fix
Revoke assigned administrative privileges from database accounts and assign to accounts via roles. Document roles and assignments in the System Security Plan.
- RMF Control
- Severity
- M
- CCI
- Version
- DG0119-ORACLE11
- Vuln IDs
-
- V-15628
- Rule IDs
-
- SV-24746r2_rule
Checks: C-969r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee, owner, table_name, privilege from dba_tab_privs
where privilege in ('ALTER', 'REFERENCES', 'INDEX')
and grantee not in ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN')
and table_name not in ('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN')
and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
and grantee not in (select distinct owner from dba_objects);
If any records are returned, this is a Finding.
Fix: F-3788r1_fix
Revoke ALTER, REFERENCES, and INDEX privileges from application user roles. From SQL*Plus:
revoke [privilege] on [owner].[table_name] from [application user role];
Replace [privilege] with the identified ALTER, REFERENCES or INDEX privilege, [owner].[table_name] with the object returned by the check, and [application user role] with the identified application role. (These are object privileges, so the revoke must name the object; without the ON clause the statement fails.)
- RMF Control
- Severity
- M
- CCI
- Version
- DG0121-ORACLE11
- Vuln IDs
-
- V-15629
- Rule IDs
-
- SV-24755r2_rule
Checks: C-1002r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||privilege||': '||owner||'.'||table_name from dba_tab_privs
where grantee not in (select role from dba_roles)
and grantee not in ('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS', 'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES', 'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS', 'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS', 'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT', 'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM', 'WKSYS', 'WMSYS', 'XDB')
and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE'
and table_name not like '%RP'
and grantee not in (select grantee from dba_tab_privs where table_name in ('DBMS_DEFER', 'DEFLOB'));
If any records are returned, this is a Finding.
NOTE: This check may report false positives where other Oracle products have been installed. Accounts installed with other Oracle products are exempt from this requirement.
Fix: F-3792r1_fix
Revoke privileges assigned directly to database accounts and assign them to roles based on job functions. Assign users who are assigned responsibility for the job function to the defined role. From SQL*Plus:
revoke [privilege] on [object name] from [user name];
grant [privilege] on [object name] to [role name];
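The fixes for DG0116, DG0117, DG0119 and DG0121 all come down to the same restructuring: privileges reach an account only through a role built for one job function. The script below is an added example, not STIG text and not Oracle's own code; the schema APP_HR, the roles HR_CLERK_ROLE, HR_ADMIN_ROLE and APP_USER_ROLE, and the user JSMITH are constructed names. It is run as a DBA from SQL*Plus and ends by re-running the per-account parts of the checks.

```sql
-- Added example (not STIG text): consolidating an account's privileges into
-- function-specific roles. APP_HR, HR_CLERK_ROLE, HR_ADMIN_ROLE, APP_USER_ROLE
-- and JSMITH are constructed names for illustration.

-- 1. One role per discrete job function, carrying only what that function needs.
create role hr_clerk_role;
grant create session                                 to hr_clerk_role;
grant select, insert, update on app_hr.employees     to hr_clerk_role;
grant select                 on app_hr.departments   to hr_clerk_role;
grant execute                on app_hr.pkg_payroll   to hr_clerk_role;

-- The administrator function builds on the clerk role instead of repeating its grants.
create role hr_admin_role;
grant hr_clerk_role                  to hr_admin_role;
grant delete on app_hr.employees     to hr_admin_role;

-- 2. Move the account onto its role, then take back what it held directly.
grant hr_clerk_role to jsmith;
revoke select_catalog_role from jsmith;                          -- DG0116: predefined role not in the SSP
revoke select any table from jsmith;                             -- DG0117: administrative privilege granted directly
revoke select, insert, update on app_hr.employees from jsmith;   -- DG0121: object privileges granted directly

-- 3. DG0119: an application role must not carry schema-changing object privileges.
revoke alter, references, index on app_hr.employees from app_user_role;

-- 4. Re-run the per-account parts of the checks; each should now return no rows for JSMITH.
select privilege from dba_sys_privs where grantee = 'JSMITH';
select owner, table_name, privilege from dba_tab_privs where grantee = 'JSMITH';
select granted_role from dba_role_privs
where  grantee = 'JSMITH' and granted_role not in ('HR_CLERK_ROLE');

-- What the account can do now is visible only through its role.
select role, owner, table_name, privilege from role_tab_privs where role = 'HR_CLERK_ROLE';
```

One caveat when moving object privileges into roles: privileges obtained through a role are not in effect inside definer's-rights stored procedures or when a view is created against another schema's objects. Where an application owner compiles code that references another schema, that one object privilege has to stay as a direct grant, and it should be recorded in the System Security Plan so the DG0121 review treats it as authorized rather than as a finding.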
- RMF Control
- Severity
- M
- CCI
- Version
- DG0122-ORACLE11
- Vuln IDs
-
- V-15630
- Rule IDs
-
- SV-24764r1_rule
Checks: C-1005r1_chk
Review file permissions defined for critical files. Review the file permissions on the binary initialization parameter file (the default name is spfile[SID].ora). Binary initialization parameter files are by default located in the $ORACLE_HOME/dbs directory (UNIX) or %ORACLE_HOME%\database directory (Windows).
From SQL*Plus:
select value from v$parameter where name = 'spfile';
select member from v$logfile;
select name from v$datafile;
select name from v$controlfile;
Check directory and file permissions for the files returned by the SQL commands above, for the files located in the $ORACLE_HOME/network/admin directory (UNIX) or %ORACLE_HOME%\network\admin directory (Windows), and for the directory specified by the TNS_ADMIN environment variable, if defined.
On UNIX systems:
ls -ld [pathname]
If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.
On Windows systems (from Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to Everyone, this is a Finding. If any accounts other than the Oracle process and software owner accounts, Administrators, DBAs, System groups, auditors, or backup accounts are listed, this is a Finding.
Fix: F-3800r1_fix
Set UNIX permissions on critical files to 640 or more restrictive. Check group membership of the group assigned access permissions to the database software to verify all members are authorized to have the assigned access. Set Windows permissions to Full Control assigned to the Administrators, the Oracle service account and DBAs. Remove any unauthorized account access.
- RMF Control
- Severity
- M
- CCI
- Version
- DG0123-ORACLE11
- Vuln IDs
-
- V-15631
- Rule IDs
-
- SV-24772r2_rule
Checks: C-29354r2_chk
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee, privilege, owner, table_name from dba_tab_privs
where (owner='SYS' or table_name like 'DBA_%')
and privilege <> 'EXECUTE'
and grantee not in ('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN', 'TRACESVR', 'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN', 'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE', 'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS', 'WM_ADMIN_ROLE', 'XDB', 'LBACSYS', 'PERFSTAT', 'XDBADMIN')
and grantee not in (select grantee from dba_role_privs where granted_role='DBA')
order by grantee;
If no accounts or roles are listed, this is not a Finding. Verify that the accounts/roles listed have been authorized by the IAO.
NOTE: Any accounts created and assigned privileges by Oracle product installations do not require authorization by the IAO. The exclusion list provided in this check is subject to changes or additions made by updates to Oracle products. Non-Oracle products should not be assigned access to Oracle system data and tables; however, if such access is required, document the requirement in the System Security Plan and ensure authorization by the IAO.
Fix: F-26380r1_fix
Revoke unauthorized access to system tables and data. From SQL*Plus:
revoke [object privilege] on [system object name] from [account name or role];
- RMF Control
- Severity
- M
- CCI
- Version
- DG0124-ORACLE11
- Vuln IDs
-
- V-15632
- Rule IDs
-
- SV-24775r1_rule
Checks: C-1254r1_chk
Review objects owned by custom DBA user accounts. If any objects owned by DBA accounts are accessed by non-DBA users either directly or indirectly by other applications, this is a Finding. Review documentation or instructions provided to DBAs to communicate proper and improper use of DBA accounts. If such documentation does not exist or if DBAs do not indicate an understanding of this requirement, this is a Finding.
Fix: F-2624r1_fix
Develop, document and implement policy and procedures for outlining the proper and improper use of DBA accounts. The documentation should clearly state that DBA accounts are used to administer and maintain the database only. DBA accounts are not to be used to create or alter application objects. Application maintenance should always be performed by the application object owner or application administrator accounts. Request acknowledgement of receipt of these restrictions by all users granted DBA responsibilities.
- RMF Control
- Severity
- M
- CCI
- Version
- DG0126-ORACLE11
- Vuln IDs
-
- V-15633
- Rule IDs
-
- SV-24787r2_rule
Checks: C-29358r4_chk
If no DBMS accounts authenticate using passwords, this check is Not a Finding.
Review DBMS account password reuse restrictions. From SQL*Plus:
select p1.profile profile, p1.limit REUSE_MAX, p2.limit REUSE_TIME
from dba_profiles p1, dba_profiles p2
where p1.profile = p2.profile
and p1.resource_name = 'PASSWORD_REUSE_MAX'
and p2.resource_name = 'PASSWORD_REUSE_TIME'
order by p1.profile;
If the limits for REUSE_MAX and REUSE_TIME are both set to UNLIMITED, this is a Finding. If the limits for REUSE_MAX and REUSE_TIME are not set to values, this is a Finding.
NOTE: If the limit for REUSE_MAX or REUSE_TIME is set to DEFAULT, refer to the corresponding limit set for the DEFAULT profile.
If the DBMS uses Host Authentication, confirm that the host is configured to prevent password reuse. If it is not, this is a Finding.
Fix: F-26384r1_fix
Configure the DBMS to prevent password reuse by modifying Oracle profiles. From SQL*Plus:
alter profile default limit password_reuse_max 10 password_reuse_time UNLIMITED;
alter profile [profile name] limit password_reuse_max default password_reuse_time default;
Replace [profile name] with any existing, non-default profile names. Where Host Authentication is used, configure the OS to prevent password reuse. Consider configuring the DBMS to use alternate authentication methods other than password authentication where supported by the DBMS.
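The check's NOTE about DEFAULT is the part reviewers most often get wrong: a profile whose limit reads DEFAULT is only compliant if the DEFAULT profile's value is. The query below is an added example, not STIG text, that resolves that inheritance in one pass over DBA_PROFILES and applies the DG0126 finding conditions to the effective values; it assumes nothing beyond the two resource names used by the check.

```sql
-- Added example (not STIG text): the DG0126 review with DEFAULT resolved to the
-- DEFAULT profile's value before the finding conditions are applied.
with lim as (
    select profile, resource_name, limit
    from   dba_profiles
    where  resource_name in ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME')
),
eff as (
    -- effective limit: the profile's own value, or DEFAULT's value when it says DEFAULT
    select p.profile,
           p.resource_name,
           p.limit as declared_limit,
           case when p.limit = 'DEFAULT' then d.limit else p.limit end as effective_limit
    from   lim p
    join   lim d on d.profile = 'DEFAULT' and d.resource_name = p.resource_name
)
select m.profile,
       m.declared_limit  as reuse_max_declared,
       m.effective_limit as reuse_max_effective,
       t.declared_limit  as reuse_time_declared,
       t.effective_limit as reuse_time_effective,
       case
           -- a limit with no value at all: Finding
           when m.effective_limit is null or t.effective_limit is null
                then 'FINDING: limit not set'
           -- both UNLIMITED: Oracle ignores the pair and reuse is unrestricted: Finding
           when m.effective_limit = 'UNLIMITED' and t.effective_limit = 'UNLIMITED'
                then 'FINDING: both UNLIMITED'
           -- at least one numeric value (the fix sets REUSE_MAX 10): reuse is restricted
           when regexp_like(m.effective_limit, '^[0-9]*\.?[0-9]+$')
             or regexp_like(t.effective_limit, '^[0-9]*\.?[0-9]+$')
                then 'OK'
           else 'REVIEW: unexpected value'
       end as dg0126_status
from   eff m
join   eff t on t.profile = m.profile
where  m.resource_name = 'PASSWORD_REUSE_MAX'
and    t.resource_name = 'PASSWORD_REUSE_TIME'
order  by m.profile;
```

Any profile reported as FINDING gets the `alter profile` statements from the fix above; the DEFAULT profile is fixed first, since every profile that reads DEFAULT follows it.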
- RMF Control
- Severity
- M
- CCI
- Version
- DG0127-ORACLE11
- Vuln IDs
-
- V-15634
- Rule IDs
-
- SV-24792r1_rule
Checks: C-29360r1_chk
If no DBMS accounts authenticate using passwords (rare), this check is Not a Finding.
Confirm that database profiles specify a password verify function. From SQL*Plus:
select distinct limit from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION' order by limit;
Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function does not accept passwords that are the same as the username, the name of the database or the instance name. If reviewing code, logic similar to the following should be found:
-- Check if the password is too simple. A dictionary of words may be
-- maintained and a check may be made so as not to allow the words
-- that are too simple for the password.
if nls_lower(password) in ('welcome','database','account','user','password','oracle','computer','abcdefgh', '12345') then
raise_application_error(-20002, 'Password too simple');
end if;
If any password_verify_function routines do not check for simple passwords, this is a Finding.
Check also to ensure all password-authenticated accounts specify a password_verify_function. From SQL*Plus:
select distinct profile from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION' and (limit is NULL or limit = 'NULL');
NOTE: The LIMIT column of DBA_PROFILES is a character column; a profile with no verify function carries the literal string NULL in it, which is why the comparison is against the quoted value.
If any profiles are returned that are used by password-authenticated accounts, this is a Finding.
To view the names of password-authenticated accounts, from SQL*Plus:
select name from user$ where password is not NULL;
Fix: F-26386r1_fix
Define and apply a Password Verify Function for all profiles where passwords are used to authenticate accounts. See Fix information for DG0079 to create a Password Verify Function that meets STIG requirements.
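The three conditions the DG0127 check reads for (password equal to the username, the database name or the instance name, plus the trivial-word dictionary) are easy to see in a small function. The one below is an added example, not STIG text and not the DG0079 function the fix refers to; STIG_DEMO_VERIFY is a constructed name and the word list is the one quoted in the check. It must be created as SYS, which Oracle requires of any password verify function, and is then attached to the DEFAULT profile.

```sql
-- Added example (not STIG text): a reduced password verify function covering only
-- the rules the DG0127 check looks for. STIG_DEMO_VERIFY is a constructed name;
-- deploy the full DG0079 function in practice. Create as SYS.
create or replace function stig_demo_verify (
    username     varchar2,
    password     varchar2,
    old_password varchar2)
return boolean
is
    db_name   varchar2(30) := sys_context('USERENV', 'DB_NAME');
    inst_name varchar2(30) := sys_context('USERENV', 'INSTANCE_NAME');
    type word_list is table of varchar2(30);
    -- the dictionary quoted in the check; extend it in a real deployment
    simple_words word_list := word_list('welcome', 'database', 'account', 'user',
                                        'password', 'oracle', 'computer',
                                        'abcdefgh', '12345');
    pw varchar2(128) := nls_lower(password);
begin
    -- Same as the username, the database name or the instance name: reject.
    if pw = nls_lower(username) or pw = nls_lower(db_name) or pw = nls_lower(inst_name) then
        raise_application_error(-20001,
            'Password must differ from the user, database and instance names');
    end if;

    -- Too simple: reject.
    for i in 1 .. simple_words.count loop
        if pw = simple_words(i) then
            raise_application_error(-20002, 'Password too simple');
        end if;
    end loop;

    -- Same as the previous password (old_password is null when a DBA resets it): reject.
    if old_password is not null and pw = nls_lower(old_password) then
        raise_application_error(-20003, 'Password must differ from the previous password');
    end if;

    return true;
end;
/
-- Attach it to DEFAULT, which covers every profile whose limit reads DEFAULT;
-- profiles with their own explicit value need their own alter profile.
alter profile default limit password_verify_function stig_demo_verify;
```

Having the DBA run `alter user` with the account name itself or the instance name as the new password is the quickest demonstration for the check: each attempt should fail with one of the errors above.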
- RMF Control
- Severity
- H
- CCI
- Version
- DG0128-ORACLE11
- Vuln IDs
-
- V-15635
- Rule IDs
-
- SV-24796r3_rule
Checks: C-29363r4_chk
From SQL*Plus: select decode(type#,0,'ROLE',1,'USER') type, name, decode(astatus, 0,'OPEN', 1,'EXPIRED', 2,'EXPIRED(GRACE)', 4,'LOCKED(TIMED)', 8,'LOCKED', 5,'EXPIRED and LOCKED(TIMED)', 6,'EXPIRED(GRACE) and LOCKED(TIMED)', 9,'EXPIRED and LOCKED', 10,'EXPIRED(GRACE) and LOCKED') account_status from sys.user$ where user$.name <> 'XS$NULL' and password = decode(name, 'AASH', '9B52488370BB3D77', 'ABA1', '30FD307004F350DE', 'ABM', 'D0F2982F121C7840', 'AD_MONITOR', '54F0C83F51B03F49', 'ADAMS', '72CDEF4A3483F60D', 'ADS', 'D23F0F5D871EB69F', 'ADSEUL_US', '4953B2EB6FCB4339', 'AHL', '7910AE63C9F7EEEE', 'AHM', '33C2E27CF5E401A4', 'AK', '8FCB78BBA8A59515', 'AL', '384B2C568DE4C2B5', 'ALA1', '90AAC5BD7981A3BA', 'ALLUSERS', '42F7CD03B7D2CA0F', 'ALR', 'BE89B24F9F8231A9', 'AMA1', '585565C23AB68F71', 'AMA2', '37E458EE1688E463', 'AMA3', '81A66D026DC5E2ED', 'AMA4', '194CCC94A481DCDE', 'AMF', 'EC9419F55CDC666B', 'AMS', 'BD821F59270E5F34', 'AMS1', 'DB8573759A76394B', 'AMS2', 'EF611999C6AD1FD7', 'AMS3', '41D1084F3F966440', 'AMS4', '5F5903367FFFB3A3', 'AMSYS', '4C1EF14ECE13B5DE', 'AMV', '38BC87EB334A1AC4', 'AMW', '0E123471AACA2A62', 'ANNE', '1EEA3E6F588599A6', 'ANONYMOUS', '94C33111FD9C66F3', 'AOLDEMO', 'D04BBDD5E643C436', 'AP', 'EED09A552944B6AD', 'APA1', 'D00197BF551B2A79', 'APA2', '121C6F5BD4674A33', 'APA3', '5F843C0692560518', 'APA4', 'BF21227532D2794A', 'APPLEAD', '5331DB9C240E093B', 'APPLSYS', '0F886772980B8C79', 'APPLSYSPUB', 'D2EEF40EE87221E', 'APPLSYS', 'E153FFF4DAE6C9F7', 'APPS', 'D728438E8A5925E0', 'APS1', 'F65751C55EA079E6', 'APS2', '5CACE7B928382C8B', 'APS3', 'C786695324D7FB3B', 'APS4', 'F86074C4F4F82D2C', 'AQDEMO', '5140E342712061DD', 'AQJAVA', '8765D2543274B42E', 'AQUSER', '4CF13BDAC1D7511C', 'AR', 'BBBFE175688DED7E', 'ARA1', '4B9F4E0667857EB8', 'ARA2', 'F4E52BFBED4652CD', 'ARA3', 'E3D8D73AE399F7FE', 'ARA4', '758FD31D826E9143', 'ARS1', '433263ED08C7A4FD', 'ARS2', 'F3AF9F26D0213538', 'ARS3', 'F6755F08CC1E7831', 'ARS4', '452B5A381CABB241', 'ART', '665168849666C4F3', 'ASF', 
'B6FD427D08619EEE', 'ASG', '1EF8D8BD87CF16BE', 'ASL', '03B20D2C323D0BFE', 'ASN', '1EE6AEBD9A23D4E0', 'ASO', 'F712D80109E3C9D8', 'ASP', 'CF95D2C6C85FF513', 'AST', 'F13FF949563EAB3C', 'AUC_GUEST', '8A59D349DAEC26F7', 'AURORA$ORB$UNAUTHENTICATED', '80C099F0EADF877E', 'AUTHORIA', 'CC78120E79B57093', 'AX', '0A8303530E86FCDD', 'AZ', 'AAA18B5D51B0D5AC', 'B2B', 'CC387B24E013C616', 'BAM', '031091A1D1A30061', 'BCA1', '398A69209360BD9D', 'BCA2', '801D9C90EBC89371', 'BEN', '9671866348E03616', 'BIC', 'E84CC95CBBAC1B67', 'BIL', 'BF24BCE2409BE1F7', 'BIM', '6026F9A8A54B9468', 'BIS', '7E9901882E5F3565', 'BIV', '2564B34BE50C2524', 'BIX', '3DD36935EAEDE2E3', 'BLAKE', '9435F2E60569158E', 'BMEADOWS', '2882BA3D3EE1F65A', 'BNE', '080B5C7EE819BF78', 'BOM', '56DB3E89EAE5788E', 'BP01', '612D669D2833FACD', 'BP02', 'FCE0C089A3ECECEE', 'BP03', '0723FFEEFBA61545', 'BP04', 'E5797698E0F8934E', 'BP05', '58FFC821F778D7E9', 'BP06', '2F358909A4AA6059', 'BSC', 'EC481FD7DCE6366A', 'BUYACCT', 'D6B388366ECF2F61', 'BUYAPPR1', 'CB04931693309228', 'BUYAPPR2', '3F98A3ADC037F49C', 'BUYAPPR3', 'E65D8AD3ACC23DA3', 'BUYER', '547BDA4286A2ECAE', 'BUYMTCH', '0DA5E3B504CC7497', 'CAMRON', '4384E3F9C9C9B8F1', 'CANDICE', 'CF458B3230215199', 'CARL', '99ECCC664FFDFEA2', 'CARLY', 'F7D90C099F9097F1', 'CARMEN', '46E23E1FD86A4277', 'CARRIECONYERS', '9BA83B1E43A5885B', 'CATADMIN', 'AF9AB905347E004F', 'CE', 'E7FDFE26A524FE39', 'CAESAR', 'E69833B8205D5DD7', 'CENTRA', '63BF5FFE5E3EA16D', 'CFD', '667B018D4703C739', 'CHANDRA', '184503FA7786C82D', 'CHARLEY', 'E500DAA705382E8D', 'CHRISBAKER', '52AFB6B3BE485F81', 'CHRISTIE', 'C08B79CCEC43E798', 'CINDY', '3AB2C717D1BD0887', 'CLARK', '7AAFE7D01511D73F', 'CLAUDE', 'C6082BCBD0B69D20', 'CLARK', '74DF527800B6D713', 'CLINT', '163FF8CCB7F11691', 'CLN', 'A18899D42066BFCA', 'CN', '73F284637A54777D', 'CNCADMIN', 'C7C8933C678F7BF9', 'CONNIE', '982F4C420DD38307', 'CONNOR', '52875AEB74008D78', 'CORY', '93CE4CCE632ADCD2', 'CRM1', '6966EA64B0DFC44E', 'CRM2', 'B041F3BEEDA87F72', 'CRP', 
'F165BDE5462AD557', 'CRPB733', '2C9AB93FF2999125', 'CRPCTL', '4C7A200FB33A531D', 'CRPDTA', '6665270166D613BC', 'CS', 'DB78866145D4E1C3', 'CSADMIN', '94327195EF560924', 'CSAPPR1', '47D841B5A01168FF', 'CSC', 'EDECA9762A8C79CD', 'CSD', '144441CEBAFC91CF', 'CSDUMMY', '7A587C459B93ACE4', 'CSE', 'D8CC61E8F42537DA', 'CSF', '684E28B3C899D42C', 'CSI', '71C2B12C28B79294', 'CSL', 'C4D7FE062EFB85AB', 'CSM', '94C24FC0BE22F77F', 'CSMIG', '09B4BB013FBD0D65', 'CSP', '5746C5E077719DB4', 'CSR', '0E0F7C1B1FE3FA32', 'CSS', '3C6B8C73DDC6B04F', 'CTXDEMO', 'CB6B5E9D9672FE89', 'CTXSYS', '24ABAB8B06281B4C', 'CTXTEST', '064717C317B551B6', 'CTXSYS', '71E687F036AD56E5', 'CUA', 'CB7B2E6FFDD7976F', 'CUE', 'A219FE4CA25023AA', 'CUF', '82959A9BD2D51297', 'CUG', '21FBCADAEAFCC489', 'CUI', 'AD7862E01FA80912', 'CUN', '41C2D31F3C85A79D', 'CUP', 'C03082CD3B13EC42', 'CUS', '00A12CC6EBF8EDB8', 'CZ', '9B667E9C5A0D21A6', 'DAVIDMORGAN', 'B717BAB262B7A070', 'DBSNMP', 'E066D214D5421CCC', 'DCM', '45CCF86E1058D3A5', 'DD7333', '44886308CF32B5D4', 'DD7334', 'D7511E19D9BD0F90', 'DD810', '0F9473D8D8105590', 'DD811', 'D8084AE609C9A2FD', 'DD812', 'AB71915CF21E849E', 'DD9', 'E81821D03070818C', 'DDB733', '7D11619CEE99DE12', 'DDD', '6CB03AF4F6DD133D', 'DEMO8', '0E7260738FDFD678', 'DES', 'ABFEC5AC2274E54D', 'DES2K', '611E7A73EC4B425A', 'DEV2000_DEMOS', '18A0C8BD6B13BEE2', 'DEVB733', '7500DF89DC99C057', 'DEVUSER', 'C10B4A80D00CA7A5', 'DGRAY', '5B76A1EB8F212B85', 'DIP', 'CE4A36B8E06CA59C', 'DISCOVERER5', 'AF0EDB66D914B731', 'DKING', '255C2B0E1F0912EA', 'DLD', '4454B932A1E0E320', 'DMADMIN', 'E6681A8926B40826', 'DMATS', '8C692701A4531286', 'DMS', '1351DC7ED400BD59', 'DMSYS', 'BFBA5A553FD9E28A', 'DOM', '51C9F2BECA78AE0E', 'DPOND', '79D6A52960EEC216', 'DSGATEWAY', '6869F3CFD027983A', 'DV7333', '36AFA5CD674BA841', 'DV7334', '473B568021BDB428', 'DV810', '52C38F48C99A0352', 'DV811', 'B6DC5AAB55ECB66C', 'DV812', '7359E6E060B945BA', 'DV9', '07A1D03FD26E5820', 'DVP1', '0559A0D3DE0759A6', 'EAA', 'A410B2C5A0958CDF', 'EAM', 
'CE8234D92FCFB563', 'EC', '6A066C462B62DD46', 'ECX', '0A30645183812087', 'EDR', '5FEC29516474BB3A', 'EDWEUL_US', '5922BA2E72C49787', 'EDWREP', '79372B4AB748501F', 'EGC1', 'D78E0F2BE306450D', 'EGD1', 'DA6D6F2089885BA6', 'EGM1', 'FB949D5E4B5255C0', 'EGO', 'B9D919E5F5A9DA71', 'EGR1', 'BB636336ADC5824A', 'END1', '688499930C210B75', 'ENG', '4553A3B443FB3207', 'ENI', '05A92C0958AFBCBC', 'ENM1', '3BDABFD1246BFEA2', 'ENS1', 'F68A5D0D6D2BB25B', 'ENTMGR_CUST', '45812601EAA2B8BD', 'ENTMGR_PRO', '20002682991470B3', 'ENTMGR_TRAIN', 'BE40A3BE306DD857', 'EOPP_PORTALADM', 'B60557FD8C45005A', 'EOPP_PORTALMGR', '9BB3CF93F7DE25F1', 'EOPP_USER', '13709991FC4800A1', 'EUL_US', '28AEC22561414B29', 'EVM', '137CEDC20DE69F71', 'EXA1', '091BCD95EE112EE3', 'EXA2', 'E4C0A21DBD06B890', 'EXA3', '40DC4FA801A73560', 'EXA4', '953885D52BDF5C86', 'EXFSYS', '66F4EF5650C20355', 'EXS1', 'C5572BAB195817F0', 'EXS2', '8FAA3AC645793562', 'EXS3', 'E3050174EE1844BA', 'EXS4', 'E963BFE157475F7D', 'FA', '21A837D0AED8F8E5', 'FEM', 'BD63D79ADF5262E7', 'FIA1', '2EB76E07D3E094EC', 'FII', 'CF39DE29C08F71B9', 'FLM', 'CEE2C4B59E7567A3', 'FNI1', '308839029D04F80C', 'FNI2', '05C69C8FEAB4F0B9', 'FPA', '9FD6074B9FD3754C', 'FPT', '73E3EC9C0D1FAECF', 'FRM', '9A2A7E2EBE6E4F71', 'FTA1', '65FF9AB3A49E8A13', 'FTE', '2FB4D2C9BAE2CCCA', 'FUN', '8A7055CA462DB219', 'FV', '907D70C0891A85B1', 'FVP1', '6CC7825EADF994E8', 'GALLEN', 'F8E8ED9F15842428', 'GCA1', '47DA9864E018539B', 'GCA2', 'FD6E06F7DD50E868', 'GCA3', '4A4B9C2E9624C410', 'GCA9', '48A7205A4C52D6B5', 'GCMGR1', '14A1C1A08EA915D6', 'GCMGR2', 'F4F11339A4221A4D', 'GCMGR3', '320F0D4258B9D190', 'GCS', '7AE34CA7F597EBF7', 'GCS1', '2AE8E84D2400E61D', 'GCS2', 'C242D2B83162FF3D', 'GCS3', 'DCCB4B49C68D77E2', 'GEORGIAWINE', 'F05B1C50A1C926DE', 'GL', 'CD6E99DACE4EA3A6', 'GLA1', '86C88007729EB36F', 'GLA2', '807622529F170C02', 'GLA3', '863A20A4EFF7386B', 'GLA4', 'DB882CF89A758377', 'GLS1', '7485C6BD564E75D1', 'GLS2', '319E08C55B04C672', 'GLS3', 'A7699C43BB136229', 'GLS4', 
'7C171E6980BE2DB9', 'GM_AWDA', '4A06A107E7A3BB10', 'GM_COPI', '03929AE296BAAFF2', 'GM_DPHD', '0519252EDF68FA86', 'GM_MLCT', '24E8B569E8D1E93E', 'GM_PLADMA', '2946218A27B554D8', 'GM_PLADMH', '2F6EDE96313AF1B7', 'GM_PLCCA', '7A99244B545A038D', 'GM_PLCCH', '770D9045741499E6', 'GM_PLCOMA', '91524D7DE2B789A8', 'GM_PLCOMH', 'FC1C6E0864BF0AF2', 'GM_PLCONA', '1F531397B19B1E05', 'GM_PLCONH', 'C5FE216EB8FCD023', 'GM_PLNSCA', 'DB9DD2361D011A30', 'GM_PLNSCH', 'C80D557351110D51', 'GM_PLSCTA', '3A778986229BA20C', 'GM_PLSCTH', '9E50865473B63347', 'GM_PLVET', '674885FDB93D34B9', 'GM_SPO', 'E57D4BD77DAF92F0', 'GM_STKH', 'C498A86BE2663899', 'GMA', 'DC7948E807DFE242', 'GMD', 'E269165256F22F01', 'GME', 'B2F0E221F45A228F', 'GMF', 'A07F1956E3E468E1', 'GMI', '82542940B0CF9C16', 'GML', '5F1869AD455BBA73', 'GMP', '450793ACFCC7B58E', 'GMS', 'E654261035504804', 'GR', 'F5AB0AA3197AEE42', 'GUEST', '1C0A090E404CECD0', 'HCC', '25A25A7FEFAC17B6', 'HHCFO', '62DF37933FB35E9F', 'HR', '4C6D73C3E8B0F0DA', 'HRI', '49A3A09B8FC291D0', 'HXC', '4CEA0BF02214DA55', 'HXT', '169018EB8E2C4A77', 'IA', '42C7EAFBCEEC09CC', 'IBA', '0BD475D5BF449C63', 'IBC', '9FB08604A30A4951', 'IBE', '9D41D2B3DD095227', 'IBP', '840267B7BD30C82E', 'IBU', '0AD9ABABC74B3057', 'IBY', 'F483A48F6A8C51EC', 'ICX', '7766E887AF4DCC46', 'IEB', 'A695699F0F71C300', 'IEC', 'CA39F929AF0A2DEC', 'IEM', '37EF7B2DD17279B5', 'IEO', 'E93196E9196653F1', 'IES', '30802533ADACFE14', 'IEU', '5D0E790B9E882230', 'IEX', '6CC978F56D21258D', 'IGC', 'D33CEB8277F25346', 'IGF', '1740079EFF46AB81', 'IGI', '8C69D50E9D92B9D0', 'IGS', 'DAF602231281B5AC', 'IGW', 'B39565F4E3CF744B', 'IMC', 'C7D0B9CDE0B42C73', 'IMT', 'E4AAF998653C9A72', 'INS1', '2ADC32A0B154F897', 'INS2', 'EA372A684B790E2A', 'INTERNET_APPSERVER_REGISTRY', 'A1F98A977FFD73CD', 'INV', 'ACEAB015589CF4BC', 'IP', 'D29012C144B58A40', 'IPA', 'EB265A08759A15B4', 'IPD', '066A2E3072C1F2F3', 'ISC', '373F527DC0CFAE98', 'ISTEWARD', '8735CA4085DE3EEA', 'ITG', 'D90F98746B68E6CA', 'JA', '9AC2B58153C23F3D', 'JD7333', 
'FB5B8A12AE623D52', 'JD7334', '322810FCE43285D9', 'JD9', '9BFAEC92526D027B', 'JDE', '7566DC952E73E869', 'JDEDBA', 'B239DD5313303B1D', 'JE', 'FBB3209FD6280E69', 'JG', '37A99698752A1CF1', 'JL', '489B61E488094A8D', 'JOHNINARI', 'B3AD4DA00F9120CE', 'JONES', 'B9E99443032F059D', 'JTF', '5C5F6FC2EBB94124', 'JTI', 'B8F03D3E72C96F7', 'JTM', '6D79A2259D5B4B5A', 'JTR', 'B4E2BE38B556048F', 'JTS', '4087EE6EB7F9CD7C', 'JUNK_PS', 'BBC38DB05D2D3A7A', 'JUSTOSHUM', '53369CD63902FAAA', 'KELLYJONES', 'DD4A3FF809D2A6CF', 'KEVINDONS', '7C6D9540B45BBC39', 'KPN', 'DF0AED05DE318728', 'LADAMS', 'AE542B99505CDCD2', 'LBA', '18E5E15A436E7157', 'LBACSYS', 'AC9700FD3F1410EB', 'LDQUAL', '1274872AB40D4FCD', 'LHILL', 'E70CA2CA0ED555F5', 'LNS', 'F8D2BC61C10941B2', 'LQUINCY', '13F9B9C1372A41B6', 'LSA', '2D5E6036E3127B7E', 'MDDATA', 'DF02A496267DEE66', 'MDSYS', '72979A94BAD2AF80', 'ME', 'E5436F7169B29E4D', 'MDSYS', '9AAEB2214DCC9A31', 'MFG', 'FC1B0DD35E790847', 'MGR1', 'E013305AB0185A97', 'MGR2', '5ADE358F8ACE73E8', 'MGR3', '05C365C883F1251A', 'MGR4', 'E229E942E8542565', 'MIKEIKEGAMI', 'AAF7A168C83D5C47', 'MJONES', 'EE7BB3FEA50A21C5', 'MLAKE', '7EC40274AC1609CA', 'MM1', '4418294570E152E7', 'MM2', 'C06B5B28222E1E62', 'MM3', 'A975B1BD0C093DA3', 'MM4', '88256901EB03A012', 'MM5', '4CEA62CBE776DCEC', 'MMARTIN', 'D52F60115FE87AA4', 'MOBILEADMIN', '253922686A4A45CC', 'MRP', 'B45D4DF02D4E0C85', 'MSC', '89A8C104725367B2', 'MSD', '6A29482069E23675', 'MSO', '3BAA3289DB35813C', 'MSR', 'C9D53D00FE77D813', 'MST', 'A96D2408F62BE1BC', 'MWA', '1E2F06BE2A1D41A6', 'NEILKATSU', '1F625BB9FEBC7617', 'OBJ7333', 'D7BDC9748AFEDB52', 'OBJ7334', 'EB6C5E9DB4643CAC', 'OBJB733', '61737A9F7D54EF5F', 'OCA', '9BC450E4C6569492', 'ODM', 'C252E8FA117AF049', 'ODM_MTR', 'A7A32CD03D3CE8D5', 'ODS', '89804494ADFC71BC', 'ODSCOMMON', '59BBED977430C1A8', 'OE', 'D1A2DFC623FDA40A', 'OKB', 'A01A5F0698FC9E31', 'OKC', '31C1DDF4D5D63FE6', 'OKE', 'B7C1BB95646C16FE', 'OKI', '991C817E5FD0F35A', 'OKL', 'DE058868E3D2B966', 'OKO', '6E204632EC7CA65D', 
'OKR', 'BB0E28666845FCDC', 'OKS', 'C2B4C76AB8257DF5', 'OKX', 'F9FDEB0DE52F5D6B', 'OL810', 'E2DA59561CBD0296', 'OL811', 'B3E88767A01403F8', 'OL812', 'AE8C7989346785BA', 'OL9', '17EC83E44FB7DB5B', 'OLAPSYS', '3FB8EF9DB538647C', 'ONT', '9E3C81574654100A', 'OPI', '1BF23812A0AEEDA0', 'ORABAM', 'D0A4EA93EF21CE25', 'ORABAMSAMPLES', '507F11063496F222', 'ORABPEL', '26EFDE0C9C051988', 'ORAESB', 'CC7FCCB3A1719EDA', 'ORAOCA_PUBLIC', 'FA99021634DDC111', 'ORASAGENT', '234B6F4505AD8F25', 'ORASSO', 'F3701A008AA578CF', 'ORASSO_DS', '17DC8E02BC75C141', 'ORASSO_PA', '133F8D161296CB8F', 'ORASSO_PS', '63BB534256053305', 'ORASSO_PUBLIC', 'C6EED68A8F75F5D3', 'ORDPLUGINS', '88A2B2C183431F00', 'ORDSYS', '7EFA02EC7EA6B86F', 'OSM', '106AE118841A5D8C', 'OTA', 'F5E498AC7009A217', 'OUTLN', '4A3BA55E08595C81', 'OWAPUB', '6696361B64F9E0A9', 'OWF_MGR', '3CBED37697EB01D1', 'OZF', '970B962D942D0C75', 'OZP', 'B650B1BB35E86863', 'OZS', '0DABFF67E0D33623', 'PA', '8CE2703752DB36D8', 'PABLO', '5E309CB43FE2C2FF', 'PAIGE', '02B6B704DFDCE620', 'PAM', '1383324A0068757C', 'PARRISH', '79193FDACFCE46F6', 'PARSON', 'AE28B2BD64720CD7', 'PAT', 'DD20769D59F4F7BF', 'PATORILY', '46B7664BD15859F9', 'PATRICKSANCHEZ', '47F74BD3AD4B5F0A', 'PATSY', '4A63F91FEC7980B7', 'PAUL', '35EC0362643ADD3F', 'PAULA', 'BB0DC58A94C17805', 'PAXTON', '4EB5D8FAD3434CCC', 'PCA1', '8B2E303DEEEEA0C0', 'PCA2', '7AD6CE22462A5781', 'PCA3', 'B8194D12FD4F537D', 'PCA4', '83AD05F1D0B0C603', 'PCS1', '2BE6DD3D1DEA4A16', 'PCS2', '78117145145592B1', 'PCS3', 'F48449F028A065B1', 'PCS4', 'E1385509C0B16BED', 'PD7333', '5FFAD8604D9DC00F', 'PD7334', 'CDCF262B5EE254E1', 'PD810', 'EB04A177A74C6BCB', 'PD811', '3B3C0EFA4F20AC37', 'PD812', 'E73A81DB32776026', 'PD9', 'CACEB3F9EA16B9B7', 'PDA1', 'C7703B70B573D20F', 'PEARL', 'E0AFD95B9EBD0261', 'PEG', '20577ED9A8DB8D22', 'PENNY', 'BB6103E073D7B811', 'PEOPLE', '613459773123B38A', 'PERCY', 'EB9E8B33A2DDFD11', 'PERRY', 'D62B14B93EE176B6', 'PETE', '4040619819A9C76E', 'PEYTON', 'B7127140004677FC', 'PHIL', 
'181446AE258EE2F6', 'PJI', '5024B1B412CD4AB9', 'PJM', '021B05DBB892D11F', 'PM', '72E382A52E89575A', 'PMI', 'A7F7978B21A6F65E', 'PN', 'D40D0FEF9C8DC624', 'PO', '355CBEC355C10FEF', 'POA', '2AB40F104D8517A0', 'POLLY', 'ABC770C112D23DBE', 'POM', '123CF56E05D4EF3C', 'PON', '582090FD3CC44DA3', 'PORTAL', 'A96255A27EC33614', 'PORTAL_APP', '831A79AFB0BD29EC', 'PORTAL_DEMO', 'A0A3A6A577A931A3', 'PORTAL_PUBLIC', '70A9169655669CE8', 'PORTAL30', '969F9C3839672C6D', 'PORTAL30_DEMO', 'CFD1302A7F832068', 'PORTAL30_PUBLIC', '42068201613CA6E2', 'PORTAL30_SSO', '882B80B587FCDBC8', 'PORTAL30_SSO_PS', 'F2C3DC8003BC90F8', 'PORTAL30_SSO_PUBLIC', '98741BDA2AC7FFB2', 'POS', '6F6675F272217CF7', 'PPM1', 'AA4AE24987D0E84B', 'PPM2', '4023F995FF78077C', 'PPM3', '12F56FADDA87BBF9', 'PPM4', '84E17CB7A3B0E769', 'PPM5', '804C159C660F902C', 'PRISTB733', '1D1BCF8E03151EF5', 'PRISTCTL', '78562A983A2F78FB', 'PRISTDTA', '3FCBC379C8FE079C', 'PRODB733', '9CCD49EB30CB80C4', 'PRODCTL', 'E5DE2F01529AE93C', 'PRODDTA', '2A97CD2281B256BA', 'PRODUSER', '752E503EFBF2C2CA', 'PROJMFG', '34D61E5C9BC7147E', 'PRP', 'C1C4328F8862BC16', 'PS', '0AE52ADF439D30BD', 'PS810', '90C0BEC7CA10777E', 'PS810CTL', 'D32CCE5BDCD8B9F9', 'PS810DTA', 'AC0B7353A58FC778', 'PS811', 'B5A174184403822F', 'PS811CTL', '18EDE0C5CCAE4C5A', 'PS811DTA', '7961547C7FB96920', 'PS812', '39F0304F007D92C8', 'PS812CTL', 'E39B1CE3456ECBE5', 'PS812DTA', '3780281C933FE164', 'PSA', 'FF4B266F9E61F911', 'PSB', '28EE1E024FC55E66', 'PSBASS', 'F739804B718D4406', 'PSEM', '40ACD8C0F1466A57', 'PSFT', '7B07F6F3EC08E30D', 'PSFTDBA', 'E1ECD83073C4E134', 'PSP', '4FE07360D435E2F0', 'PTADMIN', '4C35813E45705EBA', 'PTCNE', '463AEFECBA55BEE8', 'PTDMO', '251D71390034576A', 'PTE', '380FDDB696F0F266', 'PTESP', '5553404C13601916', 'PTFRA', 'A360DAD317F583E3', 'PTG', '7AB0D62E485C9A3D', 'PTGER', 'C8D1296B4DF96518', 'PTJPN', '2159C2EAF20011BF', 'PTUKE', 'D0EF510BCB2992A3', 'PTUPG', '2C27080C7CC57D06', 'PTWEB', '8F7F509D4DC01DF6', 'PTWEBSERVER', '3C8050536003278B', 'PUBLIC', '', 
'PV', '76224BCC80895D3D', 'PY7333', '2A9C53FE066B852F', 'PY7334', 'F3BBFAE0DDC5F7AC', 'PY810', '95082D35E94B88C2', 'PY811', 'DC548D6438E4D6B7', 'PY812', '99C575A55E9FDA63', 'PY9', 'B8D4E503D0C4FCFD', 'QA', 'C7AEAA2D59EB1EAE', 'QOT', 'B27D0E5BA4DC8DEA', 'QP', '10A40A72991DCA15', 'QRM', '098286E4200B22DE', 'QS', '4603BCD2744BDE4F', 'QS_ADM', '3990FB418162F2A0', 'QS_CB', '870C36D8E6CD7CF5', 'QS_CBADM', '20E788F9D4F1D92C', 'QS_CS', '2CA6D0FC25128CF3', 'QS_ES', '9A5F2D9F5D1A9EF4', 'QS_OS', '0EF5997DC2638A61', 'QS_WS', '0447F2F756B4F460', 'RENE', '9AAD141AB0954CF0', 'REPADMIN', '915C93F34954F5F8', 'REPORTS', '0D9D14FE6653CF69', 'REPORTS_USER', '635074B4416CD3AC', 'RESTRICTED_US', 'E7E67B60CFAFBB2D', 'RG', '0FAA06DA0F42F21F', 'RHX', 'FFDF6A0C8C96E676', 'RLA', 'C1959B03F36C9BB2', 'RLM', '4B16ACDA351B557D', 'RM1', 'CD43500DAB99F447', 'RM2', '2D8EE7F8857D477E', 'RM3', '1A95960A95AC2E1D', 'RM4', '651BFD4E1DE4B040', 'RM5', 'FDCC34D74A22517C', 'RMAN', 'E7B5D92911C831E1', 'ROB', '94405F516486CA24', 'RPARKER', 'CEBFE4C41BBCC306', 'RWA1', 'B07E53895E37DBBB', 'SALLYH', '21457C94616F5716', 'SAM', '4B95138CB6A4DB94', 'SARAHMANDY', '60BE21D8711EE7D9', 'SCM1', '507306749131B393', 'SCM2', 'CBE8D6FAC7821E85', 'SCM3', '2B311B9CDC70F056', 'SCM4', '1FDF372790D5A016', 'SCOTT', 'F894844C34402B67', 'SDAVIS', 'A9A3B88C6A550559', 'SECDEMO', '009BBE8142502E10', 'SEDWARDS', '00A2EDFD7835BC43', 'SELLCM', '8318F67F72276445', 'SELLER', 'B7F439E172D5C3D0', 'SELLTREAS', '6EE7BA85E9F84560', 'SERVICES', 'B2BE254B514118A5', 'SETUP', '9EA55682C163B9A3', 'SH', '54B253CBBAAA8C48', 'SI_INFORMTN_SCHEMA', '84B8CBCA4D477FA3', 'SID', 'CFA11E6EBA79D33E', 'SKAYE', 'ED671B63BDDB6B50', 'SKYTETSUKA', 'EB5DA777D1F756EC', 'SLSAA', '99064FC6A2E4BBE8', 'SLSMGR', '0ED44093917BE294', 'SLSREP', '847B6AAB9471B0A5', 'SRABBITT', '85F734E71E391DF5', 'SRALPHS', '975601AA57CBD61A', 'SRAY', 'C233B26CFC5DC643', 'SRIVERS', '95FE94ADC2B39E08', 'SSA1', 'DEE6E1BEB962AA8B', 'SSA2', '96CA278B20579E34', 'SSA3', 'C3E8C3B002690CD4', 'SSC1', 
'4F7AC652CC728980', 'SSC2', 'A1350B328E74AE87', 'SSC3', 'EE3906EC2DA586D8', 'SSOSDK', '7C48B6FF3D54D006', 'SSP', '87470D6CE203FB4D', 'SSS1', 'E78C515C31E83848', 'SUPPLIER', '2B45928C2FE77279', 'SVM7333', '04B731B0EE953972', 'SVM7334', '62E2A2E886945CC8', 'SVM810', '0A3DCD8CA3B6ABD9', 'SVM811', '2B0CD57B1091C936', 'SVM812', '778632974E3947C9', 'SVM9', '552A60D8F84441F1', 'SVMB733', 'DD2BFB14346146FE', 'SVP1', 'F7BF1FFECE27A834', 'SY810', 'D56934CED7019318', 'SY811', '2FDC83B401477628', 'SY812', '812B8D7211E7DEF1', 'SY9', '3991E64C4BC2EC5D', 'SYS', '43CA255A7916ECFE', 'SYS7333', 'D7CDB3124F91351E', 'SYS', '5638228DAF52805F', 'SYS7334', '06959F7C9850F1E3', 'SYS', 'D4C5016086B2DC6A', 'SYSADMIN', 'DC86E8DEAA619C1A', 'SYSB733', '7A7F5C90BEC02F0E', 'SYSMAN', 'EB258E708132DD2D', 'SYSTEM', '4D27CA6E3E3066E6', 'TDEMARCO', 'CAB71A14FA426FAE', 'SYSTEM', 'D4DF7931AB130E37', 'TDOS_ICSAP', '7C0900F751723768', 'TESTCTL', '205FA8DF03A1B0A6', 'TESTDTA', 'EEAF97B5F20A3FA3', 'TRA1', 'BE8EDAE6464BA413', 'TRACESVR', 'F9DA8977092B7B81', 'TRBM1', 'B10ED16CD76DBB60', 'TRCM1', '530E1F53715105D0', 'TRDM1', 'FB1B8EF14CF3DEE7', 'TRRM1', '4F29D85290E62EBE', 'TWILLIAMS', '6BF819CE663B8499', 'UDDISYS', 'BF5E56915C3E1C64', 'VEA', 'D38D161C22345902', 'VEH', '72A90A786AAE2914', 'VIDEO31', '2FA72981199F9B97', 'VIDEO4', '9E9B1524C454EEDE', 'VIDEO5', '748481CFF7BE98BB', 'VP1', '3CE03CD65316DBC7', 'VP2', 'FCCEFD28824DFEC5', 'VP3', 'DEA4D8290AA247B2', 'VP4', 'F4730B0FA4F701DC', 'VP5', '7DD67A696734AE29', 'VP6', '45660DEE49534ADB', 'WAA1', 'CF013DC80A9CBEE3', 'WAA2', '6160E7A17091741A', 'WCRSYS', '090263F40B744BD8', 'WEBDB', 'D4C4DCDD41B05A5D', 'WEBSYS', '54BA0A1CB5994D64', 'WENDYCHO', '7E628CDDF051633A', 'WH', '91792EFFCB2464F9', 'WIP', 'D326D25AE0A0355C', 'WIRELESS', '1495D279640E6C3A', 'WK_TEST', '29802572EB547DBF', 'WIRELESS', 'EB9615631433603E', 'WKPROXY', 'AA3CB2A4D9188DDB', 'WKSYS', '545E13456B7DDEA0', 'WMS', 'D7837F182995E381', 'WMSYS', '7C9BA362F8314299', 'WPS', '50D22B9D18547CF7', 'WSH', 
'D4D76D217B02BD7A', 'WSM', '750F2B109F49CC13', 'XDB', '88D8364765FCE6AF', 'XDO', 'E9DDE8ACFA7FE8E4', 'XDP', 'F05E53C662835FA2', 'XLA', '2A8ED59E27D86D41', 'XLE', 'CEEBE966CC6A3E39', 'XNB', '03935918FA35C993', 'XNC', 'BD8EA41168F6C664', 'XNI', 'F55561567EF71890', 'XNM', '92776EA17B8B5555', 'XNP', '3D1FB783F96D1F5E', 'XNS', 'FABA49C38150455E', 'XTR', 'A43EE9629FA90CAE', 'YCAMPOS', 'C3BBC657F099A10F', 'YSANCHEZ', 'E0C033C4C8CC9D84', 'ZFA', '742E092A27DDFB77', 'ZPB', 'CAF58375B6D06513', 'ZSA', 'AFD3BD3C7987CBB6', 'ZX', '7B06550956254585', 'FLOWS_030000', 'B5C7B17C2C983E8F', 'FLOWS_FILES', '5CDD1E40E516FE6A', 'TSMSYS', '3DF26A8B17D0F29F', 'ORACLE_OCM', '6D17CF1EB1611F94', 'OWBSYS', '610A3C38F301776F', 'SPATIAL_CSW_ADMIN', '093913703800E437', 'SPATIAL_WFS_ADMIN', '32FA36DC781579AA', 'SPATIAL_CSW_ADMIN_USR', '1B290858DD14107E', 'SPATIAL_WFS_ADMIN_USR', '7117215D6BEE6E82', 'MGMT_VIEW', '17028530E6D346B4', 'APEX_PUBLIC_USER', 'C8E264D926F001D8', 'XS$NULL', 'DC4FCC8CB69A6733', name );
If any accounts listed show an account status of OPEN, this is a Finding. If all of the accounts listed show an account status of LOCKED & EXPIRED or LOCKED, this is a Finding, but downgrade the severity Category Code to II.
Fix: F-26388r2_fix
Change passwords from the default. Ensure passwords meet complexity standards outlined in STIG Requirement DG0079. From SQL*Plus:
alter user [username] identified by [password];
Lock and expire any accounts not required for interactive access. From SQL*Plus:
alter user [username] account lock;
alter user [username] password expire;
NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0130-ORACLE11
- Vuln IDs: V-15637
- Rule IDs: SV-24968r2_rule
Checks: C-24316r2_chk
Ask the DBA to review application source code that is required by Check DG0091 to be encoded or encrypted for database accounts used by applications or batch jobs to access the database. Ask the DBA to review source batch job code prior to compiling, encoding or encrypting for database accounts used by applications or the batch jobs themselves to access the database. Ask the DBA and/or IAO to determine if the compiled, encoded or encrypted application source code or batch jobs contain passwords used for authentication to the database. If none of the identified compiled, encoded or encrypted application source code or batch job code contain passwords used for authentication, this check is Not a Finding. If any of the identified compiled, encoded or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a Finding. NOTE: This check only applies to application source code or batch job code that is compiled, encoded or encrypted in a production environment. Application source code or batch job code that is not compiled, encoded or encrypted would fall under Check DG0067 for determination of compliance.
Fix: F-3413r1_fix
Design DBMS application code and batch job code that is compiled, encoded or encrypted to NOT contain passwords. Consider alternatives to using password authentication for compiled, encoded or encrypted batch jobs and DBMS application code.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0133-ORACLE11
- Vuln IDs: V-15639
- Rule IDs: SV-24426r2_rule
Checks: C-29365r2_chk
From SQL*Plus:
select profile, limit from dba_profiles where resource_name = 'PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED', 'DEFAULT');
If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked.
Fix: F-26390r1_fix
Set the password_lock_time on all defined profiles to unlimited. This will require the DBA to manually re-enable every locked account after the failed login limit has been reached. From SQL*Plus:
alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;
Replace [profile name] with an existing, non-default profile name.
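The check above skips profiles whose limit reads DEFAULT, yet those profiles inherit whatever the DEFAULT profile says, so a reviewer still needs the effective value. The following is an added example, not the STIG's own script: the first query resolves the effective PASSWORD_LOCK_TIME for every profile, the second generates the fix statements described above; the status wording and column names are this example's own.

```sql
-- Effective PASSWORD_LOCK_TIME per profile. A limit of DEFAULT means "use the
-- DEFAULT profile's value", so join each profile row to the DEFAULT profile row.
select p.profile,
       p.limit as declared_limit,
       case when p.limit = 'DEFAULT' then d.limit else p.limit end as effective_limit,
       case when (case when p.limit = 'DEFAULT' then d.limit else p.limit end) = 'UNLIMITED'
            then 'Not a Finding'
            else 'Finding'
       end as dg0133_status
  from dba_profiles p
  join dba_profiles d
    on d.profile = 'DEFAULT'
   and d.resource_name = p.resource_name
 where p.resource_name = 'PASSWORD_LOCK_TIME'
 order by p.profile;

-- Generate the fix statements from the page: DEFAULT gets UNLIMITED, every other
-- profile is pointed back at DEFAULT. Only non-compliant rows are emitted; review
-- the output before running it (profile names are quoted in case of mixed case).
select 'alter profile "' || profile || '" limit password_lock_time '
       || case when profile = 'DEFAULT' then 'unlimited' else 'default' end
       || ';' as fix_statement
  from dba_profiles
 where resource_name = 'PASSWORD_LOCK_TIME'
   and limit <> case when profile = 'DEFAULT' then 'UNLIMITED' else 'DEFAULT' end
 order by profile;
```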
- RMF Control:
- Severity: M
- CCI:
- Version: DG0135-ORACLE11
- Vuln IDs: V-15641
- Rule IDs: SV-24429r1_rule
Checks: C-29367r1_chk
If the database does not store or process classified data, or user accounts are prohibited from accessing the database interactively, this check is Not a Finding.
NOTE: Per the STIG, the definition of an Interactive Database User can be considered an end-user who accesses the database interactively using tools like SQL*Plus, TOAD, etc. and not through a mid-tier application. Your DAA has the option to consider administration accounts (SYSDBA, SYSOPER, SCHEMA accounts and accounts assigned DBA privileges) as Interactive Database User accounts for the purposes of this check. The definition of an Interactive Database User should be documented in the System Security Plan.
Have the DBA perform an interactive logon test (via SQL*Plus) using a non-privileged account (and a privileged account if privileged accounts meet this requirement) to verify display of user access and account usage. If the last successful login and the number of unsuccessful attempts since the last successful login are not reported, this is a Finding.
Fix: F-26391r1_fix
Develop, document and implement an automated method to display at interactive logon the time and date of the last successful login and the number of failed login attempts since the last successful login for users that access the database interactively. This may require a custom-developed logon trigger or procedure to accomplish. NOTE: This may cause interaction/functionality problems with COTS applications not designed for this kind of interaction.
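One way to build the "custom-developed procedure" the fix calls for, as an added example rather than STIG or Oracle code: a function that reads the session audit trail and a SQL*Plus login-script hook that calls it, so SQL*Plus users see the notice at every logon (other tools such as TOAD would need their own hook). It assumes audit_trail is DB and "audit session by access" is in effect so logons land in dba_audit_session, and the SECADMIN schema and function name are hypothetical choices.

```sql
-- As SYS: give the (hypothetical) SECADMIN schema a direct grant on the audit
-- view; a direct grant is needed because the function runs with definer's rights.
grant select on sys.dba_audit_session to secadmin;

create or replace function secadmin.last_logon_report return varchar2
authid definer as
  v_user  varchar2(128) := sys_context('USERENV', 'SESSION_USER');
  v_last  date;
  v_fails number;
begin
  -- Most recent successful logon by this user, excluding the session being opened
  -- right now (its own LOGON row is already in the audit trail).
  select max(a.timestamp) into v_last
    from dba_audit_session a
   where a.username    = v_user
     and a.action_name = 'LOGON'
     and a.returncode  = 0
     and a.sessionid  <> to_number(sys_context('USERENV', 'SESSIONID'));

  -- Failed logons (non-zero return code, e.g. ORA-01017) since that success.
  select count(*) into v_fails
    from dba_audit_session a
   where a.username    = v_user
     and a.action_name = 'LOGON'
     and a.returncode <> 0
     and a.timestamp   > nvl(v_last, date '1900-01-01');

  return 'Last successful logon: '
         || nvl(to_char(v_last, 'YYYY-MM-DD HH24:MI:SS'), 'none recorded')
         || '; failed attempts since then: ' || v_fails;
end;
/
grant execute on secadmin.last_logon_report to public;

-- Line to add to the site-wide SQL*Plus login script
-- ($ORACLE_HOME/sqlplus/admin/glogin.sql) so the notice prints at each logon:
select secadmin.last_logon_report() as logon_notice from dual;
```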
- RMF Control:
- Severity: M
- CCI:
- Version: DG0138-ORACLE11
- Vuln IDs: V-15642
- Rule IDs: SV-24798r1_rule
Checks: C-29369r1_chk
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. Review data access requirements for sensitive data as identified and assigned by the Information Owner in the System Security Plan. Review the access controls for sensitive data configured in the database. If the configured access controls do not match those defined in the System Security Plan, this is a Finding.
Fix: F-26394r1_fix
Define, document and implement all sensitive data access controls based on job function in the System Security Plan.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0141-ORACLE11
- Vuln IDs: V-15644
- Rule IDs: SV-24801r3_rule
Checks: C-26453r3_chk
From SQL*Plus:
select name from stmt_audit_option_map
where name not in (select audit_option from dba_stmt_audit_opts)
and name not in ('ALL STATEMENTS', 'ANALYZE ANY DICTIONARY', 'CREATE DIRECTORY', 'DEBUG CONNECT ANY', 'DEBUG CONNECT USER', 'DELETE ANY TABLE', 'DELETE TABLE', 'DROP DIRECTORY', 'EXECUTE ANY LIBRARY', 'EXECUTE ANY PROCEDURE', 'EXECUTE ANY TYPE', 'EXECUTE LIBRARY', 'EXECUTE PROCEDURE', 'EXISTS', 'GRANT LIBRARY', 'INSERT ANY TABLE', 'INSERT TABLE', 'LOCK TABLE', 'NETWORK', 'OUTLINE', 'READUP', 'READUP DBHIGH', 'SELECT ANY DICTIONARY', 'SELECT ANY SEQUENCE', 'SELECT ANY TABLE', 'SELECT MINING MODEL', 'SELECT SEQUENCE', 'SELECT TABLE', 'UPDATE ANY TABLE', 'UPDATE TABLE', 'USE EDITION', 'WRITEDOWN', 'WRITEDOWN DBLOW', 'WRITEUP', 'WRITEUP DBHIGH');
If any audit options are returned, this is a finding.
Fix: F-22791r4_fix
There are three types of auditable events: 1) Use of system privileges, 2) Use of object privileges, and 3) Issuance of statements. Activating some auditing options sometimes activates others. For example, the use of a system privilege requires the issuance of a system command. Auditing for use of the privilege also audits for the statement. Configure auditing for Oracle using the following script. If the Check reports audit option names not included in this script, augment it with one additional statement per option reported. From SQL*Plus:
audit all by access;
audit all privileges by access;
audit alter database link by access;
audit alter java class by access;
audit alter java resource by access;
audit alter java source by access;
audit alter mining model by access;
audit alter public database link by access;
audit alter sequence by access;
audit alter table by access;
audit comment edition by access;
audit comment mining model by access;
audit comment table by access;
audit create java class by access;
audit create java resource by access;
audit create java source by access;
audit debug procedure by access;
audit drop java class by access;
audit drop java resource by access;
audit drop java source by access;
audit execute assembly;
audit exempt access policy by access;
audit exempt identity policy by access;
audit grant directory by access;
audit grant edition by access;
audit grant mining model by access;
audit grant procedure by access;
audit grant sequence by access;
audit grant table by access;
audit grant type by access;
audit sysdba by access;
audit sysoper by access;
The following SQL statements will disable audits set by the commands above that are not required:
noaudit execute library;
audit rename on default by access;
If application objects have already been created, then the audit rename on object statement should be issued for all application objects. From SQL*Plus:
audit rename on [application object name] by access;
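Rather than hand-writing one extra statement per option the check reports, the statements can be generated from the same query. This is an added example, not the STIG's script: it reuses the check's exclusion list verbatim, and the second query goes one step beyond the check by flagging options that are audited BY SESSION instead of BY ACCESS, which the check would not report but which do not match the fix script's intent.

```sql
-- Emit "audit <option> by access;" for every option DG0141 would report. Review the
-- output before running it: a few names in stmt_audit_option_map are privilege
-- shortcuts, and you may prefer to keep them out of the script as the page does.
select 'audit ' || lower(m.name) || ' by access;' as fix_statement
  from stmt_audit_option_map m
 where m.name not in (select o.audit_option from dba_stmt_audit_opts o)
   and m.name not in (
       'ALL STATEMENTS', 'ANALYZE ANY DICTIONARY', 'CREATE DIRECTORY',
       'DEBUG CONNECT ANY', 'DEBUG CONNECT USER', 'DELETE ANY TABLE',
       'DELETE TABLE', 'DROP DIRECTORY', 'EXECUTE ANY LIBRARY',
       'EXECUTE ANY PROCEDURE', 'EXECUTE ANY TYPE', 'EXECUTE LIBRARY',
       'EXECUTE PROCEDURE', 'EXISTS', 'GRANT LIBRARY', 'INSERT ANY TABLE',
       'INSERT TABLE', 'LOCK TABLE', 'NETWORK', 'OUTLINE', 'READUP',
       'READUP DBHIGH', 'SELECT ANY DICTIONARY', 'SELECT ANY SEQUENCE',
       'SELECT ANY TABLE', 'SELECT MINING MODEL', 'SELECT SEQUENCE',
       'SELECT TABLE', 'UPDATE ANY TABLE', 'UPDATE TABLE', 'USE EDITION',
       'WRITEDOWN', 'WRITEDOWN DBLOW', 'WRITEUP', 'WRITEUP DBHIGH')
 order by m.name;

-- Database-wide options (user_name and proxy_name are null) that are enabled but
-- not BY ACCESS on both success and failure. Values are BY ACCESS, BY SESSION
-- or NOT SET; BY SESSION collapses repeated actions into one audit record.
select o.audit_option, o.success, o.failure
  from dba_stmt_audit_opts o
 where o.user_name  is null
   and o.proxy_name is null
   and (o.success <> 'BY ACCESS' or o.failure <> 'BY ACCESS')
 order by o.audit_option;
```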
- RMF Control:
- Severity: M
- CCI:
- Version: DG0142-ORACLE11
- Vuln IDs: V-15645
- Rule IDs: SV-24805r3_rule
Checks: C-29371r2_chk
From SQL*Plus: select value from v$parameter where name = 'audit_sys_operations'; If the value returned is FALSE, this is a Finding.
Fix: F-26396r1_fix
From SQL*Plus: alter system set audit_sys_operations = TRUE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0145-ORACLE11
- Vuln IDs: V-15646
- Rule IDs: SV-30881r1_rule
Checks: C-31301r1_chk
Review samples of the DBMS audit logs. Compare to the required elements listed below:
- User ID.
- Successful and unsuccessful attempts to access security files.
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Data required to audit the possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security relevant actions associated with periods processing or the changing of security labels or categories of information.
If the elements listed above are not included in the audit logs at a minimum, this is a Finding.
Fix: F-27769r1_fix
Configure audit settings to include the following list of elements in the audit logs at a minimum:
- User ID.
- Successful and unsuccessful attempts to access security files.
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
- Data required to audit the possible use of covert channel mechanisms.
- Privileged activities and other system-level access.
- Starting and ending time for access to the system.
- Security relevant actions associated with periods processing or the changing of security labels or categories of information.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0146-ORACLE11
- Vuln IDs: V-15647
- Rule IDs: SV-24976r1_rule
Checks: C-28646r1_chk
Review audit settings for disabling or locking account events based on event failures. If the settings are not configured to include the cause of the lock or disabling, this is a Finding.
Fix: F-3790r1_fix
Determine and implement audit settings that will collect and store the cause of any DBMS account or connection lock or disabling actions taken by the DBMS.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0165-ORACLE11
- Vuln IDs: V-15654
- Rule IDs: SV-24817r1_rule
Checks: C-29381r1_chk
If symmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding. If the symmetric key management procedures and configuration settings for the DBMS are not specified in the System Security Plan, this is a Finding. If the procedures are not followed with evidence for audit, this is a Finding. NOTE: This check does not include a review of the key management procedures for validity. Specific key management requirements may be covered under separate checks.
Fix: F-26406r1_fix
Symmetric and other encryption keys require the following:
- protection from unauthorized access in transit and in storage
- utilization of accepted algorithms
- generation in accordance with required standards for the key's use
- expiration date
- continuity
- key backup and recovery
- key change
- archival key storage (as necessary)
Details for key management requirements are provided by FIPS 140-2 key management standards available from NIST. Oracle Advanced Security is required to provide symmetric key management features.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0172-ORACLE11
- Vuln IDs: V-15657
- Rule IDs: SV-24442r2_rule
Checks: C-29386r2_chk
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this is not a finding. If security labeling is not required, this is not a finding. If no sensitive or classified data is identified by the Information Owner as requiring labeling in the System Security Plan and/or AIS Functional Architecture documentation, this is not a finding. Run the SQL statement: select * from dba_sa_audit_options; If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding.
Fix: F-26412r1_fix
Define the policy for auditing changes to security labels defined for the data. Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy.
- RMF Control:
- Severity: M
- CCI:
- Version: DG0192-ORACLE11
- Vuln IDs: V-15660
- Rule IDs: SV-24838r2_rule
Checks: C-29399r2_chk
From SQL*Plus: select value from v$parameter where name = 'global_names'; If the value returned is FALSE, this is a Finding.
Fix: F-26424r1_fix
From SQL*Plus: alter system set global_names = TRUE scope = spfile; NOTE: This parameter, if changed, will affect all currently defined Oracle database links. The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DO0233-ORACLE11
- Vuln IDs: V-15747
- Rule IDs: SV-24869r2_rule
Checks: C-26535r2_chk
From SQL*Plus:
select value from v$parameter where name='diagnostic_dest';
On UNIX systems:
ls -ld [pathname]/diag
Substitute [pathname] with the directory path listed from the above SQL command, and append "/diag" to it, as shown. If permissions are granted for world access, this is a finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a finding.
On Windows systems (from Windows Explorer): Browse to the \diag directory under the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a finding.
Fix: F-22818r2_fix
Alter host system permissions to the <DIAGNOSTIC_DEST>/diag directory to the Oracle process and software owner accounts, DBAs, SAs (if required) and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list.
- RMF Control:
- Severity: M
- CCI:
- Version: DO6748-ORACLE11
- Vuln IDs: V-16033
- Rule IDs: SV-60351r1_rule
Checks: C-16814r2_chk
From SQL*Plus: select value from v$parameter where name = 'sec_case_sensitive_logon'; If the value returned is not TRUE, this is a Finding.
Fix: F-16077r1_fix
Enable case sensitive passwords. From SQL*Plus: alter system set sec_case_sensitive_logon = TRUE scope = both; The above SQL*Plus command will set the parameter to take effect immediately and permanently at next system startup. NOTE: Password and account requirements have changed for DoD since the STIG requirement listed in the table for this check was published.
- RMF Control:
- Severity: M
- CCI:
- Version: DO6749-ORACLE11
- Vuln IDs: V-16035
- Rule IDs: SV-55939r2_rule
Checks: C-16815r2_chk
From SQL*Plus: select value from v$parameter where name = 'sec_max_failed_login_attempts'; If the value returned is equal to 0 or greater than 3, this is a Finding.
Fix: F-16078r1_fix
Limit the number of failed login attempts for the database. From SQL*Plus: alter system set sec_max_failed_login_attempts = 3 scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
- RMF Control:
- Severity: M
- CCI:
- Version: DO6750-ORACLE11
- Vuln IDs: V-16053
- Rule IDs: SV-55940r2_rule
Checks: C-17062r2_chk
From SQL*Plus: select upper(value) from v$parameter where name = 'sec_protocol_error_further_action'; If the value returned does not include DROP or DELAY, this is a Finding.
Fix: F-16156r1_fix
Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY. DROP provides better protection and is recommended. From SQL*Plus:
alter system set sec_protocol_error_further_action = 'drop' scope = spfile;
OR
alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile;
NOTE: The addition of ',3' above further limits the number of 'bad packets' to the specified number before forcefully terminating the connection. The above SQL*Plus command will set the parameter to take effect at next system startup.
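Several checks on this page (DG0142 audit_sys_operations, DG0192 global_names, DO6748 sec_case_sensitive_logon, DO6749 sec_max_failed_login_attempts, DO6750 sec_protocol_error_further_action) are single-parameter lookups whose fixes take effect only at the next restart, so v$parameter keeps reporting the old value until then. The query below is an added example, not STIG text: it evaluates all five in one pass against both the running instance and the spfile; the required-value and status wording are this example's own, and it assumes spfile entries are stored for all instances (sid = '*').

```sql
-- Expected values, taken from the five checks on this page.
with expected as (
  select 'audit_sys_operations'              as name, 'TRUE'                   as required from dual union all
  select 'global_names'                      as name, 'TRUE'                   as required from dual union all
  select 'sec_case_sensitive_logon'          as name, 'TRUE'                   as required from dual union all
  select 'sec_max_failed_login_attempts'     as name, '1 to 3'                 as required from dual union all
  select 'sec_protocol_error_further_action' as name, 'contains DROP or DELAY' as required from dual
),
current_values as (
  -- Memory value is what the instance enforces now; spfile value is what the
  -- next startup will use (null when the parameter is not explicitly set there).
  select e.name, e.required,
         (select upper(p.value) from v$parameter   p where p.name = e.name) as memory_value,
         (select upper(s.value) from v$spparameter s where s.name = e.name and s.sid = '*') as spfile_value
    from expected e
)
select name, required, memory_value, spfile_value,
       case name
         when 'sec_max_failed_login_attempts' then
           case when to_number(memory_value) between 1 and 3 then 'Not a Finding' else 'Finding' end
         when 'sec_protocol_error_further_action' then
           case when memory_value like '%DROP%' or memory_value like '%DELAY%'
                then 'Not a Finding' else 'Finding' end
         else
           case when memory_value = 'TRUE' then 'Not a Finding' else 'Finding' end
       end as memory_status,
       case when spfile_value is null        then 'not set in spfile (default or pfile)'
            when spfile_value = memory_value then 'matches memory'
            else 'differs: pending until restart'
       end as spfile_status
  from current_values
 order by name;
```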