Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
From SQL*Plus: select 'The number of replication objects defined is: '|| count(*) from all_tables where table_name like 'REPCAT%'; If the count returned is 0, then Oracle Replication is not installed and this check is not a finding. Otherwise: From SQL*Plus: select count(*) from sys.dba_repcatlog; If the count returned is 0, then Oracle Replication is not in use and this check is not a finding. If any results are returned, ask the ISSO or DBA if the replication account (the default is REPADMIN, but may be customized) is restricted to ISSO-authorized personnel only. If it is not, this is a finding. If there are multiple replication accounts, confirm that all are justified and documented with the ISSO. If they are not, this is a finding. Note: Oracle Database Advanced Replication is deprecated in Oracle Database 12c. Use Oracle GoldenGate to replace all features of Advanced Replication, including multimaster replication, updatable materialized views, hierarchical materialized views, and deployment templates.
Change the password for default and custom replication accounts and provide the password to ISSO-authorized users only.
From SQL*Plus: select instance_name from v$instance; select version from v$instance; If the instance name returned references the Oracle release number, this is a finding. Numbers used that include version numbers by coincidence are not a finding. The DBA should be able to relate the significance of the presence of a digit in the SID.
Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents) to change the SID for the database without re-creating the database to a value that does not identify the Oracle version.
From SQL*Plus: select owner||': '||db_link from dba_db_links; If no records are returned from the first SQL statement, this check is not a finding. Confirm the public and fixed user database links listed are documented in the System Security Plan, are authorized by the ISSO, and are used for replication or operational system requirements. If any are not, this is a finding.
Document all authorized connections from the database to remote databases in the System Security Plan. Remove all unauthorized remote database connection definitions from the database. From SQL*Plus: drop database link [link name]; OR drop public database link [link name]; Review remote database connection definitions periodically and confirm their use is still required and authorized.
From SQL*Plus: select name from v$controlfile; DoD guidance recommends: 2a. Each control file is to be located on separate, archived physical or virtual storage devices. OR 2b. Each control file is to be located on separate, archived directories within one or more RAID devices. 3. The Logical Paths for each control file should differ at the highest level supported by the configuration, for example: UNIX /ora03/app/oracle/{SID}/control/control01.ctl /ora04/app/oracle/{SID}/control/control02.ctl Windows D:/oracle/{SID}/control/control01.ctl E:/oracle/{SID}/control/control02.ctl If the minimum listed above is not met, this is a finding. Consult with the SA or DBA to determine that the mount points or partitions referenced in the file paths indicate separate physical disks or directories on RAID devices. Note: Distinct does not equal dedicated. May share directory space with other Oracle database instances if present.
To prevent loss of service during disk failure, multiple copies of Oracle control files must be maintained on separate disks in archived directories or on separate, archived directories within one or more RAID devices. Adding or moving a control file requires careful planning and execution. Consult and follow the instructions for creating control files in the Oracle Database Administrator's Guide, under Steps for Creating New Control Files.
From SQL*Plus: select count(*) from V$LOG; If the value of the count returned is less than 2, this is a finding. From SQL*Plus: select count(*) from V$LOG where members > 1; If the value of the count returned is less than 2 and a RAID storage device is not being used, this is a finding.
To define additional redo log file groups: From SQL*Plus (Example): alter database add logfile group 2 ('diska:log2.log' , 'diskb:log2.log') size 50K; To add additional redo log file [members] to an existing redo log file group: From SQL*Plus (Example): alter database add logfile member 'diskc:log2.log' to group 2; Replace diska, diskb, diskc with valid, different disk drive specifications. Replace log#.log file with valid or custom names for the log files.
Execute the query: select grantee||': '||owner||'.'||table_name from dba_tab_privs where grantable = 'YES' and grantee not in (select distinct owner from dba_objects) and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA') and table_name not like 'SYS_PLSQL_%' order by grantee; If any accounts are listed, this is a finding.
Revoke privileges granted the WITH GRANT OPTION from non-DBA and accounts that do not own application objects. Re-grant privileges without specifying WITH GRANT OPTION. Note: Do not revoke the system-generated grants such as those found on The SYS_PLSQL_% objects. They are system generated object types (a.k.a ShadowTypes) which are created internally by Oracle when you use the Pipelined Table Functions. This can result in (incorrect) compilation failures and/or invalidations when the users who are supposed to have access to the shadow types find themselves without access.
From SQL*Plus: select value from v$parameter where name = 'remote_os_authent'; If the value returned does not equal FALSE, this is a finding.
Document remote OS authentication in the System Security Plan. If not required or not mitigated to an acceptable level, disable remote OS authentication. From SQL*Plus: alter system set remote_os_authent = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
From SQL*Plus: select value from v$parameter where name = 'remote_os_roles'; If the value returned is FALSE, this is not a finding. If the value returned is TRUE, confirm that the setting is justified and documented. If not, this is a finding.
Document remote OS roles in the System Security Plan. If not required, disable use of remote OS roles. From SQL*Plus: alter system set remote_os_roles = FALSE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
From SQL*Plus: select value from v$parameter where name = 'sql92_security'; If the value returned is set to FALSE, this is a finding. If the parameter is set to TRUE or does not exist, this is not a finding.
Enable SQL92 security. From SQL*Plus: alter system set sql92_security = TRUE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.
From SQL*Plus: Select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE'; If the value returned does not equal "EXCLUSIVE" or "NONE", this is a finding. On UNIX Systems: ls -ld $ORACLE_HOME/dbs/orapw${ORACLE_SID} Substitute ${ORACLE_SID} with the name of the ORACLE_SID for the database. If permissions are granted for world access, this is a finding. On Windows Systems (From Windows Explorer): Navigate to the %ORACLE_HOME%\database\directory. Select and right-click on the PWD%ORACLE_SID%.ora file, select Properties >> Security tab. Substitute %ORACLE_SID% with the name of the ORACLE_SID for the database. If permissions are granted to everyone, this is a finding. If any account other than the DBMS software installation account is listed, this is a finding.
Disable use of the REMOTE_LOGIN_PASSWORDFILE where remote administration is not authorized by specifying a value of NONE. If authorized, restrict use of a password file to exclusive use by each database by specifying a value of EXCLUSIVE. From SQL*Plus: alter system set REMOTE_LOGIN_PASSWORDFILE = 'EXCLUSIVE' scope = spfile; OR alter system set REMOTE_LOGIN_PASSWORDFILE = 'NONE' scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup. Restrict ownership and permissions on the Oracle password file to exclude world (Unix) or everyone (Windows). More information regarding the ORAPWD file and the REMOTE_LOGIN_PASSWORDFILE parameter, can be found here: https://docs.oracle.com/database/121/ADMIN/dba.htm#ADMIN12478
A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS. To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted below. The database administrator is responsible for unlocking and resetting these accounts, as required. Non-Administrative Accounts - Expired and locked: APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, SPATIAL_WFS_ADMIN_USR, XS$NULL Administrative Accounts - Expired and Locked: ANONYMOUS, CTXSYS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, ORACLE_OCM, ORDDATA, OWBSYS, ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, SPATIAL_CSW_ADMIN_USR, WK_TEST, WK_SYS, WKPROXY, WMSYS, XDB Administrative Accounts - Open: DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM, SYSKM * Subject to change based on version installed Run the SQL query: From SQL*Plus: select grantee, privilege from dba_sys_privs where grantee not in (<list of non-applicable accounts>) and admin_option = 'YES' and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA'); (With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.) If any accounts that are not authorized to have the ADMIN OPTION are listed, this is a finding.
Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option. From SQL*Plus: revoke [privilege name] from user [username]; Replace [privilege name] with the named privilege and [username] with the named user. Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.
From SQL*Plus: select privilege from dba_sys_privs where grantee = 'PUBLIC'; If any records are returned, this is a finding.
Revoke any system privileges assigned to PUBLIC: From SQL*Plus: revoke [system privilege] from PUBLIC; Replace [system privilege] with the named system privilege. Note: System privileges are not granted to PUBLIC by default and would indicate a custom action.
A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either SYSTEM or SYSAUX. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is USERS. To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted below. The database administrator is responsible for unlocking and resetting these accounts, as required. Non-Administrative Accounts - Expired and locked: APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, SPATIAL_WFS_ADMIN_USR, XS$NULL Administrative Accounts - Expired and Locked: ANONYMOUS, CTXSYS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, ORACLE_OCM, ORDDATA, OWBSYS, ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, SPATIAL_CSW_ADMIN_USR, WK_TEST, WK_SYS, WKPROXY, WMSYS, XDB Administrative Accounts - Open: DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM * Subject to change based on version installed Run the SQL statement: select grantee||': '||granted_role from dba_role_privs where grantee not in (<list of non-applicable accounts>) and admin_option = 'YES' and grantee not in (select distinct owner from dba_objects) and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA') order by grantee; (With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.) Review the System Security Plan to confirm any grantees listed are ISSO-authorized DBA accounts or application administration roles. If any grantees listed are not authorized and documented, this is a finding.
Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required. SQL statements to remove the admin option from an unauthorized grantee: revoke <role name> from <grantee>; grant <role name> to <grantee>; Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan.
A default Oracle Database installation provides a set of predefined administrative accounts and non-administrative accounts. These are accounts that have special privileges required to administer areas of the database, such as the “CREATE ANY TABLE” or “ALTER SESSION” privilege, or “EXECUTE” privileges on packages owned by the SYS schema. The default tablespace for administrative accounts is either “SYSTEM” or “SYSAUX”. Non-administrative user accounts only have the minimum privileges needed to perform their jobs. Their default tablespace is “USERS”. To protect these accounts from unauthorized access, the installation process expires and locks most of these accounts, except where noted below. The database administrator is responsible for unlocking and resetting these accounts, as required. Non-Administrative Accounts - Expired and locked: APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, SPATIAL_WFS_ADMIN_USR, XS$NULL Administrative Accounts - Expired and Locked: ANONYMOUS, CTXSYS, EXFSYS, LBACSYS, , GSMADMIN_INTERNAL, MDSYS, OLAPSYS, ORACLE_OCM, ORDDATA, OWBSYS, ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, SPATIAL_CSW_ADMIN_USR, WK_TEST, WK_SYS, WKPROXY, WMSYS, XDB Administrative Accounts - Open: DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM * Subject to change based on version installed Run the SQL query: select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs where grantee = 'PUBLIC' and owner not in (<list of non-applicable accounts>); (With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.) If there are any records returned that are not Oracle product accounts, and are not documented and authorized, this is a finding. Note: This check may return false positives where other Oracle product accounts are not included in the exclusion list.
Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts. From SQL*Plus: revoke [privilege name] from [user name] on [object name]; Assign permissions to custom application user roles based on job functions: From SQL*Plus: grant [privilege name] to [user role] on [object name];
If a listener is not running on the local database host server, this check is not a finding. Note: This check needs to be done only once per host system and once per listener. Multiple listeners may be defined on a single host system. They must all be reviewed, but only once per database home review. For subsequent database home reviews on the same host system, this check is not a finding. Determine all Listeners running on the host. For Windows hosts, view all Windows services with TNSListener embedded in the service name - The service name format is: Oracle[ORACLE_HOME_NAME]TNSListener For UNIX hosts, the Oracle Listener process will indicate the TNSLSNR executable. At a command prompt, issue the command: ps -ef | grep tnslsnr | grep -v grep The alias for the listener follows tnslsnr in the command output. Must be logged on the host system using the account that owns the tnslsnr executable (UNIX). If the account is denied local logon, have the system SA assist in this task by adding 'su' to the listener account from the root account. On Windows platforms, log on using an account with administrator privileges to complete the check. From a system command prompt, execute the listener control utility: lsnrctl status [LISTENER NAME] Review the results for the value of Security. If "Security = OFF" is displayed, this is a finding. If "Security = ON: Local OS Authentication" is displayed, this is not a finding. If "Security = ON: Password or Local OS Authentication", this is a finding (do not set a password on Oracle versions 10.1 and higher. Instead, use Local OS Authentication). Repeat the execution of the lsnrctl utility for all active listeners.
By default, Oracle Net Listener permits only local administration for security reasons. As a policy, the listener can be administered only by the user who started it. This is enforced through local operating system authentication. For example, if user1 starts the listener, then only user1 can administer it. Any other user trying to administer the listener gets an error. The super user is the only exception. Remote administration of the listener must not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred. Authorize and document this requirement in the System Security Plan. Note: In Oracle Database 12c Release 1 (12.1), the listener password feature is no longer supported. This does not cause a loss of security because authentication is enforced through local operating system authentication. Refer to Oracle Database Net Services Reference for additional information.
From SQL*Plus: select granted_role from dba_role_privs where grantee = 'PUBLIC'; If any roles are listed, this is a finding.
Revoke role grants from PUBLIC. Do not assign role privileges to PUBLIC. From SQL*Plus: revoke [role name] from PUBLIC;
Run the SQL query: select grantee, granted_role from dba_role_privs where default_role='YES' and granted_role in (select grantee from dba_sys_privs where upper(privilege) like '%USER%') and grantee not in (<list of non-applicable accounts>) and grantee not in (select distinct owner from dba_tables) and grantee not in (select distinct username from dba_users where upper(account_status) like '%LOCKED%'); (With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.) Review the list of accounts reported for this check and ensures that they are authorized application administration roles. If any are not authorized application administration roles, this is a finding.
For each role assignment returned, issue: From SQL*Plus: alter user [username] default role all except [role]; If the user has more than one application administration role assigned, then remove assigned roles from default assignment and assign individually the appropriate default roles.
Review the System Security Plan for remote applications that access and use the database. For each remote application or application server, determine whether communications between it and the DBMS are encrypted. If any are not encrypted, this is a finding.
Configure communications between the DBMS and remote applications/application servers to use DoD-approved encryption.
The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility. Run this query: select value from v$parameter where name = 'job_queue_processes'; Run this query: select value from all_scheduler_global_attribute where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES'; To understand the relationship between these settings, review: https://docs.oracle.com/database/121/ADMIN/appendix_a.htm#ADMIN11002 Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a finding. Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions. Run this query: select job, next_date, next_sec, failures, broken from dba_jobs; Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue. Run this query: select owner, job_name, state, job_class, job_type, job_action from dba_scheduler_jobs;
Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions. Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.) Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions. Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.
From SQL*Plus: select db_link||': '||host from dba_db_links; If no links are returned, this check is not a finding. Review documentation for definitions of authorized database links to external interfaces. The documentation should include: - Any remote access to the database - The purpose or function of the remote connection - Any access to data or procedures stored externally to the local DBMS - Any network ports or protocols used by remote connections, whether the remote connection is to a production, test, or development system - Any security accounts used by DBMS to access remote resources or objects If any unauthorized database links are defined or the definitions do not match the documentation, this is a finding. Note: findings for production-development links under this check are assigned to the production database only. If any database links are defined between the production database and any test or development databases, this is a finding. If remote interface documentation does not exist or is incomplete, this is a finding.
Document all remote or external interfaces used by the DBMS to connect to or allow connections from remote or external sources. Include with the documentation as appropriate, any network ports or protocols, security accounts, and the sensitivity of any data exchanged. Do not define or configure database links between production databases and test or development databases. Note: Oracle Database Advanced Replication is deprecated in Oracle Database 12c. Use Oracle GoldenGate to replace all features of Advanced Replication, including multimaster replication, updatable materialized views, hierarchical materialized views, and deployment templates.
If the database being reviewed is a production database, this check is not a finding. Review policy, procedures and restrictions for data imports of production data containing sensitive information into development databases. If data imports of production data are allowed, review procedures for protecting any sensitive data included in production exports. If sensitive data is included in the exports and no procedures are in place to remove or modify the data to render it not sensitive prior to import into a development database or policy and procedures are not in place to ensure authorization of development personnel to access sensitive information contained in production data, this is a finding.
Develop, document and implement policy, procedures and restrictions for production data import. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of import policies, procedures and restrictions. Restrict permissions of development personnel requiring use or access to production data imported into development databases containing sensitive information to authorized users. Implement policy and procedures to modify or remove sensitive information in production exports prior to import into development databases.
Run the query: select property_name, property_value from database_properties where property_name in ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE'); If either value is set to SYSTEM, this is a finding. Run the query: select username from dba_users where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM') and username not in ('LBACSYS','OUTLN','SYS','SYSTEM', 'SYSKM', 'SYSDG', 'SYSBACKUP'); If any non-default account records are returned, this is a finding.
Create and dedicate tablespaces to support only one application. Do not share tablespaces between applications. Do not grant quotas to application object owners on tablespaces not dedicated to their associated application. Run the queries: alter database default tablespace <tablespace_name>; alter database default temporary tablespace <temporary_tablespace_name>; alter user <username> default tablespace <tablespace_name> temporary tablespace <temporary_tablespace_name>; Replace <username> with the named user account. Replace <tablespace_name> with the new default tablespace name. Replace <temporary_tablespace_name> with the new default temporary tablespace name (typically TEMP). Repeat the "alter user" for each affected user account.
Run the SQL query: select distinct owner, tablespace_name from dba_SEGMENTS where owner not in (<list of non-applicable accounts>) order by tablespace_name; (With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.) Review the list of returned table owners with the tablespace used. If any of the owners listed are not default Oracle accounts and use the SYSTEM or any other tablespace not dedicated for the application’s use, this is a finding. Look for multiple applications that may share a tablespace. If no records were returned, ask the DBA if any applications use this database. If no applications use the database, this is not a finding. If there are applications that do use the database or if the application uses the SYS or other default account and SYSTEM tablespace to store its objects, this is a finding.
Create and assign dedicated tablespaces for the storage of data by each application using the CREATE TABLESPACE command.
From SQL*Plus: select log_mode from v$database; select value from v$parameter where name = 'log_archive_dest'; select value from v$parameter where name = 'log_archive_duplex_dest'; select name, value from v$parameter where name LIKE 'log_archive_dest_%'; select value from v$parameter where name = 'db_recovery_file_dest'; If the value returned for LOG_MODE is NOARCHIVELOG, this check is not a finding. If a value is not returned for LOG_ARCHIVE_DEST and no values are returned for any of the LOG_ARCHIVE_DEST_[1-10] parameters, and no value is returned for DB_RECOVERY_FILE_DEST, this is a finding. Note: LOG_ARCHIVE_DEST and LOG_ARCHIVE_DUPLEX_DEST are incompatible with the LOG_ARCHIVE_DEST_n parameters, and must be defined as the null string (' ') when any LOG_ARCHIVE_DEST_n parameter has a value other than a null string. On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory paths listed from the above SQL statements for log_archive_dest and log_archive_duplex_dest. If permissions are granted for world access, this is a finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a finding.
Specify a valid and protected directory for archive log files. Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.
From SQL*Plus: select value from v$parameter where name = '_trace_files_public'; If the value returned is TRUE, this is a finding. If the parameter does not exist or is set to FALSE, this is not a finding.
From SQL*Plus (shutdown database instance): shutdown immediate From SQL*Plus (create a pfile from spfile): create pfile='[PATH]init[SID].ora' from spfile; Edit the init[SID].ora file and remove the following line: *._trace_files_public=TRUE From SQL*Plus (update the spfile using the pfile): create spfile from pfile='[PATH]init[SID].ora'; From SQL*Plus (start the database instance): startup Note: [PATH] depends on the platform (Windows or UNIX). Ensure the file is directed to a writable location. [SID] is equal to the oracle SID or database instance ID.
If the DBMS or DBMS host is not shared by production and development activities, this check is not a finding. Review OS DBA group membership. If any developer accounts, as identified in the System Security Plan, have been assigned DBA privileges, this is a finding. Note: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installation meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with the AO.
Create separate DBMS host OS groups for developer and production DBAs. Do not assign production DBA OS group membership to accounts used for development. Remove development accounts from production DBA OS group membership. Recommend establishing a dedicated DBMS host for production DBMS installations. A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.
Review documented and implemented procedures for monitoring the use of the DBMS software installation account in the System Security Plan. If use of this account is not monitored or procedures for monitoring its use do not exist or are incomplete, this is a finding. Note: On Windows systems, The Oracle DBMS software is installed using an account with administrator privileges. Ownership should be reassigned to a dedicated OS account used to operate the DBMS software. If monitoring does not include all accounts with administrator privileges on the DBMS host, this is a finding.
Develop, document and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account. Host system audit logs should be included in the DBMS account usage log along with an indication of the person who accessed the account and an explanation for the access. Ensure all accounts with administrator privileges are monitored for DBMS host on Windows OS platforms.
Review the disk/directory specification where database data, transaction log and audit files are stored. If DBMS data, transaction log or audit data files are stored in the same directory, this is a finding. If multiple applications are accessing the database and the database data files are stored in the same directory, this is a finding. If multiple applications are accessing the database and database data is separated into separate physical directories according to application, this check is not a finding.
Specify dedicated host system disk directories to store database data, transaction and audit files. Example directory structure: /*/app/oracle/oradata/db_name /*/app/oracle/admin/db_name/arch/* /*/app/oracle/oradata/db_name/audit /*/app/oracle/fast_recovery_area/db_name/ See Oracle Optimal Flexible Architecture: https://docs.oracle.com/database/121/LADBI/appendix_ofa.htm#LADBI7921 When multiple applications are accessing a single database, configure DBMS default file storage according to application to use dedicated disk directories. /*/app/oracle/oradata/db_name/app_name See Oracle Optimal Flexible Architecture: https://docs.oracle.com/database/121/LADBI/appendix_ofa.htm#LADBI7921
If Standard Auditing is used: From SQL*Plus: select value from v$parameter where name = 'audit_trail'; select value from v$parameter where name = 'audit_file_dest'; If audit_trail is NOT set to OS, XML or XML EXTENDED, this is not applicable (NA). If audit_trail is set to OS, but the audit records are routed directly to a separate log server without writing to the local file system, this is not a finding. On UNIX Systems: ls -ld [pathname] Replace [pathname] with the directory path listed from the above SQL command for audit_file_dest. If permissions are granted for world access, this is a finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a finding. Compare path to $ORACLE_HOME. If audit_file_dest is a subdirectory of $ORACLE_HOME, this is a finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. On Windows hosts, records are also written to the Windows application event log. The location of the application event log is listed under Properties for the log under the Windows console. The default location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt. If permissions are granted to everyone, this is a finding. If any accounts other than the Administrators, DBAs, System group, auditors or backup operators are listed, this is a finding. Compare path to %ORACLE_HOME%. If audit_file_dest is a subdirectory of %ORACLE_HOME%, this is a finding. If Unified Auditing is used: AUDIT_FILE_DEST parameter is not used in Unified Auditing
For file-based auditing, establish an audit file directory separate from the Oracle Home. Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle process and software owner accounts, DBAs, backup accounts, SAs (if required), and auditors. Authorize and document user access requirements to the directory outside of the Oracle, DBA, and SA account list in the System Security Plan.
For UNIX Systems: log on using the Oracle software owner account and enter the command: umask If the value returned is 022 or more restrictive, this is not a finding. If the value returned is less restrictive than 022, this is a finding. The first number sets the mask for user/owner file permissions. The second number sets the mask for group file permissions. The third number sets file permission mask for other users. The list below shows the available settings: 0 = read/write/execute 1 = read/write 2 = read/execute 3 = read 4 = write/execute 5 = write 6 = execute 7 = no permissions Setting the umask to 022 effectively sets files for user/owner to read/write, group to read and other to read. Directories are set for user/owner to read/write/execute, group to read/execute and other to read/execute. For Windows Systems: Review the permissions that control access to the Oracle installation software directories (e.g. \Program Files\Oracle\). DBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts if access by them is required for some operational level of support such as backups, and the host system itself require access. Compare the access control employed with that documented in the System Security Plan. If access controls do not match the documented requirement, this is a finding. If access controls appear excessive without justification, this is a finding.
For UNIX Systems: Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account: env | grep -i shell Startup files for each shell are as follows (located in users $HOME directory): C-Shell (CSH) = .cshrc Bourne Shell (SH) = .profile Korn Shell (KSH) = .kshrc TC Shell (TCS) = .tcshrc BASH Shell = .bash_profile or .bashrc Edit the shell startup file for the account and add or modify the line: umask 022 Log off and logon, then enter the umask command to confirm the setting. Note: To effect this change for all Oracle processes, a reboot of the DBMS server may be required. For Windows Systems: Restrict access to the DBMS software libraries to the fewest accounts that clearly require access based on job function. Document authorized access controls and justify any access grants that do not fall under DBA, DBMS process, ownership, or SA accounts.
If a review of the System Security Plan confirms the use of replication is not required, not permitted and the database is not configured for replication, this check is not a finding. If any replication accounts are assigned DBA roles or roles with DBA privileges, this is a finding.
Restrict privileges assigned to replication accounts to the fewest possible privileges. Remove DBA roles from replication accounts. Create and use custom replication accounts assigned least privileges for supporting replication operations.
IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager or by an external network device. Identify the method used to enforce address restriction (interview or System Security Plan review). If enforced by the database listener, then review the SQLNET.ORA file located in the ORACLE_HOME/network/admin directory (note: this assumes that a single sqlnet.ora file, in the default location, is in use; please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files) or the directory indicated by the TNS_ADMIN environment variable or registry setting. If the following entries do not exist, then restriction by IP address is not configured and is a finding. tcp.validnode_checking=YES tcp.invited_nodes=(IP1, IP2, IP3) If enforced by an Oracle Connection Manager, then review the CMAN.ORA file for the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin directory for the connection manager). If a RULE entry allows all addresses ("/32") or does not match the address range specified in the System Security Plan, this is a finding. (rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept)) Note: an IP address with a "/" indicates acceptance by subnet mask where the number after the "/" is the left most number of bits in the address that must match for the rule to apply. If this rule is database-specific, then determine if the SERVICE_NAMES parameter is set: From SQL*PLUS: select value from v$parameter where name = 'service_names'; If SERVICE_NAMES is set in the initialization file for the database instance, use (srv=[service name]), else, use (srv=*) if not set or rule applies to all databases on the DBMS server. If network access restriction is performed by an external device, validate ACLs are in place to prohibit unauthorized access to the DBMS. To do this, find the IP address of the database server (destination address) and source address (authorized IPs) in the System Security Plan. Confirm only authorized IPs from the System Security Plan are allowed access to the DBMS.
Configure the database listener to restrict access by IP address or set up an external device to restrict network access to the DBMS.
For Unified or mixed auditing, from SQL*Plus: Select count(*) from audit_unified_enabled_policies where entity_name = 'SYS'; If the count is less than one row, this is a finding. For Standard auditing, from SQL*Plus: Select value from v$parameter where name = 'audit_sys_operations'; If the value returned is FALSE, this is a finding.
For Standard auditing, from SQL*Plus: alter system set audit_sys_operations = TRUE scope = spfile; The above SQL*Plus command will set the parameter to take effect at next system startup. If Unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For additional information on creating audit policies, refer to the Oracle Database Security Guide http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDGBAAC
If no data has been identified as being sensitive or classified in the system documentation, this is not a finding. If security labeling is not required, this is not a finding. If Standard Auditing is used, run the SQL query: select * from dba_sa_audit_options; If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data including changes to security label assignment, enter the following SQL*Plus command: SELECT 'Changes to security label assignment is not being audited. ' FROM dual WHERE (SELECT Count(*) FROM (select policy_name , audit_option from audit_unified_policies WHERE audit_option = 'ALL' AND audit_option_type = 'OLS ACTION' AND policy_name in (select policy_name from audit_unified_enabled_policies where user_name='ALL USERS'))) = 0 OR (SELECT value FROM v$option WHERE parameter = 'Unified Auditing') != 'TRUE'; If Oracle returns "no rows selected", this is not a finding. To confirm that Oracle audit is capturing sufficient information to establish that changes to classification labels are being audited, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no ACTION#, or the wrong value, is returned for the auditable actions, this is a finding.
Define the policy for auditing changes to security labels defined for the data. Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy. If using Standard Auditing: If there is no Unified Auditing policy deployed to audit changes to security labels, the create one using the following syntax: SA_AUDIT_ADMIN.AUDIT ( policy_name IN VARCHAR2, users IN VARCHAR2 DEFAULT NULL, audit_option IN VARCHAR2 DEFAULT NULL, audit_type IN VARCHAR2 DEFAULT NULL, success IN VARCHAR2 DEFAULT NULL); For additional information on creating audit policies, refer to the Oracle Database Security Guide http://docs.oracle.com/database/121/OLSAG/packages.htm#i1011868 If Unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. Reference V-61625 for information on how to configure a policy to audit changes to security label assignments. For additional information on creating audit policies, refer to the Oracle Database Security Guide http://docs.oracle.com/database/121/DBSEG/audit_config.htm#CHDGBAAC
From SQL*Plus: select value from v$parameter where name = 'global_names'; If the value returned is FALSE, this is a finding.
From SQL*Plus: alter system set global_names = TRUE scope = spfile; Note: This parameter, if changed, will affect all currently defined Oracle database links. The above SQL*Plus command will set the parameter to take effect at next system startup.
From SQL*Plus: select value from v$parameter where name='diagnostic_dest'; On UNIX Systems: ls -ld [pathname]/diag Substitute [pathname] with the directory path listed from the above SQL command, and append "/diag" to it, as shown. If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the \diag directory under the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.
Alter host system permissions to the <DIAGNOSTIC_DEST>/diag directory to the Oracle process and software owner accounts, DBAs, SAs (if required) and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list.
View the cman.ora file in the ORACLE_HOME/network/admin directory. If the file does not exist, the database is not accessed via Oracle Connection Manager and this check is not a finding. If the entry and value for REMOTE_ADMIN is not listed or is not set to a value of NO (REMOTE_ADMIN = NO), this is a finding.
View the cman.ora file in the ORACLE_HOME/network/admin directory of the Connection Manager. Include the following line in the file: REMOTE_ADMIN = NO
Note: The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated in Oracle Database 12c. This parameter has been replaced with two new Oracle Net Services parameters: SQLNET.ALLOWED_LOGON_VERSION_SERVER SQLNET.ALLOWED_LOGON_VERSION_CLIENT View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable. (Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) Locate the following entries: SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12 SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12 If the parameters do not exist, this is a finding. If the parameters are not set to a value of 12 or 12a, this is a finding. Note: Attempting to connect with a client version lower than specified in these parameters may result in a misleading error: ORA-01017: invalid username/password: logon denied
Edit the SQLNET.ORA file to add or edit the entries: SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12 SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 12 Set the value to 12 or higher. Valid values for SQLNET.ALLOWED_LOGON_VERSION_SERVER are: 12 and 12a Valid values for SQLNET.ALLOWED_LOGON_VERSION_CLIENT are: 12 and 12a For more information on sqlnet.ora parameters refer to the following document: "Database Net Services Reference" http://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF006 For more information on configuring authentication refer to the following document: "Oracle Database 12C Password Version Configuration Guidelines" https://docs.oracle.com/database/121/DBSEG/authentication.htm#GUID-E6EE45DD-1E3B-4028-B8DE-65D6AA373821
Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS’s private key. If strong access controls do not exist to enforce authorized access to the private key, this is a finding. - - - - - The database supports authentication by using digital certificates over TLS in addition to the native encryption and data integrity capabilities of these protocols. An Oracle Wallet is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by TLS. In an Oracle environment, every entity that communicates over TLS must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates, with the exception of Diffie-Hellman. If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries, TLS is installed. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = DIRECTORY=/wallet) SSL_CIPHER_SUITES=(SSL_cipher_suiteExample) SSL_VERSION = 1.2 SSL_CLIENT_AUTHENTICATION=FALSE/TRUE
Implement strong access and authentication controls to protect the database’s private key. Configure the database to support Transport Layer Security (TLS) protocols and the Oracle Wallet to store authentication and signing credentials, including private keys.
Retrieve the settings for concurrent sessions for each profile with the query: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'SESSIONS_PER_USER'; If the DBMS settings for concurrent sessions for each profile are greater than the site-specific maximum number of sessions, this is a finding.
Limit concurrent connections for each system account to a number less than or equal to the organization-defined number of sessions using the following SQL. Create profiles that conform to the requirements. Assign users to the appropriate profile. The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity. The defaults for ORA_STIG_PROFILE are set as follows: Resource Name Limit ------------- ------ COMPOSITE_LIMIT DEFAULT SESSIONS_PER_USER DEFAULT CPU_PER_SESSION DEFAULT CPU_PER_CALL DEFAULT LOGICAL_READS_PER_SESSION DEFAULT LOGICAL_READS_PER_CALL DEFAULT IDLE_TIME 15 CONNECT_TIME DEFAULT PRIVATE_SGA DEFAULT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 60 PASSWORD_REUSE_TIME 365 PASSWORD_REUSE_MAX 10 PASSWORD_VERIFY_FUNCTION ORA12C_STRONG_VERIFY_FUNCTION PASSWORD_LOCK_TIME UNLIMITED PASSWORD_GRACE_TIME 5 Change the value of SESSIONS_PER_USER (along with the other parameters, where relevant) from UNLIMITED to DoD-compliant, site-specific requirements and then assign users to the profile. ALTER PROFILE ORA_STIG_PROFILE LIMIT SESSIONS_PER_USER <site-specific value>; To assign the user to the profile do the following: ALTER USER <username> PROFILE ORA_STIG_PROFILE;
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. If an Oracle feature/product, an OS feature, a third-party product, or custom code is used to automate account management, this is not a finding. Determine what is the site-defined definition of an acceptably small level of manual account-management activity. If the site has established the definition, documented it, and obtained ISSO-ISSM-AO approval, use that definition. If not, use the following rule of thumb as the definition: No more than 12 such accounts exist or are expected to exist; no more than 100 manual account-management actions (account creation, modification, locking, unlocking, removal, etc.) are expected to occur in the course of a year. If the amount of account management activity is small, as defined in the preceding paragraph, this is not a finding. Otherwise, this is a finding.
Utilize an Oracle feature/product, an OS feature, a third-party product, or custom code to automate some or all account maintenance functionality. - - - - - Roles and Profiles are two Oracle features that should be employed in account management. (Indeed, other requirements mandate the use of Roles.) The following are notes from Oracle on the use of Profiles: A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user. You can assign a profile to each user, and a default profile to all others. Each user can have only one profile, and creating a new one supersedes any earlier one. Profile resource limits are enforced only when you enable resource limitation for the associated database. Enabling such limitation can occur either before starting up the database (the RESOURCE_LIMIT initialization parameter) or while it is open (using an ALTER SYSTEM statement). While password parameters reside in profiles, they are unaffected by RESOURCE_LIMIT or ALTER SYSTEM and password management is always enabled.
Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding. The easiest way to isolate access is by using the Oracle Database Vault. To check to see if the Oracle Database Vault is installed, issue the following query: SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault'; If Oracle Database Vault is installed, review its settings for appropriateness and completeness of the access it permits and denies to each type of user. If appropriate and complete, this is not a finding. If Oracle Database Vault is not installed, review the roles and profiles in the database and the assignment of users to these for appropriateness and completeness of the access permitted and denied each type of user. If appropriate and complete, this is not a finding. If the access permitted and denied each type of user is inappropriate or incomplete, this is a finding. Following are code examples for reviewing roles, profiles, etc. Find out what role the users have: select * from dba_role_privs where granted_role = '<role>' List all roles given to a user: select * from dba_role_privs where grantee = '<username>'; List all roles for all users: column grantee format a32 column granted_role format a32 break on grantee select grantee, granted_role from dba_role_privs; Use the following query to list all privileges given to a user: select lpad(' ', 2*level) || granted_role "User roles and privileges" from ( /* THE USERS */ select null grantee, username granted_role from dba_users where username like upper('<enter_username>') /* THE ROLES TO ROLES RELATIONS */ union select grantee, granted_role from dba_role_privs /* THE ROLES TO PRIVILEGE RELATIONS */ union select grantee, privilege from dba_sys_privs ) start with grantee is null connect by grantee = prior granted_role; List which tables a certain role gives SELECT access to using the query: select * from role_tab_privs where role='<role>' and privilege = 'SELECT'; List all tables a user can SELECT from using the query: select * from dba_tab_privs where GRANTEE ='<username>' and privilege = 'SELECT'; List all users who can SELECT on a particular table (either through being given a relevant role or through a direct grant - e.g., grant select on a table to Joe). The result of this query should also show through which role the user has this access or whether it was a direct grant. select Grantee,'Granted Through Role' as Grant_Type, role, table_name from role_tab_privs rtp, dba_role_privs drp where rtp.role = drp.granted_role and table_name = '<TABLENAME>' union select Grantee, 'Direct Grant' as Grant_type, null as role, table_name from dba_tab_privs where table_name = '<TABLENAME>';
If Oracle Database Vault is in use, use it to configure the correct access privileges for each type of user. If Oracle Database Vault is not in use, configure the correct access privileges for each type of user using Roles and Profiles. Do not assign privileges directly to users, except for those that Oracle does not permit to be assigned via roles. For more information on the configuration of Database Vault, refer to the Database Vault Administrator's Guide: https://docs.oracle.com/database/121/DVADM/toc.htm
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value 'NONE', this is a finding. To confirm that Oracle audit is capturing information on the required events, review the contents of the SYS.AUD$ table or the audit file, whichever is in use. If auditable events are not listed, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding. To confirm that Oracle audit is capturing information on the required events, review the contents of the SYS.UNIFIED_AUDIT_TRAIL view. If auditable events are not listed, this is a finding.
Configure the DBMS's auditing to audit organization-defined auditable events. If preferred, use a third-party tool. The tool must provide the minimum capability to audit the required events. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the locations below. If Unified Auditing is used: Use this process to ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810 If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the locations above.
Check DBMS settings and documentation to determine whether designated personnel are able to select which auditable events are being audited. If designated personnel are not able to configure auditable events, this is a finding.
Configure the DBMS's settings to allow designated personnel to select which auditable events are audited. Note the following: In Oracle, any user can configure auditing for the objects in his or her own schema by using the AUDIT statement. To undo the audit configuration for an object, the user can use the NOAUDIT statement. No additional privileges are needed to perform this task. To audit objects in another schema, the user must have the AUDIT ANY system privilege. To audit system privileges, the user must have the AUDIT SYSTEM privilege. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241
Check DBMS settings to determine if auditing is being performed on the events on the DoD-selected list of auditable events that lie within the scope of Oracle audit capabilities: - Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels). - Successful and unsuccessful logon attempts, privileged activities or other system-level access - Starting and ending time for user access to the system, concurrent logons from different workstations. - Successful and unsuccessful accesses to objects. - All program initiations. - All account creations, modifications, disabling, and terminations. If auditing is not being performed for any of these events, this is a finding. Notes on Oracle audit capabilities follow. Unified Audit supports named audit policies, which are defined using the CREATE AUDIT POLICY statement. A policy specifies the actions that should be audited and the objects to which it should apply. If no specific objects are included in the policy definition, it applies to all objects. A named policy is enabled using the AUDIT POLICY statement. It can be enabled for all users, for specific users only, or for all except a specified list of users. The policy can audit successful actions, unsuccessful actions, or both. Verifying existing audit policy: existing Unified Audit policies are listed in the view AUDIT_UNIFIED_POLICIES. The AUDIT_OPTION column contains one of the actions specified in a CREATE AUDIT POLICY statement. The AUDIT_OPTION_TYPE column contains 'STANDARD ACTION' for a policy that applies to all objects or 'OBJECT ACTION' for a policy that audits actions on a specific object. select POLICY_NAME from SYS.AUDIT_UNIFIED_POLICIES where AUDIT_OPTION='GRANT' and AUDIT_OPTION_TYPE='STANDARD ACTION'; To find policies that audit privilege grants on specific objects: select POLICY_NAME,OBJECT_SCHEMA,OBJECT_NAME from SYS.AUDIT_UNIFIED_POLICIES where AUDIT_OPTION='GRANT' and AUDIT_OPTION_TYPE='OBJECT ACTION'; The view AUDIT_UNIFIED_ENABLED_POLICIES shows which Unified Audit policies are enabled. The ENABLED_OPT and USER_NAME columns show the users for whom the policy is enabled or 'ALL USERS'. The SUCCESS and FAILURE columns indicate if the policy is enabled for successful or unsuccessful actions, respectively. select POLICY_NAME,ENABLED_OPT,USER_NAME,SUCCESS,FAILURE from SYS.AUDIT_UNIFIED_ENABLED_POLICIES where POLICY_NAME='POLICY1';
Configure the DBMS's auditing settings to include auditing of events on the DoD-selected list of auditable events. 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels) To audit granting and revocation of any privilege: create audit policy policy1 actions grant; create audit policy policy2 actions revoke; To audit grants of object privileges on a specific object: create audit policy policy3 actions grant on <schema>.<object>; If Oracle Label Security is enabled, this will audit all OLS administrative actions: create audit policy policy4 actions component = OLS all; 2) Successful and unsuccessful logon attempts, privileged activities or other system-level access To audit all user logon attempts: create audit policy policy5 actions logon; To audit only logon attempts using administrative privileges (e.g. AS SYSDBA): audit policy policy5 by SYS, SYSOPER, SYSBACKUP, SYSDG, SYSKM; 3) Starting and ending time for user access to the system, concurrent logons from different workstations This policy will audit all logon and logoff events. An individual session is identified in the UNIFIED_AUDIT_TRAIL by the tuple (DBID, INSTANCE_ID, SESSIONID) and the start and end time will be indicated by the EVENT_TIMESTAMP of the logon and logoff events: create audit policy policy6 actions logon, logoff; 4) Successful and unsuccessful accesses to objects To audit all accesses to a specific table: create audit policy policy7 actions select, insert, delete, alter on <schema>.<object>; Different actions are defined for other object types. To audit all supported actions on a specific object: create audit policy policy8 actions all on <schema>.<object>; 5) All program initiations To audit execution of any PL/SQL program unit: create audit policy policy9 actions EXECUTE; To audit execution of a specific function, procedure, or package: create audit policy policy10 actions EXECUTE on <schema>.<object>; 6) All direct access to the information system [Not applicable to Database audit. Monitor using OS auditing.] 7) All account creations, modifications, disabling, and terminations To audit all user administration actions: create audit policy policy11 actions create user, alter user, drop user, change password; 8) All kernel module loads, unloads, and restarts [Not applicable to Database audit. Monitor using OS auditing.] 9) All database parameter changes To audit any database parameter changes, dynamic or static: create audit policy policy12 actions alter database, alter system, create spfile; Applying the Policy The following command will enable the policy in all database sessions and audit both successful and unsuccessful actions: audit policy policy1; To audit only unsuccessful actions, add the WHENEVER NOT SUCCESSFUL modifier: audit policy policy1 whenever not successful; Either command above can be limited to only database sessions started by a specific user as follows: audit policy policy1 by <user>; audit policy policy1 by <user> whenever not successful;
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value "NONE", this is a finding. To confirm that Oracle audit is capturing sufficient information to establish the identity of the user/subject or process, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If no ACTION#, or the wrong value, is returned for the auditable actions just performed, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding. To confirm that Oracle audit is capturing sufficient information to establish the identity of the user/subject or process, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no ACTION_NAME, or the wrong value, is returned for the auditable actions just performed, this is a finding.
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include what type of event occurred. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If Unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value 'NONE', this is a finding. To confirm that Oracle audit is capturing sufficient information to establish when events occurred, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no timestamp, or the wrong value, is returned for the auditable actions just performed, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding. To confirm that Oracle audit is capturing sufficient information to establish when events occurred, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If no timestamp, or the wrong value, is returned for the auditable actions just performed, this is a finding.
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include the date and time of any user/subject or process associated with the event. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value 'NONE', this is a finding. To confirm that Oracle audit is capturing sufficient information to establish where events occurred, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If no DB ID or Object Creator (standard audit) or Object Schema (unified audit) or Object Name, or the wrong values, are returned for the auditable actions just performed, this is a finding. If no DB ID or OBJ$CREATOR or the wrong values, are returned for the auditable actions just performed, this is a finding. If correct values for USERHOST and TERMINAL are not returned when applicable, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding. To confirm that Oracle audit is capturing sufficient information to establish where events occurred, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no DBID or OBJECT_SCHEMA or OBJECT_NAME, or the wrong values, are returned for the auditable actions just performed, this is a finding. If correct values for USERHOST and TERMINAL are not returned when applicable, this is a finding. For Unified Auditing, the following view can be useful for reviewing its output: CREATE OR REPLACE FORCE VIEW SYS.UNIFIED_AUDIT_TRAIL ( AUDIT_TYPE, SESSIONID, PROXY_SESSIONID, OS_USERNAME, USERHOST, TERMINAL, INSTANCE_ID, DBID, AUTHENTICATION_TYPE, DBUSERNAME, DBPROXY_USERNAME, EXTERNAL_USERID, GLOBAL_USERID, CLIENT_PROGRAM_NAME, DBLINK_INFO, XS_USER_NAME, XS_SESSIONID, ENTRY_ID, STATEMENT_ID, EVENT_TIMESTAMP, ACTION_NAME, RETURN_CODE, OS_PROCESS, TRANSACTION_ID, SCN, EXECUTION_ID, OBJECT_SCHEMA, OBJECT_NAME, SQL_TEXT, SQL_BINDS, APPLICATION_CONTEXTS, CLIENT_IDENTIFIER, NEW_SCHEMA, NEW_NAME, OBJECT_EDITION, SYSTEM_PRIVILEGE_USED, SYSTEM_PRIVILEGE, AUDIT_OPTION, OBJECT_PRIVILEGES, ROLE, TARGET_USER, EXCLUDED_USER, EXCLUDED_SCHEMA, EXCLUDED_OBJECT, ADDITIONAL_INFO, UNIFIED_AUDIT_POLICIES, FGA_POLICY_NAME, XS_INACTIVITY_TIMEOUT, XS_ENTITY_TYPE, XS_TARGET_PRINCIPAL_NAME, XS_PROXY_USER_NAME, XS_DATASEC_POLICY_NAME, XS_SCHEMA_NAME, XS_CALLBACK_EVENT_TYPE, XS_PACKAGE_NAME, XS_PROCEDURE_NAME, XS_ENABLED_ROLE, XS_COOKIE, XS_NS_NAME, XS_NS_ATTRIBUTE, XS_NS_ATTRIBUTE_OLD_VAL, XS_NS_ATTRIBUTE_NEW_VAL, DV_ACTION_CODE, DV_ACTION_NAME, DV_EXTENDED_ACTION_CODE, DV_GRANTEE, DV_RETURN_CODE, DV_ACTION_OBJECT_NAME, DV_RULE_SET_NAME, DV_COMMENT, DV_FACTOR_CONTEXT, DV_OBJECT_STATUS, OLS_POLICY_NAME, OLS_GRANTEE, OLS_MAX_READ_LABEL, OLS_MAX_WRITE_LABEL, OLS_MIN_WRITE_LABEL, OLS_PRIVILEGES_GRANTED, OLS_PROGRAM_UNIT_NAME, OLS_PRIVILEGES_USED, OLS_STRING_LABEL, OLS_LABEL_COMPONENT_TYPE, OLS_LABEL_COMPONENT_NAME, OLS_PARENT_GROUP_NAME, OLS_OLD_VALUE, OLS_NEW_VALUE, RMAN_SESSION_RECID, RMAN_SESSION_STAMP, RMAN_OPERATION, RMAN_OBJECT_TYPE, RMAN_DEVICE_TYPE, DP_TEXT_PARAMETERS1, DP_BOOLEAN_PARAMETERS1, DIRECT_PATH_NUM_COLUMNS_LOADED ) AS SELECT act.component, sessionid, proxy_sessionid, os_user, host_name, terminal, instance_id, dbid, authentication_type, userid, proxy_userid, external_userid, global_userid, client_program_name, dblink_info, xs_user_name, xs_sessionid, entry_id, statement_id, CAST (event_timestamp AS TIMESTAMP WITH LOCAL TIME ZONE), act.name, return_code, os_process, transaction_id, scn, execution_id, obj_owner, obj_name, sql_text, sql_binds, application_contexts, client_identifier, new_owner, new_name, object_edition, system_privilege_used, spx.name, aom.name, object_privileges, role, target_user, excluded_user, excluded_schema, excluded_object, additional_info, unified_audit_policies, fga_policy_name, xs_inactivity_timeout, xs_entity_type, xs_target_principal_name, xs_proxy_user_name, xs_datasec_policy_name, xs_schema_name, xs_callback_event_type, xs_package_name, xs_procedure_name, xs_enabled_role, xs_cookie, xs_ns_name, xs_ns_attribute, xs_ns_attribute_old_val, xs_ns_attribute_new_val, dv_action_code, dv_action_name, dv_extended_action_code, dv_grantee, dv_return_code, dv_action_object_name, dv_rule_set_name, dv_comment, dv_factor_context, dv_object_status, ols_policy_name, ols_grantee, ols_max_read_label, ols_max_write_label, ols_min_write_label, ols_privileges_granted, ols_program_unit_name, ols_privileges_used, ols_string_label, ols_label_component_type, ols_label_component_name, ols_parent_group_name, ols_old_value, ols_new_value, rman_session_recid, rman_session_stamp, rman_operation, rman_object_type, rman_device_type, dp_text_parameters1, dp_boolean_parameters1, direct_path_num_columns_loaded FROM gv$unified_audit_trail uview, all_unified_audit_actions act, system_privilege_map spx, stmt_audit_option_map aom WHERE uview.action = act.action(+) AND -uview.system_privilege = spx.privilege(+) AND uview.audit_option = aom.option#(+) AND uview.audit_type = act.TYPE;
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include where the event occurred. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If Unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value 'NONE', this is a finding. To confirm that Oracle audit is capturing sufficient information to establish the source of events, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If correct values for User ID, User Host, and Terminal are not returned when applicable, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding. To confirm that Oracle audit is capturing sufficient information to establish the source of events, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If correct values for DBUSERNAME, USERHOST, and TERMINAL are not returned when applicable, this is a finding.
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include the source of the event. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If Unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value 'NONE', this is a finding. To confirm that Oracle audit is capturing sufficient information to establish outcomes, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If no return code or other outcome information is returned for the auditable action just performed, this is a finding. If error is indicated for the successful action, this is a finding. If no error is indicated for the unsuccessful action, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding To confirm that Oracle audit is capturing sufficient information to establish outcomes, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view. If no return code or other outcome information is returned for the auditable action just performed, this is a finding. If error is indicated for the successful action, this is a finding. If no error is indicated for the unsuccessful action, this is a finding.
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include the outcome. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns a value something other than "TRUE", this is a finding To confirm that Oracle audit is capturing sufficient information to establish the identity of the user/subject or process, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.AUD$ table or the audit file, whichever is in use. If no user ID, or the wrong value, is returned for the auditable actions just performed, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns the value "TRUE", this is not a finding. To confirm that Oracle audit is capturing sufficient information to establish the identity of the user/subject or process, perform a successful auditable action and an auditable action that results in an SQL error, and then view the results in the SYS.UNIFIED_AUDIT_TRAIL view, whichever is in use. If no user ID, or the wrong value, is returned for the auditable actions just performed, this is a finding.
Configure the DBMS's auditing to audit standard and organization-defined auditable events, the audit record to include the identity of any user/subject or process associated with the event. If preferred, use a third-party or custom tool. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If unified Auditing is used: To ensure auditable events are captured: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810 http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Verify, using vendor and system documentation if necessary, that the DBMS is configured to use Oracle's auditing features, or that a third-party product or custom code is deployed and configured to satisfy this requirement. If a third-party product or custom code is used, compare its current configuration with the audit requirements. If any of the requirements is not covered by the configuration, this is a finding. The remainder of this Check is applicable specifically where Oracle auditing is in use. If Standard Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns a value something other than "TRUE", this is a finding Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements. If it does, this is not a finding. Compare those organization-defined auditable events that are not covered by the standard auditing, with the existing Fine-Grained Auditing (FGA) specifications returned by the following query: SELECT * FROM SYS.DBA_FGA_AUDIT_TRAIL; If any such auditable event is not covered by the existing FGA specifications, this is a finding. If Unified Auditing is used: To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns the value "TRUE", this is not a finding. Compare the organization-defined auditable events with the Oracle documentation to determine whether standard auditing covers all the requirements. If it does, this is not a finding. Compare those organization-defined auditable events that are not covered by unified auditing with the existing Fine-Grained Auditing (FGA) specifications returned by the following query: SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit'; If any such auditable event is not covered by the existing FGA specifications, this is a finding.
Either configure the DBMS's auditing to audit organization-defined auditable events, or, if preferred, use a third-party or custom tool. The tool must provide the minimum capability to audit the required events. If using a third-party product, proceed in accordance with the product documentation. If using Oracle's capabilities, proceed as follows. If Standard Auditing is used: Use this process to ensure auditable events are captured: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be "OS", "DB", "DB,EXTENDED", "XML" or "XML,EXTENDED". After executing this statement, it may be necessary to shut down and restart the Oracle database. If the organization-defined additional audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the location below. If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation, at the location below. If Unified Auditing is used: Use this process to ensure auditable events are captured: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns the value "TRUE", this is not a finding. Otherwise, Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. If the organization-defined additional audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the location below. If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation, at the location below. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810
Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized access. If appropriate controls and permissions do not exist, this is a finding. - - - - - If Standard Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUD$ table. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted OWNER VARCHAR2(30) NOT NULL Owner of the object TABLE_NAME VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where table_name = 'AUD$'; If Unified Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUDSYS tables. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted OWNER VARCHAR2(30) NOT NULL Owner of the object TABLE_NAME VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where owner='AUDSYS';
Add controls and modify permissions to protect database audit log data from unauthorized access, whether stored in the database itself or at the OS level.
Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification. If appropriate controls and permissions do not exist, this is a finding. - - - - - If Standard Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUD$ table. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted VARCHAR2(30) NOT NULL Owner of the object TABLE_NA VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where table_name = 'AUD$'; If Unified Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUDSYS tables. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted OWNER VARCHAR2(30) NOT NULL Owner of the object TABLE_NAME VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where owner='AUDSYS';
Add controls and modify permissions to protect database audit log data from unauthorized modification, whether stored in the database itself or at the OS level. - - - - - If Standard Auditing is used: Revoke access to the AUD$ table to anyone who should not have access to it. In the check we looked for all users who had access to the AUD$ table. To fix this, use the REVOKE command to revoke access to users who should not have access to the audit data. REVOKE statement Use the REVOKE statement to remove permissions from a specific user or from all users to perform actions on database objects. The following types of permissions can be revoked: Delete data from a specific table. Insert data into a specific table. Create a foreign key reference to the named table or to a subset of columns from a table. Select data from a table, view, or a subset of columns in a table. Create a trigger on a table. Update data in a table or in a subset of columns in a table. Run a specified routine (function or procedure). If a user named FRED had access to the AUD$ table and wanting to revoke that access, use the following command. The syntax that would be used for the REVOKE statement for tables is as follows: REVOKE privilege-type ON [ TABLE ] { table-Name | view-Name } FROM grantees SQL>REVOKE SELECT ON TABLE AUD$ FROM FRED; Revoking a privilege without specifying a column list revokes the privilege for all of the columns in the table. Syntax for routines table-privileges include DELETE | INSERT | REFERENCES [column list] | SELECT [column list] | TRIGGER | UPDATE [column list] column list ( column-identifier {, column-identifier}* ) Use the ALL PRIVILEGES privilege type to revoke all of the permissions from the user for the specified table. Can also revoke one or more table privileges by specifying a privilege-list. Use the DELETE privilege type to revoke permission to delete rows from the specified table. Use the INSERT privilege type to revoke permission to insert rows into the specified table. Use the REFERENCES privilege type to revoke permission to create a foreign key reference to the specified table. If a column list is specified with the REFERENCES privilege, the permission is revoked on only the foreign key reference to the specified columns. Use the SELECT privilege type to revoke permission to perform SELECT statements on a table or view. If a column list is specified with the SELECT privilege, the permission is revoked on only those columns. If no column list is specified, then the privilege is valid on all of the columns in the table. Use the TRIGGER privilege type to revoke permission to create a trigger on the specified table. Use the UPDATE privilege type to revoke permission to use the UPDATE statement on the specified table. If a column list is specified, the permission is revoked only on the specified columns. grantees { authorization ID | PUBLIC } [,{ authorization ID | PUBLIC } ] * Can revoke the privileges from specific users or from all users. Use the keyword PUBLIC to specify all users. The privileges revoked from PUBLIC and from individual users are independent privileges. For example, a SELECT privilege on table t is granted to both PUBLIC and to the authorization ID harry. The SELECT privilege is later revoked from the authorization ID 'Harry', but the authorization ID 'Harry' can access the table through the PUBLIC privilege. Restriction: Cannot revoke the privileges of the owner of an object. routine-designator { qualified-name [ signature ] } Cascading object dependencies For views, triggers, and constraints, if the privilege on which the object depends is revoked, the object is automatically dropped. Derby does not try to determine if there are other privileges that can replace the privileges that are being revoked. For more information, see "SQL standard authorization" in the Java DB Developer's Guide. Limitations The following limitations apply to the REVOKE statement: Table-level privileges: All of the table-level privilege types for a specified grantee and table ID are stored in one row in the SYSTABLEPERMS system table. For example, when user2 is granted the SELECT and DELETE privileges on table user1.t1, a row is added to the SYSTABLEPERMS table. The GRANTEE field contains user2 and the TABLEID contains user1.t1. The SELECTPRIV and DELETEPRIV fields are set to Y. The remaining privilege type fields are set to N. When a grantee creates an object that relies on one of the privilege types, the Derby engine tracks the dependency of the object on the specific row in the SYSTABLEPERMS table. For example, user2 creates the view v1 by using the statement SELECT * FROM user1.t1; the dependency manager tracks the dependency of view v1 on the row in SYSTABLEPERMS for GRANTEE(user2), TABLEID(user1.t1). The dependency manager knows only that the view is dependent on a privilege type in that specific row but does not track exactly which privilege type the view is dependent on. When a REVOKE statement for a table-level privilege is issued for a grantee and table ID, all of the objects that are dependent on the grantee and table ID are dropped. For example, if user1 revokes the DELETE privilege on table t1 from user2, the row in SYSTABLEPERMS for GRANTEE(user2), TABLEID(user1.t1) is modified by the REVOKE statement. The dependency manager sends a revoke invalidation message to the view user2.v1, and the view is dropped, even though the view is not dependent on the DELETE privilege for GRANTEE(user2), TABLEID(user1.t1). Column-level privileges: Only one type of privilege for a specified grantee and table ID are stored in one row in the SYSCOLPERMS system table. For example, when user2 is granted the SELECT privilege on table user1.t1 for columns c12 and c13, a row is added to the SYSCOLPERMS. The GRANTEE field contains user2, the TABLEID contains user1.t1, the TYPE field contains S, and the COLUMNS field contains c12, c13. When a grantee creates an object that relies on the privilege type and the subset of columns in a table ID, the Derby engine tracks the dependency of the object on the specific row in the SYSCOLPERMS table. For example, user2 creates the view v1 by using the statement SELECT c11 FROM user1.t1; the dependency manager tracks the dependency of view v1 on the row in SYSCOLPERMS for GRANTEE(user2), TABLEID(user1.t1), TYPE(S). The dependency manager knows that the view is dependent on the SELECT privilege type but does not track exactly which columns the view is dependent on. When a REVOKE statement for a column-level privilege is issued for a grantee, table ID, and type, all of the objects that are dependent on the grantee, table ID, and type are dropped. For example, if user1 revokes the SELECT privilege on column c12 on table user1.t1 from user2, the row in SYSCOLPERMS for GRANTEE(user2), TABLEID(user1.t1), TYPE(S) is modified by the REVOKE statement. The dependency manager sends a revoke invalidation message to the view user2.v1, and the view is dropped, even though the view is not dependent on the column c12 for GRANTEE(user2), TABLEID(user1.t1), TYPE(S). If Unified Auditing is used: Apply the same process used in standard auditing to the tables with AUDSYS as the owner.
Review locations of audit logs, both internal to the database and database audit logs located at the operating system-level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized deletion. If appropriate controls and permissions do not exist, this is a finding. - - - - - If Standard Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUD$ table. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted OWNER VARCHAR2(30) NOT NULL Owner of the object TABLE_NAME VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where table_name = 'AUD$'; If Unified Auditing is used: DBA_TAB_PRIVS describes all object grants in the database. Check to see who has permissions on the AUDSYS tables. Related View DBA_TAB_PRIVS describes the object grants for which the current user is the object owner, grantor, or grantee. Column Datatype NULL Description GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted OWNER VARCHAR2(30) NOT NULL Owner of the object TABLE_NAME VARCHAR2(30) NOT NULL Name of the object GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the GRANT OPTION (YES) or not (NO) HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the HIERARCHY OPTION (YES) or not (NO) COMMON VARCHAR2(3) TYPE VARCHAR2(24) sqlplus connect as sysdba; SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE FROM DBA_TAB_PRIVS where owner='AUDSYS';
Add controls and modify permissions to protect database audit log data from unauthorized deletion, whether stored in the database itself or at the OS-level. - - - - - If Standard Auditing is used: Revoke access to the AUD$ table to anyone who should not have access to it. In the check we looked for all users who had access to the AUD$ table. To fix this, use the REVOKE command to revoke access to users who should not have access to the audit data. REVOKE statement Use the REVOKE statement to remove permissions from a specific user or from all users to perform actions on database objects. The following types of permissions can be revoked: Delete data from a specific table. Insert data into a specific table. Create a foreign key reference to the named table or to a subset of columns from a table. Select data from a table, view, or a subset of columns in a table. Create a trigger on a table. Update data in a table or in a subset of columns in a table. Run a specified routine (function or procedure). If a user named FRED had access to the AUD$ table and wanting to revoke that access, use the following command. The syntax that would be used for the REVOKE statement for tables is as follows: REVOKE privilege-type ON [ TABLE ] { table-Name | view-Name } FROM grantees SQL>REVOKE SELECT ON TABLE AUD$ FROM FRED; Revoking a privilege without specifying a column list revokes the privilege for all of the columns in the table. Syntax for routines table-privileges include DELETE | INSERT | REFERENCES [column list] | SELECT [column list] | TRIGGER | UPDATE [column list] column list ( column-identifier {, column-identifier}* ) Use the ALL PRIVILEGES privilege type to revoke all of the permissions from the user for the specified table. Can also revoke one or more table privileges by specifying a privilege-list. Use the DELETE privilege type to revoke permission to delete rows from the specified table. Use the INSERT privilege type to revoke permission to insert rows into the specified table. Use the REFERENCES privilege type to revoke permission to create a foreign key reference to the specified table. If a column list is specified with the REFERENCES privilege, the permission is revoked on only the foreign key reference to the specified columns. Use the SELECT privilege type to revoke permission to perform SELECT statements on a table or view. If a column list is specified with the SELECT privilege, the permission is revoked on only those columns. If no column list is specified, then the privilege is valid on all of the columns in the table. Use the TRIGGER privilege type to revoke permission to create a trigger on the specified table. Use the UPDATE privilege type to revoke permission to use the UPDATE statement on the specified table. If a column list is specified, the permission is revoked only on the specified columns. grantees { authorization ID | PUBLIC } [,{ authorization ID | PUBLIC } ] * Can revoke the privileges from specific users or from all users. Use the keyword PUBLIC to specify all users. The privileges revoked from PUBLIC and from individual users are independent privileges. For example, a SELECT privilege on table t is granted to both PUBLIC and to the authorization ID harry. The SELECT privilege is later revoked from the authorization ID 'Harry', but the authorization ID 'Harry' can access the table through the PUBLIC privilege. Restriction: Cannot revoke the privileges of the owner of an object. routine-designator { qualified-name [ signature ] } Cascading object dependencies For views, triggers, and constraints, if the privilege on which the object depends is revoked, the object is automatically dropped. Derby does not try to determine if there are other privileges that can replace the privileges that are being revoked. For more information, see "SQL standard authorization" in the Java DB Developer's Guide. Limitations The following limitations apply to the REVOKE statement: Table-level privileges: All of the table-level privilege types for a specified grantee and table ID are stored in one row in the SYSTABLEPERMS system table. For example, when user2 is granted the SELECT and DELETE privileges on table user1.t1, a row is added to the SYSTABLEPERMS table. The GRANTEE field contains user2 and the TABLEID contains user1.t1. The SELECTPRIV and DELETEPRIV fields are set to Y. The remaining privilege type fields are set to N. When a grantee creates an object that relies on one of the privilege types, the Derby engine tracks the dependency of the object on the specific row in the SYSTABLEPERMS table. For example, user2 creates the view v1 by using the statement SELECT * FROM user1.t1; the dependency manager tracks the dependency of view v1 on the row in SYSTABLEPERMS for GRANTEE(user2), TABLEID(user1.t1). The dependency manager knows only that the view is dependent on a privilege type in that specific row but does not track exactly which privilege type the view is dependent on. When a REVOKE statement for a table-level privilege is issued for a grantee and table ID, all of the objects that are dependent on the grantee and table ID are dropped. For example, if user1 revokes the DELETE privilege on table t1 from user2, the row in SYSTABLEPERMS for GRANTEE(user2), TABLEID(user1.t1) is modified by the REVOKE statement. The dependency manager sends a revoke invalidation message to the view user2.v1, and the view is dropped, even though the view is not dependent on the DELETE privilege for GRANTEE(user2), TABLEID(user1.t1). Column-level privileges: Only one type of privilege for a specified grantee and table ID are stored in one row in the SYSCOLPERMS system table. For example, when user2 is granted the SELECT privilege on table user1.t1 for columns c12 and c13, a row is added to the SYSCOLPERMS. The GRANTEE field contains user2, the TABLEID contains user1.t1, the TYPE field contains S, and the COLUMNS field contains c12, c13. When a grantee creates an object that relies on the privilege type and the subset of columns in a table ID, the Derby engine tracks the dependency of the object on the specific row in the SYSCOLPERMS table. For example, user2 creates the view v1 by using the statement SELECT c11 FROM user1.t1; the dependency manager tracks the dependency of view v1 on the row in SYSCOLPERMS for GRANTEE(user2), TABLEID(user1.t1), TYPE(S). The dependency manager knows that the view is dependent on the SELECT privilege type but does not track exactly which columns the view is dependent on. When a REVOKE statement for a column-level privilege is issued for a grantee, table ID, and type, all of the objects that are dependent on the grantee, table ID, and type are dropped. For example, if user1 revokes the SELECT privilege on column c12 on table user1.t1 from user2, the row in SYSCOLPERMS for GRANTEE(user2), TABLEID(user1.t1), TYPE(S) is modified by the REVOKE statement. The dependency manager sends a revoke invalidation message to the view user2.v1, and the view is dropped, even though the view is not dependent on the column c12 for GRANTEE(user2), TABLEID(user1.t1), TYPE(S). If Unified Auditing is used: Apply the same process used in standard auditing to the tables with AUDSYS as the owner.
Review access permissions to tools used to view or modify audit log data. These tools may include the DBMS itself or tools external to the database. If appropriate permissions and access controls to prevent unauthorized access are not applied to these tools, this is a finding.
Add or modify access controls and permissions to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only.
Review access permissions to tools used to view or modify audit log data. These tools may include the DBMS itself or tools external to the database. If appropriate permissions and access controls are not applied to prevent unauthorized modification of these tools, this is a finding.
Add or modify access controls and permissions to tools used to view or modify audit log data. Tools must be modifiable by authorized personnel only.
Review access permissions to tools used to view or modify audit log data. These tools may include the DBMS itself or tools external to the database. If appropriate permissions and access controls are not applied to prevent unauthorized deletion of these tools, this is a finding.
Add or modify access controls and permissions to tools used to view or modify audit log data. Only authorized personnel must be able to delete these tools.
Review system documentation to identify accounts authorized to own database objects. Review accounts in DBMS that own objects. If any database objects are found to be owned by users not authorized to own database objects, this is a finding. - - - - - Query the object DBA_OBJECTS to show the users who own objects in the database. The query below will return all of the users who own objects. sqlplus connect as sysdba SQL>select owner, object_type, count(*) from dba_objects group by owner, object_type order by owner, object_type; If these owners are not authorized owners, select all of the objects these owners have generated and decide who they should belong to. To make a list of all of the objects, the unauthorized owner has to perform the following query. SQL>select * from dba_objects where owner =&unauthorized_owner;
Update system documentation to include list of accounts authorized for object ownership. Re-assign ownership of authorized objects to authorized object owner accounts.
If Oracle is hosted on a server that does not support production systems, and is designated for the deployment of samples and demonstrations, this is not applicable (NA). Review documentation and websites from Oracle and any other relevant vendors for vendor-provided demonstration or sample databases, database applications, schemas, objects, and files. Review the Oracle DBMS to determine if any of the demonstration and sample databases, schemas, database applications, or files are installed in the database or are included with the DBMS application. If any are present in the database or are included with the DBMS application, this is a finding. The Oracle Default Sample Schema User Accounts are: BI Owns the Business Intelligence schema included in the Oracle Sample Schemas. HR Manages the Human Resources schema. Schema stores information about the employees and the facilities of the company. OE Manages the Order Entry schema. Schema stores product inventories and sales of the company's products through various channels. PM Manages the Product Media schema. Schema contains descriptions and detailed information about each product sold by the company. IX Manages the Information Exchange schema. Schema manages shipping through business-to-business (B2B) applications database. SH Manages the Sales schema. Schema stores statistics to facilitate business decisions. SCOTT A demonstration account with a simple schema. Connect to Oracle as SYSDBA; run the following SQL to check for presence of Oracle Default Sample Schema User Accounts: select distinct(username) from dba_users where username in ('BI','HR','OE','PM','IX','SH','SCOTT'); If any of the users listed above is returned it means that there are demo programs installed, so this is a finding.
Remove any demonstration and sample databases, database applications, objects, and files from the DBMS. To remove an account and all objects owned by that account (using BI as an example): DROP USER BI CASCADE; To remove objects without removing their owner, use the appropriate DROP statement (DROP TABLE, DROP VIEW, etc.).
Run this query to produce a list of components and features installed with the database: SELECT comp_id, comp_name, version, status from dba_registry WHERE comp_id not in ('CATALOG','CATPROC','XDB') AND status <> 'OPTION OFF'; Review the list. If unused components are installed and are not documented and authorized, this is a finding. Starting with releases 11.1.0.7.x and above, all products are installed by default and the option to customize the product/component selection is no longer possible with the exception of those listed here: Oracle JVM, Oracle Text, Oracle Multimedia, Oracle OLAP, Oracle Spatial, Oracle Label Security, Oracle Application Express, Oracle Database Vault
If any components are required for operation of applications that will be accessing the DBMS, include them in the system documentation. One cannot remove components, either via Database Configuration Assistant (DBCA) or manually once the database has been created, either from a container or a non-container database. One can, however, use DBCA to create a non-container database and remove components during the creation process, before the database is created. When using DBCA to create a custom non-container database, select creation mode = advanced Database Template = Custom Database Options..Database Component. Components that can be selected or de-selected are: Oracle JVM, Oracle Text, Oracle Multimedia, Oracle OLAP, Oracle Spatial, Oracle Label Security, Oracle Application Express, Oracle Database Vault For a container database (CDB), the CDB$ROOT must have all possible database components available. This is because, when a pluggable database (PDB) is plugged into the CDB, the CDB must have the same components installed as the PDB. Since we do not know what components the PDBS may have, the CDB must be able to support all possible PDB configurations. Components installed in the CDB$ROOT do not need to be licensed. Components are only considered to be used if they are installed in the PDB. To configure a PDB to only use specific components, do the following: 1) Create a non-CDB 12.1 database and configure that database with the components desired. 2) Plug the non-CDB database into a CDB database, creating a new PDB. If wanted, can then create additional clones from the new PDB.
Run this query to check to see what integrated components are installed in the database: SELECT parameter, value from v$option where parameter in ( 'Data Mining', 'Oracle Database Extensions for .NET', 'OLAP', 'Partitioning', 'Real Application Testing' ); This will return all of the relevant database options and their status. TRUE means that the option is installed. If the option is not installed, the option will be set to FALSE. Review the options and check the system documentation to see what is required. If all listed components are authorized to be in use, this is not a finding. If any unused components or features are listed by the query as TRUE, this is a finding.
In the system documentation list the integrated components required for operation of applications that will be accessing the DBMS. For Oracle Database 12.1, only the following components can be enabled/disabled: Oracle Data Mining (dm) Oracle Database Extensions for .NET (ode_net) Oracle OLAP (olap) Oracle Partitioning (partitioning) Real Application Testing (rat) Use the chopt utility (an Oracle-supplied operating system command that resides in the <Oracle Home path>/bin directory) to disable each option that should not be available. The command format is chopt <enable|disable> <option> where <option> is any of the abbreviations in parentheses in the list above. For example, to disable Real Application Testing, issue the following command at an OS prompt: chopt disable rat Restart the Oracle service. (See My Oracle Support Document 948061.1 for more on the chopt command.)
Review the database for definitions of application executable objects stored external to the database. Determine if there are methods to disable use or access, or to remove definitions for external executable objects. Verify any application executable objects listed are authorized by the ISSO. To check for external procedures, execute the following query, which will provide the libraries containing external procedures, the owners of those libraries, users that have been granted access to those libraries, and the privileges they have been granted. If there are owners other than the owners Oracle provides, then there might be executable objects stored either in the database or external to the database that are called by objects in the database. (connect as sysdba) set linesize 130 column library_name format a25 column name format a15 column owner format a15 column grantee format a15 column privilege format a15 select library_name,owner, '' grantee, '' privilege from dba_libraries where file_spec is not null and owner not in ('SYS', 'ORDSYS') minus ( select library_name,o.name owner, '' grantee, '' privilege from dba_libraries l, sys.user$ o, sys.user$ ge, sys.obj$ obj, sys.objauth$ oa where l.owner=o.name and obj.owner#=o.user# and obj.name=l.library_name and oa.obj#=obj.obj# and ge.user#=oa.grantee# and l.file_spec is not null ) union all select library_name,o.name owner, --obj.obj#,oa.privilege#, ge.name grantee, tpm.name privilege from dba_libraries l, sys.user$ o, sys.user$ ge, sys.obj$ obj, sys.objauth$ oa, sys.table_privilege_map tpm where l.owner=o.name and obj.owner#=o.user# and obj.name=l.library_name and oa.obj#=obj.obj# and ge.user#=oa.grantee# and tpm.privilege=oa.privilege# and l.file_spec is not null / If any owners are returned other than those Oracle provides, ensure those owners are authorized to access those libraries. If there are users that have been granted access to libraries that are not authorized, this is a finding.
Disable use of or remove any external application executable object definitions that are not authorized. Revoke privileges granted to users that are not authorized access to external applications.
Review the System Security Plan to determine if the use of the external procedure agent is authorized. Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows). If external procedure agent is not authorized for use in the System Security Plan and the executable file does not exist or is restricted, this is not a finding. If external procedure agent is not authorized for use in the System Security Plan and the executable file exists and is not restricted, this is a finding. If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications. External jobs are run using the account nobody by default. Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=. If the user assigned to these parameters is not "nobody", this is a finding. For versions 11.1 and later, the external procedure agent (extproc executable) is available directly from the database and does not require definition in the listener.ora file for use. Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora. If the file does not exist, this is a finding. If the following entry does not appear in the file, this is a finding: EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:.. [dll full file name] represents a full path and file name. This list of file names is separated by ":". Note: If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a finding. If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a finding. If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a finding. Ensure that EXTPROC is not accessible from the listener. Review the listener.ora file. If any entries reference "extproc", this is a finding. Determine if the external procedure agent is in use per Oracle 10.x conventions. Review the listener.ora file. If any entries reference "extproc", then the agent is in use. If external procedure agent is not authorized for use in the System Security Plan and references to "extproc" exist, this is a finding. Sample listener.ora entries with extproc included: LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521)) ) EXTLSNR = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1) (SID_NAME = ORCL) ) ) SID_LIST_EXTLSNR = (SID_LIST = (SID_DESC = (PROGRAM = extproc) (SID_NAME = PLSExtProc) (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1) (ENVS="EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so, LD_LIBRARY_PATH=/private/app2/lib:/private/app1, MYPATH=/usr/fso:/usr/local/packages") ) ) Sample tnsnames.ora entries with extproc included: ORCL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521)) ) (CONNECT_DATA = (SERVICE_NAME = ORCL) ) ) EXTPROC_CONNECTION_DATA = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = extproc)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = PLSExtProc) ) ) If EXTPROC is in use, confirm that a listener is dedicated to serving the external procedure agent (as shown above). View the protocols configured for the listener. For the listener to be dedicated, the only entries will be to specify extproc. If there is not a dedicated listener in use for the external procedure agent, this is a finding. If the PROTOCOL= specified is other than IPC, this is a finding. Verify and ensure extproc is restricted executing authorized external applications only and extproc is restricted to execution of authorized applications. Review the listener.ora file. If the following entry does not exist, this is a finding: EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:... Note: [dll full file name] represents a full path and file name. This list of file names is separated by ":". Note: If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a finding. If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a finding. If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a finding. View the listener.ora file (usually in ORACLE_HOME/network/admin or directory specified by the TNS_ADMIN environment variable). If multiple listener processes are running, then the listener.ora file for each must be viewed. For each process, determine the directory specified in the ORACLE_HOME or TNS_ADMIN environment variable defined for the process account to locate the listener.ora file.
If use of the external procedure agent is required, then authorize and document the requirement in the System Security Plan. If the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan. If use of the Oracle External Procedure agent is not required: - Stop the Oracle Listener process - Remove all references to extproc in the listener.ora and tnsnames.ora files - Alter the permissions on the executable files: UNIX - Remove read/write/execute permissions from owner, group and world Windows - Remove Groups/Users from the executable (except groups SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS groups If required: - Restrict extproc execution to only authorized applications. - Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and the listener.ora files - Create a separate, dedicated listener for use by the external procedure agent See the Oracle Net Services Administrators Guides, External Procedures section for detailed configuration information.
Review the DBMS settings for functions, ports, protocols, and services that are not approved. If any are found, this is a finding. (For definitive information on Ports, Protocols, and Services Management [PPSM], refer to https://cyber.mil/ppsm/) - - - - - In the Oracle database, the communications with the database and incoming requests are performed by the Oracle Listener. The Oracle Listener listens on a specific port or ports for connections to a specific database. The Oracle Listener has configuration files located in the $ORACLE_HOME/network/admin directory. To check the ports and protocols in use, go to that directory and review the SQLNET.ora, LISTENER.ora, and the TNSNAMES.ora. If protocols or ports are in use that are not authorized, this is a finding.
Disable functions, ports, protocols, and services that are not approved. - - - - - Change the SQLNET.ora, LISTENER.ora, and TNSNAMES.ora files to reflect the proper use of ports, protocols, and services that are approved at the site. If changes to the Listener are made, the files associated with the Listener must be reloaded. Do that by issuing the following commands at the UNIX/Linux or Windows prompt. Issue the command to see what the current status is: $ lsnrctl stat Load the new file that was corrected to reflect site-specific requirements. $ lsnrctl reload Check the status again to see that the changes have taken place. $ lsnrctl stat
Oracle stores and displays its passwords in encrypted form. Nevertheless, this should be verified by reviewing the relevant system views, along with the other items to be checked here. Ask the DBA to review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files, tables, or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Ask the database administrator (DBA) and/or information system security officer (ISSO) to determine if any DBMS database objects, database configuration files, associated scripts, and applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings/tables, contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a finding. Ask the DBA/system administrator (SA)/application support staff if they have created an external password store for applications, batch jobs, and scripts to use. Verify that all passwords stored there are encrypted. If a password store is used and any password is not encrypted, this is a finding. - - - - - The following are notes on implementing a Secure External Password Store using Oracle Wallet. Password credentials can be stored for connecting to databases using a client-side Oracle wallet. An Oracle wallet is a secure software container that stores authentication and signing credentials. This wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts no longer need embedded user names and passwords. This reduces risk because the passwords are no longer exposed, and password management policies are more easily enforced without changing application code whenever user names or passwords change. The external password store of the wallet is separate from the area where public key infrastructure (PKI) credentials are stored. Consequently, Oracle Wallet Manager cannot be used to manage credentials in the external password store of the wallet. Instead, use the command-line utility mkstore to manage these credentials. How Does the External Password Store Work? Typically, users (and applications, batch jobs, and scripts) connect to databases by using a standard CONNECT statement that specifies a database connection string. This string can include a user name and password, and an Oracle Net service name identifying the database on an Oracle Database network. If the password is omitted, the connection prompts the user for the password. For example, the service name could be the URL that identifies that database, or a TNS alias entered in the tnsnames.ora file in the database. Another possibility is a host:port:sid string. The following examples are standard CONNECT statements that could be used for a client that is not configured to use the external password store: CONNECT salesapp@sales_db.us.example.com Enter password: password CONNECT salesapp@orasales Enter password: password CONNECT salesapp@ourhost37:1527:DB17 Enter password: password In these examples, salesapp is the user name, with the unique connection string for the database shown as specified in three different ways; use its URL sales_db.us.example.com, or its TNS alias, orasales, from the tnsnames.ora file, or its host:port:sid string. However, when clients are configured to use the secure external password store, applications can connect to a database with the following CONNECT statement syntax, without specifying database logon credentials: CONNECT /@db_connect_string CONNECT /@db_connect_string AS SYSDBA CONNECT /@db_connect_string AS SYSOPER In this specification, db_connect_string is a valid connection string to access the intended database, such as the service name, URL, or alias as shown in the earlier examples. Each user account must have its own unique connection string and cannot create one connection string for multiple users. In this case, the database credentials, user name and password, are securely stored in an Oracle wallet created for this purpose. The autologon feature of this wallet is turned on, so the system does not need a password to open the wallet. From the wallet, it gets the credentials to access the database for the user they represent.
Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, and applications defined within, or external to, the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan (SSP). Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are encoded or encrypted and protected by host system security. - - - - - The following are notes on implementing a Secure External Password Store using Oracle Wallet. Oracle provides the capability to provide for a secure external password facility. Use the Oracle mkstore to create a secure storage area for passwords for applications, batch jobs, and scripts to use, or deploy a site-authorized facility to perform this function. Check to see what has been stored in the Oracle External Password Store. To view all contents of a client wallet external password store, check specific credentials by viewing them. Listing the external password store contents provides information that can be used to decide whether to add or delete credentials from the store. To list the contents of the external password store, enter the following command at the command line: $ mkstore -wrl wallet_location -listCredential For example: $ mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -listCredential The wallet_location specifies the path to the directory where the wallet, whose external password store contents is to be viewed, is located. This command lists all of the credential database service names (aliases) and the corresponding user name (schema) for that database. Passwords are not listed. Configuring Clients to Use the External Password Store: If the client is already configured to use external authentication, such as Windows built-in authentication or TLS, then Oracle Database uses that authentication method. The same credentials used for this type of authentication are typically also used to log on to the database. For clients not using such authentication methods or wanting to override them for database authentication, can set the SQLNET.WALLET_OVERRIDE parameter in sqlnet.ora to TRUE. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials as before. If wanting a client to use the secure external password store feature, then perform the following configuration task: 1. Create a wallet on the client by using the following syntax at the command line: mkstore -wrl wallet_location -create For example: mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -create Enter password: password The wallet_location is the path to the directory where the wallet is to be created and stored. This command creates an Oracle wallet with the autologon feature enabled at the location specified. The autologon feature enables the client to access the wallet contents without supplying a password. The mkstore utility -create option uses password complexity verification. 2. Create database connection credentials in the wallet by using the following syntax at the command line: mkstore -wrl wallet_location -createCredential db_connect_string username Enter password: password For example: mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -createCredential oracle system Enter password: password In this specification, the wallet_location is the path to the directory where the wallet was created. The db_connect_string used in the CONNECT /@db_connect_string statement must be identical to the db_connect_string specified in the -createCredential command. The db_connect_string is the TNS alias used to specify the database in the tnsnames.ora file or any service name used to identify the database on an Oracle network. By default, tnsnames.ora is located in the $ORACLE_HOME/network/admin directory on UNIX systems and in ORACLE_HOME\network\admin on Windows. The username is the database logon credential. When prompted, enter the password for this user. 3. In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet created in Step 1. For example, if the wallet was created in $ORACLE_HOME/network/admin and Oracle home is set to /private/ora12, then enter the following into client sqlnet.ora file: WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) 4. In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE as follows: SQLNET.WALLET_OVERRIDE = TRUE This setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases. When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@db_connect_string syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail. Below is a sample sqlnet.ora file with the WALLET_LOCATION and the SQLNET.WALLET_OVERRIDE parameters set as described in Steps 3 and 4. WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) SQLNET.WALLET_OVERRIDE = TRUE SSL_CLIENT_AUTHENTICATION = FALSE SSL_VERSION = 1.2 Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Refer to the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.
If all accounts are authenticated by the OS or an enterprise-level authentication/access mechanism and not by Oracle, this is not a finding. Review DBMS configuration to verify the certificates being accepted by the DBMS have a valid certification path with status information to an accepted trust anchor. If certification paths are not being validated back to a trust anchor, this is a finding. - - - - - The database supports PKI-based authentication by using digital certificates over TLS in addition to the native encryption and data integrity capabilities of these protocols. Oracle provides a complete PKI that is based on RSA Security, Inc., Public-Key Cryptography Standards, and which interoperates with Oracle servers and clients. The database uses a wallet that is a container that is used to store authentication and signing credentials, including private keys, certificates, and trusted certificates needed by TLS. In an Oracle environment, every entity that communicates over TLS must have a wallet containing an X.509 version 3 certificate, private key, and list of trusted certificates. If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries, TLS is installed. WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = DIRECTORY=/wallet) SSL_CIPHER_SUITES=(SSL_cipher_suiteExample) SSL_VERSION = 1.2 SSL_CLIENT_AUTHENTICATION=TRUE (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)
Configure the DBMS to validate certificates by constructing a certification path with status information to an accepted trust anchor. Configure the database to support Transport Layer Security (TLS) protocols and the Oracle Wallet to store authentication and signing credentials, including private keys.
Review DBMS configuration to verify DBMS user accounts are being mapped directly to authenticated identity information being passed via the PKI. If user accounts are not being mapped to authenticated identity information being passed via the PKI, this is a finding.
Configure the DBMS to map the authenticated identity directly to the DBMS user account.
Check the following settings to verify FIPS 140 authentication/encryption is configured. If encryption is required but not configured, check with the DBA and system administrator to verify if other mechanisms or third-party cryptography products are deployed for authentication. To verify if Oracle is configured for FIPS 140 SSL/TLS authentication and/or Encryption: Verify the DBMS version: select * from V$VERSION; If the version displayed for Oracle Database is lower than 12.1.0.2, this is a finding. If the operating system is Windows and the DBMS version is 12.1.0.2, use the opatch command to display the patches applied to the DBMS. If the patches listed do not include "WINDOWS DB BUNDLE PATCH 12.1.0.2.7", this is a finding. Open the fips.ora file in a browser or editor. (The default location for fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An alternate location, if it is in use, is specified in the FIPS_HOME environment variable.) If the line "SSLFIPS_140=TRUE" is not found in fips.ora, or the file does not exist, this is a finding.
Utilize NIST-validated FIPS 140-2 or 140-3 compliant cryptography for all authentication mechanisms. Where not already in effect, upgrade the DBMS to version 12.1.0.2 or higher. Where the operating system is Windows and the DBMS version is 12.1.0.2, install patch "WINDOWS DB BUNDLE PATCH 12.1.0.2.7" if not already deployed. Open the fips.ora file in an editor. (The default location for fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An alternate location, if it is in use, is specified in the FIPS_HOME environment variable.) Create or modify fips.ora to include the line "SSLFIPS_140=TRUE". - - - - - The strength requirements are dependent upon data classification. For unclassified data, where cryptography is required: AES 128 for encryption SHA 256 for hashing NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows. AES 128 for Secret AES 256 for Top Secret SHA 256 for Secret SHA 384 for Top Secret National Security System is defined as: (OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). There is more information on this topic in the Oracle Database 12c Advanced Security Administrator's Guide, located at https://docs.oracle.com/database/121/DBSEG/E48135-11.pdf. (Note: Because of changes in Oracle's licensing policy, it is no longer necessary to purchase Oracle Advanced Security to use network encryption and advanced authentication.) FIPS documentation can be downloaded from https://csrc.nist.gov/publications/fips
Review DBMS settings and vendor documentation to verify user sessions are terminated upon user logout. If they are not, this is a finding. Review system documentation and organization policy to identify other events that should result in session terminations. If other session termination events are defined, review DBMS settings to verify occurrences of these events would cause session termination. If occurrences of defined session-terminating events do not cause session terminations, this is a finding. When a user logs off of an Oracle session gracefully or has the session terminated for an idle timeout or any other reason, the session is terminated, and the resources are returned to the system. Check with the DBA to see what mechanism is used to disconnect the session and what events the site uses to determine if a connection needs to be terminated. To test for timeout, open a connection and leave it idle for a period greater than the defined idle timeout setting enforced by the system. Then try to use the connection. If the connection is no longer active, then the mechanism deployed to terminate the connection is active and working.
Configure DBMS settings to terminate sessions upon user logoff. Configure DBMS settings to terminate sessions upon the occurrence of any organization or policy-defined session termination event. - - - - - To configure specific session termination processes, we need to define the organization or policy-defined session termination event. Below are some examples. Oracle has several ways to disconnect idle sessions, both from within SQL*Plus via resources profiles (connect_time, idle_time) and with the SQL*net expire time parameter. Can use profiles to set the connect time and idle time with "alter profile" statements: alter profile senior_claim_analyst limit connect_time 15 sessions_per_user 2 ldle_time 10; Profiles comprise a named set of resource limits. By default, when users are created, they are given the default profile, which provides unlimited use of all resources. The syntax to create a profile follows: CREATE PROFILE LIMIT resource_parameters|password_parameters; Resource_parameters: [SESSIONS_PER_USER n|UNLIMITED|DEFAULT] [CPU_PER_SESSION n|UNLIMITED|DEFAULT] [CPU_PER_CALL n|UNLIMITED|DEFAULT] [CONNECT_TIME n|UNLIMITED|DEFAULT] [IDLE_TIME n|UNLIMITED|DEFAULT] By setting resource limits, can prevent users from performing operations that will tie up the system and prevent other users from performing operations. Can use resource limits for security, to ensure that users log off the system, so as not to leave the session connected for long periods of time. The system resource limits can be enforced at the session level, the call level, or both. The session level is calculated from the time the user logs on to the database until the user exits. The call level applies to each SQL command issued. Session-level limits are enforced for each connection. When a session-level limit is exceeded, only the last SQL command issued is rolled back; no further work can be performed until a commit, rollback, or exit is performed. Using SQLNET.EXPIRE_TIME The sqlnet.expire_time parameter is used to set a time interval, in minutes, to determine how often a probe should be sent verifying that client/server connections are active. If there is a need to ensure that connections are not left open indefinitely (or up to the time set by operating system-specific parameters), set a value that is greater than 0. This protects the system from connections left open due to an abnormal client termination. When the probe detects a terminated connection or a connection no longer in use, it signals an error, causing the server process to exit. This setting is intended for use on the database server side of the connection, which usually handles multiple connections at any one time. Limitations on using this terminated (dead) connection detection feature are: sqlnet.expire_time cannot be used on bequeathed connections. The SQL*Net expire_time probe packet will generate additional network traffic that may downgrade the network's performance, depending on the number of connections. Depending on the operating system that is in use, additional server processing may need to be performed to distinguish the connection probe from other events that occur. This overhead for detection of probe events can result in downgraded network performance. Turning-on expire_time To set up these advanced features, simply edit the sqlnet.ora file. If a beginner, follow this procedure: Start the Oracle Network Manager GUI. In the GUI navigator pane, expand the icons Local >> Profile. From the list on the right-hand pane, select General. Click on the Advanced tab. Next, enter the values for the fields or options to set. When finished, choose File >> Save Network Configuration to write the changes to the sqlnet.ora file. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) The sqlnet.ora inbound_connect_timeout parameter The sqlnet.ora inbound_connect_timeout parameter is used to limit the time, set in seconds, for a client to connect with the database server and provide the required authentication information. Also see sqlnet.inbound_connect_timeout tips. To limit consumption of Oracle resources by unauthorized users and enable an audit trail, should set time-limit values for the sqlnet.inbound_connect_timeout parameter in wall-clock seconds. (This parameter does not have default values.) Failure resulting from sqlnet.inbound_connect_timeout will throw an ORA-03136 inbound connection timed out error.
If the database is used solely for transient data (such as one dedicated to Extract-Transform-Load (ETL)), and a clear plan exists for the recovery of the database by means other than archiving, this is not a finding. If it has been determined that up-to-the second recovery is not necessary and this fact is recorded in the system documentation, with appropriate approval, this is not a finding. Check DBMS settings to determine whether system state information is being preserved in the event of a system failure. The necessary state information is defined as "information necessary to determine cause of failure and to return to operations with least disruption to mission/business processes". Oracle creates what is known as archive logs. Archive logs contain information required to replay a transaction should something happen. The redo logs are also used to copy transactions or pieces of transactions. Issue the following commands to check the status of archive log mode: $ sqlplus connect as sysdba --Check current archivelog mode in database SQL> archive log list Database log mode Archive Mode Automatic archival Enabled Archive destination /home/oracle/app/oracle/arc2/ORCL Oldest online log sequence 433 Next log sequence to archive 435 Current log sequence 435 If archive log mode is not enabled, this is a finding.
Configure DBMS settings to preserve all required system state information in the event of a system failure. If the database is not in archive log mode, issue the following commands to put the database in archive log mode. The database must be normally shutdown and restarted before it can be placed in archive log mode. $ sqlplus connect as sysdba -- stop and dismount database and shutdown instance. SQL> shutdown immediate; Database closed. Database dismounted. ORACLE instance shut down. SQL> startup mount; -- Restart instance. ORACLE instance started. Total System Global Area 1653518336 bytes Fixed Size 2228904 bytes Variable Size 1325403480 bytes Database Buffers 318767104 bytes Redo Buffers 7118848 bytes Database mounted. SQL> alter database archivelog; -- Enable ArchiveLog Database altered. SQL> alter database open; -- Re-open database Database altered. Issue the following command to see the new status: SQL> select log_mode from v$database; LOG_MODE ------------ ARCHIVELOG SQL> archive log list; Database log mode Archive Mode Automatic archival Enabled Archive destination USE_DB_RECOVERY_FILE_DEST Oldest online log sequence 294 Next log sequence to archive 296 Current log sequence 296 The database is now in archive log mode, and transactions are either being recorded to transport to another database or being re-applied if the database becomes corrupt and needs to be restored from the last backup. Use the redo logs to replay transactions not captured in the backup.
If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Review DBMS settings to determine whether controls exist to protect the confidentiality and integrity of data at rest in the database. If controls do not exist or are not enabled, this is a finding. To ensure that the appropriate controls are in place, discuss the precautions taken with the site Database Administrators and System Administrators and try to modify data at rest. Oracle recommends using Transparent Data Encryption to protect data. To check to see if the data is encrypted, for example, upon an auditor's request Oracle provides views that document the encryption status of the database. For TDE column encryption, use the view "dba_encrypted_columns", which lists the owner, table name, column name, encryption algorithm, and salt for all encrypted columns. For TDE tablespace encryption, the following SQL statement lists all encrypted tablespaces with their encryption algorithm and corresponding, encrypted, data files. Issue the following commands to check to see if the data at rest is encrypted. $ sqlplus connect as sysdba SQL> SELECT t.name "TSName", e.encryptionalg "Algorithm", d.file_name "File Name" FROM v$tablespace t, v$encrypted_tablespaces e, dba_data_files d WHERE t.ts# = e.ts# and t.name = d.tablespace_name; The next SQL statement lists the table owner, tables within encrypted tablespaces, and the encryption algorithm: SQL> SELECT a.owner "Owner", a.table_name "Table Name", e.encryptionalg "Algorithm" FROM dba_tables a, v$encrypted_tablespaces e WHERE a.tablespace_name in (select t.name from v$tablespace t, v$encrypted_tablespaces e where t.ts# = e.ts#);
Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database. If no site-specific precautions are in place, use Oracle Advanced Security Option to encrypt data at rest. If ASO is not an option, use site-specific procedures to secure data at rest.
Check DBMS settings to determine whether objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality. If security-related database objects or code are not kept separate, this is a finding. The Oracle elements of security functionality, such as the roles, permissions, and profiles, along with password complexity requirements, are stored in separate schemas in the database. Review any site-specific applications security modules built into the database and determine what schema they are located in and take appropriate action. The Oracle objects will be in the Oracle Data Dictionary.
Locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic. (This is the default behavior for Oracle.) Review any site-specific applications security modules built into the database: determine what schema they are located in and take appropriate action.
Verify there are proper procedures in place for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test, and verify copies of production data are not left in unprotected locations. If there is no documented procedure for data movement from production to development/test, this is a finding. If the code that exists for data movement does not remove any copies of production data from unprotected locations, this is a finding.
Create and document a process for moving data from production to development/test systems, and follow the process. Modify any code used for moving data from production to development/test systems to ensure copies of production data are not left in nonsecured locations. Moving data is only a part of the challenge of protecting the data. When the data is moved, it should also be changed so sensitive information is not made available in development environments. With the Oracle Data Masking Pack for Oracle Enterprise Manager, organizations can comply with data privacy and protection mandates that restrict the use of actual customer data. With Oracle Data Masking Pack, sensitive information, such as credit card or social security numbers, can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-source or off-shore partners for other nonproduction purposes. When used in conjunction with Oracle Enterprise Manager, it is easy to develop a secure process that is capable of obfuscating the data during the movement process. If the Oracle Data Masking Pack and Enterprise Manager are not available, develop site-specific procedures to manage and obfuscate sensitive data.
Review DBMS code, settings, field definitions, constraints, and triggers to determine whether or not data being input into the database is validated. If code exists that allows invalid data to be acted upon or input into the database, this is a finding. If field definitions do not exist in the database, this is a finding. If fields do not contain enabled constraints where required, this is a finding. - - - - - Oracle provides built-in processes to keep data and its integrity intact by using constraints. Integrity Constraint States Can specify that a constraint is enabled (ENABLE) or disabled (DISABLE). If a constraint is enabled, data is checked as it is entered or updated in the database, and data that does not conform to the constraint is prevented from being entered. If a constraint is disabled, then data that does not conform can be allowed to enter the database. Additionally, can specify that existing data in the table must conform to the constraint (VALIDATE). Conversely, if specified NOVALIDATE, are not ensured that existing data conforms. An integrity constraint defined on a table can be in one of the following states: ENABLE, VALIDATE ENABLE, NOVALIDATE DISABLE, VALIDATE DISABLE, NOVALIDATE For details about the meaning of these states and an understanding of their consequences, see the Oracle Database SQL Language Reference. Some of these consequences are discussed here. Disabling Constraints To enforce the rules defined by integrity constraints, the constraints should always be enabled. However, consider temporarily disabling the integrity constraints of a table for the following performance reasons: - When loading large amounts of data into a table - When performing batch operations that make massive changes to a table (for example, changing every employee's number by adding 1000 to the existing number) - When importing or exporting one table at a time In all three cases, temporarily disabling integrity constraints can improve the performance of the operation, especially in data warehouse configurations. It is possible to enter data that violates a constraint while that constraint is disabled. Thus, always enable the constraint after completing any of the operations listed in the preceding bullet list. Enabling Constraints While a constraint is enabled, no row violating the constraint can be inserted into the table. However, while the constraint is disabled, such a row can be inserted. This row is known as an exception to the constraint. If the constraint is in the ENABLE, NOVALIDATE state, violations resulting from data entered while the constraint was disabled remain. The rows that violate the constraint must be either updated or deleted in order for the constraint to be put in the validated state. Can identify exceptions to a specific integrity constraint while attempting to enable the constraint. See "Reporting Constraint Exceptions". All rows violating constraints are noted in an EXCEPTIONS table, which can be examined. ENABLE, NOVALIDATE Constraint State When a constraint is in the ENABLE, NOVALIDATE state, all subsequent statements are checked for conformity to the constraint. However, any existing data in the table is not checked. A table with ENABLE, NOVALIDATE constraints can contain invalid data, but it is not possible to add new invalid data to it. Constraints in the ENABLE, NOVALIDATE state is most useful in data warehouse configurations that are uploading valid OLTP data. Enabling a constraint does not require validation. Enabling a constraint novalidate is much faster than enabling and validating a constraint. Also, validating a constraint that is already enabled does not require any DML locks during validation (unlike validating a previously disabled constraint). Enforcement guarantees that no violations are introduced during the validation. Hence, enabling without validating reduces the downtime typically associated with enabling a constraint. Efficient Use of Integrity Constraints: A Procedure Using integrity constraint states in the following order can ensure the best benefits: Disable state. Perform the operation (load, export, import). ENABLE, NOVALIDATE state. Enable state. Some benefits of using constraints in this order are: No locks are held. All constraints can go to enable state concurrently. Constraint enabling is done in parallel. Concurrent activity on table is permitted. Setting Integrity Constraints Upon Definition When an integrity constraint is defined in a CREATE TABLE or ALTER TABLE statement, it can be enabled, disabled, or validated or not validated as determined by the specification of the ENABLE/DISABLE clause. If the ENABLE/DISABLE clause is not specified in a constraint definition, the database automatically enables and validates the constraint. Disabling Constraints Upon Definition The following CREATE TABLE and ALTER TABLE statements both define and disable integrity constraints: CREATE TABLE emp ( empno NUMBER(5) PRIMARY KEY DISABLE, . . . ; ALTER TABLE emp ADD PRIMARY KEY (empno) DISABLE; An ALTER TABLE statement that defines and disables an integrity constraint never fails because of rows in the table that violate the integrity constraint. The definition of the constraint is allowed because its rule is not enforced. Enabling Constraints Upon Definition The following CREATE TABLE and ALTER TABLE statements both define and enable integrity constraints: CREATE TABLE emp ( empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . ; ALTER TABLE emp ADD CONSTRAINT emp.pk PRIMARY KEY (empno); An ALTER TABLE statement that defines and attempts to enable an integrity constraint can fail because rows of the table violate the integrity constraint. If this case, the statement is rolled back, and the constraint definition is not stored and not enabled. When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is created.
Modify database code to properly validate data before it is put into the database or acted upon by the database. Modify database to contain field definitions for each field in the database. Modify database to contain constraints on database columns and tables that require them for data validity. Review the application schemas implemented on the system. Check the DDL for the tables that are created for the applications to see if constraints have been enabled. - - - - - Enabling Constraints Upon Definition The following CREATE TABLE and ALTER TABLE statements both define and enable integrity constraints: CREATE TABLE emp ( empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . ) ; ALTER TABLE emp ADD CONSTRAINT emp.pk PRIMARY KEY (empno); An ALTER TABLE statement that defines and attempts to enable an integrity constraint can fail because existing rows of the table violate the integrity constraint. In this case, the statement is rolled back, and the constraint definition is not stored and not enabled. When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is created.
Check DBMS settings and custom database and application code to verify error messages do not contain information beyond what is needed for troubleshooting the issue. If database errors contain PII data, sensitive business data, or information useful for identifying the host system, this is a finding. Notes on Oracle's approach to this issue: Out of the box, Oracle covers this. For example, if a user does not have access to a table, the error is just that the table or view does not exist. The Oracle database is not going to display a Social Security Number in an error code unless an application is programmed to do so. Oracle applications will not expose the actual transactional data to a screen. The only way Oracle will capture this information is to enable specific logging levels. Custom code would require a review to ensure compliance.
Configure DBMS and custom database and application code not to divulge sensitive information or information useful for system identification in error information.
Check DBMS settings and custom database code to determine if error messages are ever displayed to unauthorized individuals: i) Review all end-user-facing applications that use the database, to determine whether they display any DBMS-generated error messages to general users. If they do, this is a finding. ii) Review whether the database is accessible to users who are not authorized system administrators or database administrators, via the following types of software: iia) Oracle SQL*Plus iib) Reporting and analysis tools iic) Database management and/or development tools, such as, but not limited to, Toad. iid) Application development tools, such as, but not limited to, Oracle JDeveloper, Microsoft Visual Studio, PowerBuilder, or Eclipse. If the answer to the preceding question (iia through iid) is Yes, inquire whether, for each role or individual with respect to each tool, this access is required to enable the user(s) to perform authorized job duties. If No, this is a finding. If Yes, continue: For each tool in use, determine whether it is capable of suppressing DBMS-generated error messages, and if it is, whether it is configured to do so. Determine whether the role or individual, with respect to each tool, needs to see detailed DBMS-generated error messages. If No, and if the tool is not configured to suppress such messages, this is a finding. If Yes, determine whether the role/user's need to see such messages is documented in the System Security Plan. If so, this is not a finding. If not, this is a finding.
i) For each end-user-facing application that displays DBMS-generated error messages, configure or recode it to suppress these messages. If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used to suppress or divert error messages. Most other programming languages provide comparable facilities, such as TRY ... CATCH. ii) For each unauthorized user of each tool, remove the ability to access it. For each tool where access to DBMS error messages is not required and can be configured, suppress the messages. For each role/user that needs access to the error messages, or needs a tool where the messages cannot be suppressed, document the need in the system security plan.
Interview the DBA to determine if any applications that access the database allow for entry of the account name and password on the command line. If any do, determine whether these applications obfuscate authentication data. If they do not, this is a finding.
Configure or modify applications to prohibit display of passwords in clear text on the command line.
For Oracle SQL*Plus, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations; and that AO approval has been obtained. If not, this is a finding. Request evidence that all users of the tool are trained in the importance of not using the plain-text password option and in how to keep the password hidden; and that they adhere to this practice. If not, this is a finding.
"For Oracle SQL*Plus, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation: 1) Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. 2) Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden. - - - - - Consider wrapping the startup command with a shell or wrapper and using an Oracle external password store. Oracle provides the capability to provide for a secure external password facility. Use the Oracle mkstore to create a secure storage area for passwords for applications, batch jobs, and scripts to use or deploy a site-authorized facility to perform this function. Check to see what has been stored in the Oracle External Password Store. To view all contents of a client wallet external password store, check specific credentials by viewing them. Listing the external password store contents provides information used to decide whether to add or delete credentials from the store. To list the contents of the external password store, enter the following command at the command line: $ mkstore -wrl wallet_location -listCredential For example: $ mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -listCredential The wallet_location specifies the path to the directory where the wallet, whose external password store contents is to be viewed, is located. This command lists all of the credential database service names (aliases) and the corresponding user name (schema) for that database. Passwords are not listed. Configuring Clients to Use the External Password Store If the client is already configured to use external authentication, such as Windows native authentication or Transport Layer Security (TLS), then Oracle Database uses that authentication method. The same credentials used for this type of authentication are typically also used to log on to the database. For clients not using such authentication methods or wanting to override them for database authentication, set the SQLNET.WALLET_OVERRIDE parameter in sqlnet.ora to TRUE. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials as before. If wanting a client to use the secure external password store feature, then perform the following configuration task: 1. Create a wallet on the client by using the following syntax at the command line: orapki create -wallet wallet_location -auto_login_local For example: orapki wallet create -wallet c:\oracle\product\12.1.0\db_1\wallets -auto_login_local Enter password: password The wallet_location is the path to the directory where the wallet is to be created and stored. This command creates an Oracle wallet with the autologon feature enabled at the location specified. The autologon feature enables the client to access the wallet contents without supplying a password. The mkstore utility -create option uses password complexity verification. 2. Create database connection credentials in the wallet by using the following syntax at the command line: mkstore -wrl wallet_location -createCredential db_connect_string username Enter password: password For example: mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -createCredential oracle system Enter password: password In this specification: The wallet_location is the path to the directory where the wallet was created. The db_connect_string used in the CONNECT /@db_connect_string statement must be identical to the db_connect_string specified in the -createCredential command. The db_connect_string is the TNS alias used to specify the database in the tnsnames.ora file or any service name used to identify the database on an Oracle network. By default, tnsnames.ora is located in the $ORACLE_HOME/network/admin directory on UNIX systems and in ORACLE_HOME\network\admin on Windows. The username is the database logon credential. When prompted, enter the password for this user. 3. In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet created in Step 1. For example, if the wallet was created in $ORACLE_HOME/network/admin and the Oracle home is set to /private/ora12, then need to enter the following into the client sqlnet.ora file: WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) 4. In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE as follows: SQLNET.WALLET_OVERRIDE = TRUE This setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases. When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@db_connect_string syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail. Below is a sample sqlnet.ora file with the WALLET_LOCATION and the SQLNET.WALLET_OVERRIDE parameters set as described in Steps 3 and 4. Below is a sample SQLNET.ORA File with Wallet Parameters Set WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) SQLNET.WALLET_OVERRIDE = TRUE SSL_CLIENT_AUTHENTICATION = FALSE SSL_VERSION =1.2 (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.)
Review the DBMS settings to determine whether audit logging is configured to produce logs consistent with the amount of space allocated for logging. If auditing will generate excessive logs so that they may outgrow the space reserved for logging, this is a finding. If file-based auditing is in use, check that sufficient space is available to support the file(s). If not, this is a finding. If standard, table-based auditing is used, the audit logs are written to a table called AUD$; and if a Virtual Private Database is deployed, a table is created called FGA_LOG$. First, check the current location of the audit trail tables. CONN / AS SYSDBA SELECT table_name, tablespace_name FROM dba_tables WHERE table_name IN ('AUD$', 'FGA_LOG$') ORDER BY table_name; TABLE_NAME TABLESPACE_NAME ------------------------------ ------------------------------ AUD$ SYSTEM FGA_LOG$ SYSTEM If the tablespace name is SYSTEM, the table needs to be relocated to its own tablespace. Ensure that adequate space is allocated to that tablespace. If Unified Auditing is used: Audit logs are written to tables in the AUDSYS schema. The default tablespace for AUDSYS is USERS. A separate tablespace should be created to contain audit data. Ensure that adequate space is allocated to that tablespace. Investigate whether there have been any incidents where the DBMS ran out of audit log space since the last time the space was allocated or other corrective measures were taken. If there have been, this is a finding.
Allocate sufficient audit file/table space to support peak demand. Ensure that audit tables are in their own tablespaces and that the tablespaces have enough room for the volume of log data that will be produced.
Review monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications, and configuration files is done. Verify that the list of files and directories being monitored is complete. If monitoring does not occur or is not complete, this is a finding.
Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. File hashes or checksums should be used for comparisons since file dates may be manipulated by malicious users.
Review monitoring procedures and implementation evidence to verify that monitoring of changes to database logic modules is done. Verify the list of objects (packages, procedures, functions, and triggers) being monitored is complete. If monitoring does not occur or is not complete, this is a finding.
Implement procedures to monitor for unauthorized changes to database logic modules. If a third-party automated tool is not employed, an automated job that reports on the objects of interest and compares them to the baseline report for the same will meet the requirement.
Review procedures for controlling and granting access to use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required, or if unauthorized access to the account has been granted, this is a finding.
Develop, document, and implement procedures to restrict use of the DBMS software installation account.
Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories. If any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding. Only applications that are required for the functioning and administration, not use, of the DBMS should be located on the same disk directory as the DBMS software libraries. For databases located on mainframes, confirm that the database and its configuration files are isolated in their own DASD pools. If database software and database configuration files share DASD with other applications, this is a finding.
Install all applications on directories, or pools, separate from the DBMS software library directory. Re-locate any directories or re-install other application software that currently shares the DBMS software library directory to separate directories. For mainframe-based databases, locate database software and configuration files in separate DASD pools from other mainframe applications.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings, and site practices, to determine whether organizational users are uniquely identified and authenticated when logging on to the system. If organizational users are not uniquely identified and authenticated, this is a finding.
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to uniquely identify and authenticate all organizational users who log on to the system. Ensure that each user has a separate account from all other users.
Review DBMS settings to determine whether non-organizational users are uniquely identified and authenticated when logging onto the system. If non-organizational users are not uniquely identified and authenticated, this is a finding.
Configure DBMS settings to uniquely identify and authenticate all non-organizational users who log onto the system.
Check DBMS settings and vendor documentation to verify administrative functionality is separate from user functionality. If administrator and general user functionality is not separated either physically or logically, this is a finding.
Configure DBMS settings to separate database administration and general user functionality. Provide those who have both administrative and general-user responsibilities with separate accounts for these separate functions.
If there are no shared accounts available to more than one user, this is not a finding. If a shared account is used by an application to interact with the database, review the System Security Plan, the tables in the database, and the application source code/documentation to determine whether the application captures the individual user's identity and stores that identity along with all data inserted and updated (also with all records of reads and/or deletions, if these are required to be logged). If there are gaps in the application's ability to do this, and the gaps and the risk are not defined in the system documentation and accepted by the AO, this is a finding. If users are sharing a group account to log on to Oracle tools or third-party products that access the database, this is a finding. If Standard Auditing is used: To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE are also monitored and attributed to individuals, verify that Oracle auditing is enabled. To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SHOW PARAMETER AUDIT_TRAIL or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail'; If Oracle returns the value "NONE", this is a finding. If Unified Auditing is used: To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE are also monitored and attributed to individuals, verify that Oracle auditing is enabled. To see if Oracle is configured to capture audit data, enter the following SQL*Plus command: SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing'; If Oracle returns a value something other than "TRUE", this is a finding.
Use accounts assigned to individual users where feasible. Configure DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account. Modify applications and data tables that are not capturing individual user identity to do so. Create and enforce the use of individual user IDs for logging on to Oracle tools and third-party products. If Oracle auditing is not already enabled, enable it. If Standard Auditing is used: If Oracle (or third-party) auditing is not already enabled, enable it. For Oracle auditing, use this query: ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE; Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down and restart the Oracle database. If Unified Auditing is used: Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. For more information on the configuration of auditing, refer to the following documents: "Auditing Database Activity" in the Oracle Database 2 Day + Security Guide: http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000 "Monitoring Database Activity with Auditing" in the Oracle Database Security Guide: http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI "DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference: http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241 Oracle Database Upgrade Guide: http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810 If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the locations above. If this level of auditing does not meet site-specific requirements, consider deploying the Oracle Audit Vault. The Audit Vault is a highly configurable option from Oracle made specifically for performing the audit functions. It has reporting capabilities as well as user-defined rules that provide additional flexibility for complex auditing requirements.
Review host system privileges assigned to the Oracle DBA group and all individual Oracle DBA accounts. Note: do not include the Oracle software installation account in any results for this check. For UNIX systems (as root): cat /etc/group | grep -i dba groups root If "root" is returned in the first list, this is a finding. If any accounts listed in the first list are also listed in the second list, this is a finding. Investigate any user account group memberships other than DBA or root groups that are returned by the following command (also as root): groups [dba user account] Replace [dba user account] with the user account name of each DBA account. If individual DBA accounts are assigned to groups that grant access or privileges for purposes other than DBA responsibilities, this is a finding. For Windows Systems (click or select): Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_DBA Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_[SID]_DBA (if present) Note: Users assigned DBA privileges on a Windows host are granted membership in the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA privileges to specific Oracle instances only. Make a note of each user listed. For each user (click or select): Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Users / [DBA user name] / Member of If DBA users belong to any groups other than DBA groups and the Windows Users group, this is a finding. Examine User Rights assigned to DBA groups or group members: Start / Settings / Control Panel / Administrative Tools / Local Security Policy / Security Settings / Local Policies / User Rights Assignments If any User Rights are assigned directly to the DBA group(s) or DBA user accounts, this is a finding.
Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration. Revoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts. Remove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts. Document all DBA group accounts and individual DBA account-assigned privileges in the System Security Plan.
When the Quarterly CPU is released, check the CPU Notice and note the specific patch number for the system. Then, issue the following command: SELECT patch_id, version, action, status, description from dba_registry_sqlpatch; This will generate the patch levels for the home and any specific patches that have been applied to it. If the currently installed patch levels are lower than the latest, this is a finding.
Follow the process below to apply the security patch. Log on to My Oracle Support. Select patches and download the specific patch number and corresponding MD5 checksum. Once the patch is downloaded to the server, check the MD5 checksum to make sure the patch is valid. To check the MD5 Checksum in Linux/UNIX, the command is: $md5sum absolute_path_of_file_name - file_name is the complete location of the downloaded file. $md5sum /home/oracle/test.zip a34d8cd98f00cf24e9800998ecf823e4 /home/oracle/test.zip Once the checksum is validated, apply the patch: $ cd $ORACLE_HOME $ opatch apply Check that the patch was applied and the inventory was updated with the following command (UNIX/Linux): $ opatch lsinventory -detail Windows: > opatch lsinventory –detail
Use this query to identify the Oracle-supplied accounts that still have their default passwords: SELECT * FROM SYS.DBA_USERS_WITH_DEFPWD; If any accounts other than XS$NULL are listed, this is a finding. (XS$NULL is an internal account that represents the absence of a user in a session. Because XS$NULL is not a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.)
Change passwords for DBMS accounts to non-default values. Where necessary, unlock or enable accounts to change the password, and then return the account to disabled or locked status.
Check DBMS settings to determine whether cryptographic mechanisms are used to prevent the unauthorized disclosure of information during transmission. Determine whether physical measures are being used instead of cryptographic mechanisms. If neither cryptographic nor physical measures are being utilized, this is a finding. To check that network encryption is enabled and using site-specified encryption procedures, look in SQLNET.ORA located at $ORACLE_HOME/network/admin/sqlnet.ora. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) If encryption is set, entries like the following will be present: SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384) SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384) SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256) SQLNET.ENCRYPTION_TYPES_SERVER= (AES256) SQLNET.CRYPTO_CHECKSUM_CLIENT = requested SQLNET.CRYPTO_CHECKSUM_SERVER = required (The values assigned to the parameters may be different, the combination of parameters may be different, and not all of the example parameters will necessarily exist in the file.)
Configure DBMS and/or operating system to use cryptographic mechanisms to prevent unauthorized disclosure of information during transmission where physical measures are not being utilized.
Review the PPSM Technical Assurance List to acquire an up-to-date list of network protocols deemed nonsecure. (For definitive information on Ports, Protocols, and Services Management (PPSM), refer to https://cyber.mil/ppsm/) Review DBMS settings to determine if the database is utilizing any network protocols deemed nonsecure. If the DBMS is not using any network protocols deemed nonsecure, this is not a finding. If the database is utilizing protocols specified as nonsecure in the PPSM, verify the protocols are explicitly identified in the System Security Plan (SSP) and that they are in support of specific operational requirements. If they are not identified in the SSP or are not supporting specific operational requirements, this is a finding. If nonsecure network protocols are not being used but are not disabled in the DBMS's configuration, this is a finding. After determining the site-specific operational requirements and the protocols explicitly defined in the SSP, check the $TNS_ADMIN setting for the location of the Oracle listener.ora file. The listener.ora file is a configuration file for Oracle Net Listener that identifies the following: A unique name for the listener, typically LISTENER A protocol address that it is accepting connection requests on, and A service it is listening for. If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed nonsecure, that is a finding. LISTENER= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))) SID_LIST_LISTENER= (SID_LIST= (SID_DESC= (GLOBAL_DBNAME=sales.us.example.com) (ORACLE_HOME=/oracle12c) (SID_NAME=sales)) (SID_DESC= (SID_NAME=plsextproc) (ORACLE_HOME=/oracle12c) (PROGRAM=extproc))) Protocol Parameters The Oracle Listener and the Oracle Connection Manager are identified by protocol addresses. The information below contains the "Protocol-Specific Parameters" used by the Oracle protocol support. Protocol-Specific Parameters Protocol: IPC Parameter: PROTOCOL Notes: Specify ipc as the value. Protocol: IPC Parameter: KEY Notes: Specify a unique name for the service. Oracle recommends using the service name or SID of the service. Example: (PROTOCOL=ipc)(KEY=sales) Protocol: Named Pipes Parameter: PROTOCOL Notes: Specify nmp as the value. Protocol: Named Pipes Parameter: SERVER Notes: Specify the name of the Oracle server. Protocol: Named Pipes Parameter: PIPE Notes: Specify the pipe name used to connect to the database server. This is the same PIPE keyword specified on the server with Named Pipes. This name can be any name. Example: (Protocol=nmp) (SERVER=USDOD) (PIPE=dbpipe01) Protocol: SDP Parameter: PROTOCOL Notes: Specify sdp as the value. Protocol: SDP Parameter: HOST Notes: Specify the host name or IP address of the computer. Protocol: SDP Parameter: PORT Notes: Specify the listening port number. Example: (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521) (PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521) Protocol: TCP/IP Parameter: PROTOCOL Notes: Specify TCP as the value. Protocol: TCP/IP Parameter: HOST Notes: Specify the host name or IP address of the computer. Protocol: TCP/IP Parameter: PORT Notes: Specify the listening port number. Example: (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521) (PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521) Protocol: TCP/IP with TLS Parameter: PROTOCOL Notes: Specify tcps as the value. Protocol: TCP/IP with TLS Parameter: HOST Notes: Specify the host name or IP address of the computer. Protocol: TCP/IP with TLS Parameter: PORT Notes: Specify the listening port number. Example:(PROTOCOL=tcps)(HOST=sales-server) (PORT=2484) (PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)
Disable any network protocol listed as nonsecure in the PPSM documentation. To disable the protocol deemed not secure, stop the listener by issuing the following command as the Oracle Software owner, typically Oracle: $ lsnrctl stop This will stop the listener. Edit the LISTENER.ORA file and remove the protocols deemed not secure and restart the listener. For example, if TCP was deemed as not secure, the listener.ora would need to be changed and the tcp entry would need to be removed. That would only allow the listener to listen for an IPC connection. LISTENER= (DESCRIPTION= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) - remove this line and properly balance the parentheses - (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))) SID_LIST_LISTENER= (SID_LIST= (SID_DESC= (GLOBAL_DBNAME=sales.us.example.com) (ORACLE_HOME=/oracle12c) (SID_NAME=sales)) (SID_DESC= (SID_NAME=plsextproc) (ORACLE_HOME=/oracle12c) (PROGRAM=extproc))) Revise the client side TNSNAMES.ORA to align the PROTOCOL value in the PROTOCOL portion of the connect string. For example, if TCP was deemed as not secure and the listener.ora was changed to listen for an IPC connection the code below would be required: net_service_name= (DESCRIPTION= (ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521)) (ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521)) (CONNECT_DATA= (SERVICE_NAME=sales.us.example.com)))
: If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding. If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism and not by Oracle, this is not a finding. If using the database to identify temporary accounts, and temporary accounts exist, there should be a temporary profile. If a profile for temporary accounts cannot be identified, this is a finding. To check for a temporary profile, run the scripts below: To obtain a list of profiles: SELECT PROFILE#, NAME FROM SYS.PROFNAME$; To obtain a list of users assigned a given profile (TEMPORARY_USERS, in this example): SELECT USERNAME, PROFILE FROM SYS.DBA_USERS WHERE PROFILE = 'TEMPORARY_USERS' ORDER BY USERNAME;
Use a profile with a distinctive name (for example, TEMPORARY_USERS), so that temporary users can be easily identified. Whenever a temporary user account is created, assign it to this profile. To enable resource limiting via profiles, use the SQL statement: ALTER SYSTEM SET RESOURCE_LIMIT = TRUE; Set values in the profile as needed for temporary users - see below for further information. The values here are examples; set them to values appropriate to the situation: CREATE PROFILE TEMPORARY_USERS LIMIT SESSIONS_PER_USER <limit> CPU_PER_SESSION <limit> CPU_PER_CALL <limit> CONNECT_TIME <limit> LOGICAL_READS_PER_SESSION DEFAULT LOGICAL_READS_PER_CALL <limit> PRIVATE_SGA <limit> COMPOSITE_LIMIT <limit> FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LIFE_TIME 7 PASSWORD_REUSE_TIME 60 PASSWORD_REUSE_MAX 5 PASSWORD_VERIFY_FUNCTION ORA12c_STRONG_VERIFY_FUNCTION PASSWORD_LOCK_TIME UNLIMITED PASSWORD_GRACE_TIME 3; CREATE USER <username> IDENTIFIED BY <password> PROFILE TEMPORARY_USERS; Resource Parameters: COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in service units. Oracle Database calculates the total service units as a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA. SESSIONS_PER_USER - Specify the number of concurrent sessions to limit the user to. CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in hundredths of seconds. CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds. LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in a session, including blocks read from memory and disk. LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch). PRIVATE_SGA - Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA). Refer to size_clause for information on that clause. CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in minutes. IDLE_TIME - Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit. COMPOSITE_LIMIT - See Oracle documentation for more details. Password Parameters Use the following clauses to set password parameters. Parameters that set lengths of time are interpreted in number of days. For testing purposes, specify minutes (n/1440) or even seconds (n/86400). FAILED_LOGIN_ATTEMPTS - Specify the number of failed attempts to log on to the user account before the account is locked. If omitting this clause, then the default is 10 times. PASSWORD_LIFE_TIME - Specify the number of days the same password can be used for authentication. If setting a value for PASSWORD_GRACE_TIME, then the password expires if it is not changed within the grace period, and further connections are rejected. If omitting this clause, then the default is 180 days. PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX - These two parameters must be set in conjunction with each other. PASSWORD_REUSE_TIME specifies the number of days before which a password cannot be reused. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, specify an integer for both of them. If specifying a value for both of these parameters, then the user cannot reuse a password until the password has been changed the number of times specified for PASSWORD_REUSE_MAX during the number of days specified for PASSWORD_REUSE_TIME. For example, if specifying PASSWORD_REUSE_TIME to 30 and PASSWORD_REUSE_MAX to 10, then the user can reuse the password after 30 days if the password has already been changed 10 times. If specifying a value for either of these parameters and specify UNLIMITED for the other, then the user can never reuse a password. If specifying DEFAULT for either parameter, then Oracle Database uses the value defined in the DEFAULT profile. By default, all parameters are set to UNLIMITED in the DEFAULT profile. If the default setting of UNLIMITED in the DEFAULT profile has not changed, then the database treats the value for that parameter as UNLIMITED. If setting both of these parameters to UNLIMITED, then the database ignores both of them. This is the default if omitting both parameters. PASSWORD_LOCK_TIME - Specify the number of days an account will be locked after the specified number of consecutive failed logon attempts. If omitting this clause, then the default is 1 day. PASSWORD_GRACE_TIME - Specify the number of days after the grace period begins during which a warning is issued and logon is allowed. If omitting this clause, then the default is 7 days. PASSWORD_VERIFY_FUNCTION - The PASSWORD_VERIFY_FUNCTION clause lets a PL/SQL password complexity verification script be passed as an argument to the CREATE PROFILE statement. Oracle Database provides a default script, but can create your own routine or use third-party software instead.
If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding. If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. Check DBMS settings, OS settings, and/or enterprise-level authentication/access mechanisms settings to determine if the site utilizes a mechanism whereby temporary are terminated after a 72 hour time period. If not, this is a finding.
If using database mechanisms to satisfy this requirement, use a profile with a distinctive name (for example, TEMPORARY_USERS), so that temporary users can be easily identified. Whenever a temporary user account is created, assign it to this profile. Create a job to lock accounts under this profile that are more than 72 hours old.
Check DBMS settings to determine if users are able to assign and revoke rights to the objects and information that they own. If users cannot assign or revoke rights to the objects and information that they own to groups, roles, or individual users, this is a finding.
Modify DBMS settings to allow users to assign or revoke access rights to objects and information owned by the user. The ability to grant or revoke rights must include the ability to grant or revoke those rights down to the granularity of a single user. (Note: In most cases, no fix will be necessary. This is default functionality for Oracle.)
Review procedures for providing database connection information to users/user workstations. If procedures do not indicate or implement restrictions to connections required by the particular user, this is a finding. Note: This check is specific for the DBMS host system and not directed at client systems (client systems are included in the Application STIG/Checklist); however, detection of unauthorized client connections to the DBMS host system obtained through log files should be performed regularly and documented where authorized.
Implement procedures to supply database connection information to only those databases authorized for the user.
Check the production system to ensure no developer accounts have rights to modify the production database structure or alter production data. If developer accounts with these rights exist, ask for documentation that shows these accounts have formal approval and risk acceptance. If this documentation does not exist, this is a finding. If developer accounts exist with the right to create and maintain tables (or other database objects) in production tablespaces, this is a finding.
Restrict developer privileges to production objects to only objects and data where those privileges are required and authorized. Document the approval and risk acceptance. Consider using separate accounts for a person's developer duties and production duties. At a minimum, use separate roles for developer privileges and production privileges. If developers need the ability to create and maintain tables (or other database objects) as part of their development activities, provide dedicated tablespaces, and revoke any rights that allowed them to use production tablespaces for this purpose.
Identify whether any hosts contain both development and production databases. If no hosts contain both production and development databases, this is NA. For any host containing both a development and a production database, determine if developers have been granted elevated privileges on the production database or on the OS. If they have, ask for documentation that shows these accounts have formal approval and risk acceptance. If this documentation does not exist, this is a finding. If developer accounts exist with the right to create and maintain tables (or other database objects) in production tablespaces, this is a finding. (Where applicable, to check the number of instances on the host machine, check the /etc/oratab. The /etc/oratab file is updated by the Oracle Installer when the database is installed when the root.sh file is executed. Each line in the represents an ORACLE_SID:ORACLE_HOME:Y or N. The ORACLE_SID and ORACLE_HOME are self-explanatory. The Y or N signals the DBSTART program to automatically start or not start that specific instance when the machine is restarted. Check with the system owner and application development team to see what each entry represents. If a system is deemed to be a production system, review the system for development users.)
Restrict developer privileges to production objects to only objects and data where those privileges are required and authorized. Document the approval and risk acceptance. Consider using separate accounts for a person's developer duties and production duties. At a minimum, use separate roles for developer privileges and production privileges. If developers need the ability to create and maintain tables (or other database objects) as part of their development activities, provide dedicated tablespaces, and revoke any rights that allowed them to use production tablespaces for this purpose.
Review user privileges to system tables and configuration data stored in the Oracle database. If non-DBA users are assigned privileges to access system tables and tables containing configuration data, this is a finding. To obtain a list of users and roles that have been granted access to any dictionary table, run the query: SELECT unique grantee from dba_tab_privs where table_name in (select table_name from dictionary) order by grantee; To obtain a list of dictionary tables and assigned privileges granted to a specific user or role, run the query: SELECT grantee, table_name, privilege from dba_tab_privs where table_name in (select table_name from dictionary) and grantee = '<applicable account>';
Restrict accessibility of Oracle system tables and other configuration information or metadata to DBAs or other authorized users.
Review accounts for direct assignment of administrative privileges. Connected as SYSDBA, run the query: SELECT grantee, privilege FROM dba_sys_privs WHERE grantee IN ( SELECT username FROM dba_users WHERE username NOT IN ( 'XDB', 'SYSTEM', 'SYS', 'LBACSYS', 'DVSYS', 'DVF', 'SYSMAN_RO', 'SYSMAN_BIPLATFORM', 'SYSMAN_MDS', 'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP', 'SYSMAN', 'APEX_040200', 'WMSYS', 'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER', 'OLAPSYS', 'SI_INFORMTN_SCHEMA', 'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS', 'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS', 'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES', 'DIP', 'CTXSYS', 'AUDSYS', 'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS', 'SPATIAL_CSW_ADMIN_USR', 'SYSKM', 'SYSMAN_TYPES', 'MGMT_VIEW', 'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM' ) ) AND privilege NOT IN ('UNLIMITED TABLESPACE' , 'REFERENCES', 'INDEX', 'SYSDBA', 'SYSOPER' ) ORDER BY 1, 2; If any administrative privileges have been assigned directly to a database account, this is a finding. (The list of special accounts that are excluded from this requirement may not be complete. It is expected that the DBA will edit the list to suit local circumstances, adding other special accounts as necessary, and removing any that are not supposed to be in use in the Oracle deployment that is under review.)
Create roles for administrative function assignments. Assign the necessary privileges for the administrative functions to a role. Do not assign administrative privileges directly to users, except for those that Oracle does not permit to be assigned via roles.
Review permissions for objects owned by DBA or other administrative accounts. If any objects owned by administrative accounts can be accessed by non-DBA/non-administrative users, either directly or indirectly, this is a finding. Verify DBAs have separate administrative accounts. If DBAs do not have a separate account for database administration purposes, this is a finding. To list all objects owned by an administrative account that have had access granted to another account, run the query: SELECT grantee, table_name, grantor, privilege, type from dba_tab_privs where owner= '<applicable account>';
Revoke DBA privileges, and privileges to administer DBA-owned objects, from non-DBA accounts. Provide separate accounts to DBA for database administration.
Determine which OS accounts are used by the DBMS to run external procedures. Validate that these OS accounts have only the privileges necessary to perform the required functionality. If any OS accounts, utilized by the database for running external procedures, have privileges beyond those required for running the external procedures, this is a finding. If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications. External jobs are run using the account nobody by default. Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=. If the user assigned to these parameters is not "nobody", this is a finding. System views providing privilege information are: DBA_SYS_PRIVS DBA_TAB_PRIVS DBA_ROLE_PRIVS
Limit privileges to DBMS-related OS accounts to those required to perform their DBMS specific functionality.
The account lockout duration is defined in the profile assigned to a user. To see what profile is assigned to a user, enter the query: SQL>SELECT profile FROM dba_users WHERE username = '<username>' This will return the profile name assigned to that user. The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle 12.1.0.2) to satisfy the STIG requirements pertaining to the profile parameters. Oracle recommends that this profile be customized with any site-specific requirements and assigned to all users where applicable. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity. Now check the values assigned to the profile returned from the query above: column profile format a20 column limit format a20 SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE = 'ORA_STIG_PROFILE'; Check the settings for password_lock_time - this specifies how long to lock the account after the number of consecutive failed logon attempts reaches the limit. If the value is not UNLIMITED, this is a finding.
Configure the DBMS settings to specify indefinite lockout duration: ALTER PROFILE ORA_STIG_PROFILE LIMIT PASSWORD_LOCK_TIME UNLIMITED;
The limit on the number of consecutive failed logon attempts is defined in the profile assigned to a user. Check the FAILED_LOGIN_ATTEMPTS value assigned to the profiles returned from this query: SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES; Check the setting for FAILED_LOGIN_ATTEMPTS - this is the number of consecutive failed logon attempts before locking the Oracle user account. If the value is greater than three on any of the profiles, this is a finding.
Configure the DBMS setting to specify the maximum number of consecutive failed logon attempts to three (or less): ALTER PROFILE {PROFILE_NAME} LIMIT FAILED_LOGIN_ATTEMPTS 3; (ORA_STIG_PROFILE is available in DBA_PROFILES, starting with Oracle 12.1.0.2. Note: It remains necessary to create a customized replacement for the password validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this technique to verify password complexity.)
Verify the DBMS has the ability to grant permissions without the grantee receiving the right to grant those same permissions to another user. Review organization policies regarding access propagation. If an access propagation policy limiting the propagation of rights does not exist, this is a finding. Review DBMS configuration to verify access propagation policies are enforced by the DBMS as configured. If the DBMS does not enforce the access propagation policy, this is a finding.
Create and document an access propagation policy that limits the propagation of rights. Configure the DBMS to enforce the access propagation policy. When a user is granted access to an object, they have access to the object. When a user is granted access to an object with the GRANT option, then they can provide permissions to others. Without the GRANT option, a user cannot grant access to an object. No configuration is required.
Check DBMS settings and documentation to determine if users are able to assign and revoke rights to the objects and information they own. If users cannot assign or revoke rights to the objects and information they own to the granularity of a single user, this is a finding. (This is default Oracle behavior.)
Modify DBMS settings to allow users to assign or revoke access rights to objects and information owned by the user. The ability to grant or revoke rights must include the ability to grant or revoke those rights down to the granularity of a single user. (This is default Oracle behavior.)
Review DBMS, OS, or third-party logging application settings to determine whether a warning will be provided when a specific percentage of log storage capacity is reached. If no warning will be provided, this is a finding.
Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached. For ease of management, it is recommended that the audit tables be kept in a dedicated tablespace. If Oracle Enterprise Manager is in use, the capability to issue such an alert is built in and configurable via the console so an email can be sent to a designated administrator. If Enterprise Manager is unavailable, the following script can be used to monitor storage space; this can be combined with additional code to email the appropriate administrator so they can take action. sqlplus connect as sysdba set pagesize 300 set linesize 120 column sumb format 9,999,999,999,999 column extents format 999999 column bytes format 9,999,999,999,999 column largest format 9,999,999,999,999 column Tot_Size format 9,999,999,999,999 column Tot_Free format 9,999,999,999,999 column Pct_Free format 9,999,999,999,999 column Chunks_Free format 9,999,999,999,999 column Max_Free format 9,999,999,999,999 set echo off spool TSINFO.txt PROMPT SPACE AVAILABLE IN TABLESPACES select a.tablespace_name,sum(a.tots) Tot_Size, sum(a.sumb) Tot_Free, sum(a.sumb)*100/sum(a.tots) Pct_Free, sum(a.largest) Max_Free,sum(a.chunks) Chunks_Free from ( select tablespace_name,0 tots,sum(bytes) sumb, max(bytes) largest,count(*) chunks from dba_free_space a group by tablespace_name union select tablespace_name,sum(bytes) tots,0,0,0 from dba_data_files group by tablespace_name) a group by a.tablespace_name; Sample Output SPACE AVAILABLE IN TABLESPACES TABLESPACE_NAME TOT_SIZE TOT_FREE PCT_FREE MAX_FREE CHUNKS_FREE ------------------------ ------------ ------------ ------------ ------------ ------------ DES2 41,943,040 30,935,040 74 30,935,040 1 DES2_I 31,457,280 23,396,352 74 23,396,352 1 RBS 60,817,408 57,085,952 94 52,426,752 16 SYSTEM 94,371,840 5,386,240 6 5,013,504 3 TEMP 563,200 561,152 100 133,120 5 TOOLS 120,586,240 89,407,488 74 78,190,592 12 USERS 1,048,576 26,624 3 26,624 1
Review Oracle Corp., OS, or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason. If real-time alerts are not sent upon auditing failure, this is a finding.
Configure logging software to send a real-time alert to appropriate personnel when auditing fails for any reason. (Oracle recommends the use of Oracle Enterprise Manager.)
Review DBMS settings and vendor documentation to ensure the database supports and does not interfere with enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself. If the DBMS software in any way restricts the implementation of logical access controls implemented to protect its integrity or availability, this is a finding.
Configure the DBMS to allow implementation of logical access restrictions aimed at protecting the DBMS from unauthorized changes to its configuration and to the database itself. - - - - - When the Oracle Database is installed on a Unix-like operating system, the required umask is 022, and the file permissions are set so that any modifications to the startup files can only be performed by the owner of the software, a member of the group DBA, or the root user. Changing the umask has caused problems when patching the environment. If changes are to be made, they should be reverted to the status they were in before the modification for patching and upgrades.
Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as recorded in the system documentation. If backup procedures do not exist or are not implemented in accordance with the procedures, this is a finding. - - - - - The Oracle recommended process for backup and recovery is Oracle RMAN. If Oracle RMAN is deployed, execute the following commands to ensure that the evidence of the implementation of the backup policy includes validating that the files are restorable: Validating Database Files with BACKUP VALIDATE --Use the BACKUP VALIDATE command to do the following: --Check datafiles for physical and logical block corruption --Confirm that all database files exist and are in the correct locations --When BACKUP VALIDATE is run, RMAN reads the files to be backed up in their entirety, as it would during a real backup. RMAN does not, however, actually produce any backup sets or image copies. --Cannot use the BACKUPSET, MAXCORRUPT, or PROXY parameters with BACKUP VALIDATE. --To validate files with the BACKUP VALIDATE command: 1. Start RMAN and connect to a target database and recovery catalog (if used). 2. Run the BACKUP VALIDATE command. For example, can validate that all database files and archived logs can be backed up by running a command as shown in the following example. This command checks for physical corruptions only. BACKUP VALIDATE DATABASE ARCHIVELOG ALL; To check for logical corruptions in addition to physical corruptions, run the following variation of the preceding command: BACKUP VALIDATE CHECK LOGICAL DATABASE ARCHIVELOG ALL; In the preceding examples, the RMAN client displays the same output that it would if it were really backing up the files. If RMAN cannot back up one or more of the files, then it issues an error message. Validating Backups Before Restoring Them Run RESTORE ... VALIDATE to test whether RMAN can restore a specific file or set of files from a backup. RMAN chooses which backups to use. The database must be mounted or open for this command. Do not have to take datafiles off-line when validating the restore of datafiles, because validation of backups of the datafiles only reads the backups and does not affect the production datafiles. When validating files on disk or tape, RMAN reads all blocks in the backup piece or image copy. RMAN also validates off-site backups. The validation is identical to a real restore operation except that RMAN does not write output files. To validate backups with the RESTORE command: 1. Run the RESTORE command with the VALIDATE option. This following example illustrates validating the restore of the database and all archived redo logs: RESTORE DATABASE VALIDATE; RESTORE ARCHIVELOG ALL VALIDATE; If an RMAN error stack is not generated, then skip the subsequent steps. The lack of error messages means that RMAN had confirmed that it can use these backups successfully during a real restore and recovery. 2. If error messages are seen in the output and one is the RMAN-06026 message, then investigate the cause of the problem. If possible, correct the problem that is preventing RMAN from validating the backups and retry the validation. The following error means that RMAN cannot restore one or more of the specified files from available backups: RMAN-06026: some targets not found - aborting restore The following sample output shows that RMAN encountered a problem reading the specified backup: RMAN-03009: failure of restore command on c1 channel at 12-DEC-14 23:22:30 ORA-19505: failed to identify file "oracle/dbs/1fafv9gl_1_1" ORA-27037: unable to obtain file status SVR4 Error: 2: No such file or directory Additional information: 3
Develop, document, and implement database backup procedures.
Review the testing and verification procedures documented in the system documentation. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic form or hardcopy and may include email or other notification. If testing and verification of backup and recovery procedures is not documented in the system documentation, this is a finding. If evidence of testing and verification of backup and recovery procedures does not exist, this is a finding.
Develop, document, and implement testing and verification procedures for database backup and recovery. Include requirements for documenting database backup and recovery testing and verification activities in the procedures.
Review file protections assigned to online backup and restoration files. Review access protections and procedures for off-line backup and restoration files. If backup or restoration files are subject to unauthorized access, this is a finding. It may be necessary to review backup and restoration procedures to determine ownership and access during all phases of backup and recovery.
Implement protection for backup and restoration files. Document personnel and the level of access authorized for each to the backup and restoration files in the system documentation.
If all user accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether user accounts are required to use multifactor authentication. If user accounts are not required to use multifactor authentication, this is a finding. If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Refer to the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS) SSL_VERSION = 1.2 SSL_CLIENT_AUTHENTICATION = TRUE WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets) ) ) SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384) ADR_BASE = /u01/app/oracle
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for user accounts. If appropriate, enable support for TLS protocols and multifactor authentication through the use of smart cards (CAC/PIV). Oracle Database is capable of being configured to integrate users with an enterprise-level authentication/access mechanism. The directions are in the Oracle Database Security Guide, Section 6: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/database-security-guide.pdf This section will give detailed step-by-step directions to configure authentication using PKI certificates for centrally managed users by configuring SSL in the Oracle database and integrating with LDAP.
Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether shared accounts exist. If group accounts do not exist, this is NA. Review DBMS settings to determine if individual authentication is required before shared authentication. If shared authentication does not require prior individual authentication, this is a finding. (Oracle Access Manager may be helpful in meeting this requirement. Notes on Oracle Access Manager follow.) Oracle Access Manager is used when there is a need for multifactor authentication of applications front-ending Oracle Datasets that may use group accounts. Oracle Access Manager supports using PKI-based smart cards (CAC, PIV) for multifactor authentication. When a user authenticates to a smart card application, the smart card engine produces a certificate-based authentication token. Can configure a certificate-based authentication scheme in Oracle Access Manager that uses information from the smart card certificate. Certificate-based authentication works with any smart card or similar device that presents an X.509 certificate. Check: First, check that the Authentication Module is set up properly: 1) Go to Oracle Access Manager Home Screen and click the Policy Configuration tab. Select the X509Scheme. 2) Make sure the Authentication Module option is set to X509Plugin. Second, check that the Authentication policy is using the x509Scheme: 1) Go to Oracle Access Manager Home Screen and click the Policy Configuration tab. 2) Select Application Domains. Select Search. 3) Select the application domain protecting the Oracle Database. 4) Select the Authentication Polices tab and Click Protected Resource Policy. 5) Make sure the Authentication Scheme is set to x509Scheme.
Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require individual authentication prior to authentication for shared account access. If appropriate, install Oracle Access Manager to provide multifactor authentication of applications front-ending Oracle Databases and using shared accounts. After installation, use x509 Authentication modules provided out of the box.
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For accounts managed by Oracle, check DBMS settings to determine if accounts are automatically disabled by the system after 35 days of inactivity. In Oracle 12c, Oracle introduced a new security parameter in the profile called INACTIVE_ACCOUNT_TIME. The INACTIVE_ACCOUNT_TIME parameter specifies the number of days permitted the account will be in OPEN state since the last login, after that will be LOCKED if no successful logins happens after the specified duration. Check to see what profile each user is associated with, if any, with this query: select username, profile from dba_users order by 1,2; Then check the profile to see what the inactive_account_time is set to in the table dba_profiles; the inactive_account_time is a value stored in the LIMIT column, and identified by the value inactive_account_time in the RESOURCE_NAME column. SQL>select profile, resource_name, resource_type, limit from dba_profiles where upper(resource_name) = 'INACTIVE_ACCOUNT_TIME'; If the INACTIVE_ACCOUNT_TIME parameter is set to UNLIMITED (default) or it is set to more than 35 days, this is a finding. If INACTIVE_ACCOUNT_TIME is not a parameter associated with the profile then check for a script or an automated job that is run daily that checks the audit trail or other means to make sure every user account has logged in within the last 35 days. If one is not present, this is a finding.
For accounts managed by Oracle, issue the statement: ALTER PROFILE profile_name LIMIT inactive_account_time 35; Or Change the profile for the DBMS account to ORA_STIG_PROFILE (which has the inactive_account_time parameter set to 35): ALTER USER user_name PROFILE ora_stig_profile; An alternate method is to create a script or store procedure that runs once a day. Write a SQL statement to determine accounts that have not logged in within 35 days: Example: select username from dba_audit_trail where action_name = 'LOGON' group by username having max(timestamp) < sysdate - 36 And then disable all accounts that have not logged in within 35 days.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the DOD-defined minimum length (15 unless otherwise specified), this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password reuse rule, if any, that is in effect: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME') [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE, RESOURCE_NAME; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the value of the PASSWORD_REUSE_MAX effective for each profile. If, for any profile, the PASSWORD_REUSE_MAX value does not enforce the DOD-defined minimum number of password changes before a password may be repeated (five or greater), this is a finding. PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so if both are UNLIMITED, this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, for each profile, set the PASSWORD_REUSE_MAX to enforce the DOD-defined minimum number of password changes before a password may be repeated (five or greater). PASSWORD_REUSE_MAX is effective if and only if PASSWORD_REUSE_TIME is specified, so ensure also that it has a meaningful value. Since the minimum password lifetime is one day, the smallest meaningful value is the same as the PASSWORD_REUSE_MAX value. Using PPPPPP as an example, the statement to do this is: ALTER PROFILE PPPPPP LIMIT PASSWORD_REUSE_MAX 5 PASSWORD_REUSE_TIME 5;
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the organization-defined minimum number of uppercase characters (one, unless otherwise specified), this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the organization-defined minimum number of lowercase characters (one, unless otherwise specified), this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the organization-defined minimum number of numeric characters (one, unless otherwise specified), this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the organization-defined minimum number of special characters (one, unless otherwise specified), this is a finding.
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, no fix to the DBMS is required. If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are managed and authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. For each profile that can be applied to accounts where authentication is under Oracle's control, determine the password verification function, if any, that is in use: SELECT * FROM SYS.DBA_PROFILES WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION' [AND PROFILE NOT IN (<list of non-applicable profiles>)] ORDER BY PROFILE; Bearing in mind that a profile can inherit from another profile, and the root profile is called DEFAULT, determine the name of the password verification function effective for each profile. If, for any profile, the function name is null, this is a finding. For each password verification function, examine its source code. If it does not enforce the organization-defined minimum number of characters by which the password must differ from the previous password (eight characters unless otherwise specified), this is a finding.
If any user accounts are managed by Oracle, develop, test, and implement a password verification function that enforces DOD requirements. Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION. This can be used as the starting point for a customized function. The script file is found in the following location on the server depending on OS: Windows: %ORACLE_HOME%\RDBMS\ADMIN\catpvf.sql UNIX/Linux: $ORACLE_HOME/rdbms/admin/catpvf.sql
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding. Where accounts are authenticated using passwords, review procedures and implementation evidence for creation of temporary passwords. If the procedures or evidence do not exist or do not enforce passwords to meet DOD password requirements, this is a finding.
Implement procedures for assigning temporary passwords to user accounts. Procedures should include instructions to meet current DOD password length and complexity requirements and provide a secure method to relay the temporary password to the user.
Review application source code required to be encoded or encrypted for database accounts used by applications or batch jobs to access the database. Review source batch job code prior to compiling, encoding, or encrypting for database accounts used by applications or the batch jobs themselves to access the database. Determine if the compiled, encoded, or encrypted application source code or batch jobs contain passwords used for authentication to the database. If any of the identified compiled, encoded, or encrypted application source code or batch job code do contain passwords used for authentication to the database, this is a finding. - - - - - The check would depend on the information provided by the DBA. In a default Oracle installation, all passwords are stored in an encrypted manner. Ask the DBA if they have created an External Password Store for applications, batch jobs, and scripts to use. Secure External Password Store Can store password credentials for connecting to databases by using a client-side Oracle wallet. An Oracle wallet is a secure software container that stores authentication and signing credentials. This wallet usage can simplify large-scale deployments that rely on password credentials for connecting to databases. When this feature is configured, application code, batch jobs, and scripts no longer need embedded user names and passwords. This reduces risk because the passwords are no longer exposed, and password management policies are more easily enforced without changing application code whenever user names or passwords change. The external password store of the wallet is separate from the area where public key infrastructure (PKI) credentials are stored. Consequently, cannot use Oracle Wallet Manager to manage credentials in the external password store of the wallet. Instead, use the command-line utility mkstore to manage these credentials. How Does the External Password Store Work? Typically, users (and as applications, batch jobs, and scripts) connect to databases by using a standard CONNECT statement that specifies a database connection string. This string can include a user name and password, and an Oracle Net service name identifying the database on an Oracle Database network. If the password is omitted, the connection prompts the user for the password. For example, the service name could be the URL that identifies that database, or a TNS alias entered in the tnsnames.ora file in the database. Another possibility is a host:port:sid string. The following examples are standard CONNECT statements that could be used for a client that is not configured to use the external password store: CONNECT salesapp@sales_db.us.example.com Enter password: password CONNECT salesapp@orasales Enter password: password CONNECT salesapp@ourhost37:1527:DB17 Enter password: password In these examples, salesapp is the user name, with the unique connection string for the database shown as specified in three different ways. Could use its URL sales_db.us.example.com, or its TNS alias, orasales, from the tnsnames.ora file, or its host:port:sid string. However, when clients are configured to use the secure external password store, applications can connect to a database with the following CONNECT statement syntax, without specifying database logon credentials: CONNECT /@db_connect_string CONNECT /@db_connect_string AS SYSDBA CONNECT /@db_connect_string AS SYSOPER In this specification, db_connect_string is a valid connection string to access the intended database, such as the service name, URL, or alias as shown in the earlier examples. Each user account must have its own unique connection string; cannot create one connection string for multiple users. In this case, the database credentials, user name and password, are securely stored in an Oracle wallet created for this purpose. The autologon feature of this wallet is turned on, so the system does not need a password to open the wallet. From the wallet, it gets the credentials to access the database for the user they represent.
Design DBMS application code and batch job code that is compiled, encoded or encrypted, to NOT contain passwords. - - - - - Oracle provides the capability to provide for a secure external password facility. Use the Oracle mkstore to create a secure storage area for passwords for applications, batch jobs, and scripts to use or deploy a site-authorized facility to perform this function. Check to see what has been stored in the Oracle External Password Store To view all contents of a client wallet external password store, check specific credentials by viewing them. Listing the external password store contents provides information can use to decide whether to add or delete credentials from the store. To list the contents of the external password store, enter the following command at the command line: $ mkstore -wrl wallet_location -listCredential For example: $ mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -listCredential The wallet_location specifies the path to the directory where the wallet, whose external password store contents is to be viewed, is located. This command lists all of the credential database service names (aliases) and the corresponding user name (schema) for that database. Passwords are not listed. Configuring Clients to Use the External Password Store If the client is already configured to use external authentication, such as Windows native authentication or Transport Layer Security (TLS), then Oracle Database uses that authentication method. The same credentials used for this type of authentication are typically also used to log on to the database. For clients not using such authentication methods or wanting to override them for database authentication, can set the SQLNET.WALLET_OVERRIDE parameter in sqlnet.ora to TRUE. The default value for SQLNET.WALLET_OVERRIDE is FALSE, allowing standard use of authentication credentials as before. If wanting a client to use the secure external password store feature, then perform the following configuration task: 1. Create a wallet on the client by using the following syntax at the command line: mkstore -wrl wallet_location -create For example: mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -create Enter password: password The wallet_location is the path to the directory where the wallet is to be created and stored. This command creates an Oracle wallet with the autologon feature enabled at the location specified. The autologon feature enables the client to access the wallet contents without supplying a password. The mkstore utility -create option uses password complexity verification. 2. Create database connection credentials in the wallet by using the following syntax at the command line: mkstore -wrl wallet_location -createCredential db_connect_string username Enter password: password For example: mkstore -wrl c:\oracle\product\12.1.0\db_1\wallets -createCredential oracle system Enter password: password In this specification: The wallet_location is the path to the directory where the wallet was created. The db_connect_string used in the CONNECT /@db_connect_string statement must be identical to the db_connect_string specified in the -createCredential command. The db_connect_string is the TNS alias used to specify the database in the tnsnames.ora file or any service name used to identify the database on an Oracle network. By default, tnsnames.ora is located in the $ORACLE_HOME/network/admin directory on UNIX systems and in ORACLE_HOME\network\admin on Windows. The username is the database logon credential. When prompted, enter the password for this user. 3. In the client sqlnet.ora file, enter the WALLET_LOCATION parameter and set it to the directory location of the wallet created in Step 1. For example, if the wallet was created in $ORACLE_HOME/network/admin and Oracle home is set to /private/ora12, then need to enter the following into your client sqlnet.ora file: WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) 4. In the client sqlnet.ora file, enter the SQLNET.WALLET_OVERRIDE parameter and set it to TRUE as follows: SQLNET.WALLET_OVERRIDE = TRUE setting causes all CONNECT /@db_connect_string statements to use the information in the wallet at the specified location to authenticate to databases. When external authentication is in use, an authenticated user with such a wallet can use the CONNECT /@db_connect_string syntax to access the previously specified databases without providing a user name and password. However, if a user fails that external authentication, then these connect statements also fail. Below is a sample sqlnet.ora file with the WALLET_LOCATION and the SQLNET.WALLET_OVERRIDE parameters set as described in Steps 3 and 4. Below is a sample SQLNET.ORA File with Wallet Parameters Set WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = /private/ora12/network/admin) ) ) SQLNET.WALLET_OVERRIDE = TRUE SSL_CLIENT_AUTHENTICATION = FALSE SSL_VERSION = 1.2 (Note: this assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file, "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently-located sqlnet.ora files.)
If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism and not by Oracle, this is not a finding. Review DBMS settings to determine if passwords must be changed periodically. Run the following script: SELECT p1.profile, CASE DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE CASE DECODE(p2.limit, 'DEFAULT', p4.limit, p2.limit) WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit, 'DEFAULT', p4.limit, p2.limit)) END END effective_life_time FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4 WHERE p1.profile=p2.profile AND p3.profile='DEFAULT' AND p4.profile='DEFAULT' AND p1.resource_name='PASSWORD_LIFE_TIME' AND p2.resource_name='PASSWORD_GRACE_TIME' AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile order by 1; If the EFFECTIVE_LIFE_TIME is greater than 60 for any profile applied to user accounts, and the need for this has not been documented and approved by the information system security officer (ISSO), this is a finding. If PASSWORD_LIFE_TIME or PASSWORD_GRACE_TIME is set to "UNLIMITED", this is a finding.
For user accounts managed by Oracle, modify DBMS settings to force users to periodically change their passwords. For example, using "PPPPPP" to stand for a profile name: ALTER PROFILE PPPPPP LIMIT PASSWORD_LIFE_TIME 35 PASSWORD_GRACE_TIME 0; Do this for each profile applied to user accounts. Note: Although the DOD requirement is for a password change every 60 days, using a value of 35 facilitates the use of PASSWORD_LIFE_TIME as a means of locking accounts inactive for 35 days. But if 35 is not a practical or acceptable limit for password lifetime, set it to the standard DOD value of 60. Where a password lifetime longer than 60 is needed, document the reasons and obtain ISSO approval.
Review DBMS settings, OS settings, and vendor documentation to verify network connections are terminated when a database communications session is ended or after 15 minutes of inactivity. If the network connection is not terminated, this is a finding. The defined duration for these timeouts 15 minutes, except to fulfill documented and validated mission requirements.
Configure DBMS and/or OS settings to disconnect network sessions when database communication sessions have ended or after the DoD-defined period of inactivity. To configure this in Oracle, modify each relevant profile. The resource name is IDLE_TIME, which is expressed in minutes. Using PPPPPP as an example of a profile, set the timeout to 15 minutes with: ALTER PROFILE PPPPPP LIMIT IDLE_TIME 15;
If encryption is not required for the database, this is not a finding. If the DBMS has not implemented federally required cryptographic protections for the level of classification of the data it contains, this is a finding. Check the following settings to verify FIPS 140-2 or 140-3 encryption is configured. If encryption is not configured, check with the DBA and SYSTEM Administrator to verify if other mechanisms or third-party products are deployed to encrypt data during the transmission or storage of data. For Transparent Data Encryption and DBMS_CRYPTO: To verify if Oracle is configured for FIPS 140 Transparent Data Encryption and/or DBMS_CRYPTO, enter the following SQL*Plus command: SHOW PARAMETER DBFIPS_140 or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140'; If Oracle returns the value 'FALSE', or returns no rows, this is a finding. To verify if Oracle is configured for FIPS 140 SSL/TLS authentication and/or Encryption: Verify the DBMS version: select * from V$VERSION; If the version displayed for Oracle Database is lower than 12.1.0.2, this is a finding. If the operating system is Windows and the DBMS version is 12.1.0.2, use the opatch command to display the patches applied to the DBMS. If the patches listed do not include "WINDOWS DB BUNDLE PATCH 12.1.0.2.7", this is a finding. Open the fips.ora file in a browser or editor. (The default location for fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An alternate location, if it is in use, is specified in the FIPS_HOME environment variable.) If the line "SSLFIPS_140=TRUE" is not found in fips.ora, or the file does not exist, this is a finding. For (Native) Network Data Encryption: If the line, SQLNET.FIPS_140=TRUE is not found in $ORACLE_HOME/network/admin/sqlnet.ora, this is a finding. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file "Non-default sqlnet.ora configurations.pdf" for how to find multiple and/or differently located sqlnet.ora files.) Note: For the Solaris platform, when DBFIPS_140 is FALSE, TDE (but not DBMS_CRYPTO) can still operate in a FIPS 140-compliant manner if FIPS 140 operation is enabled for the Solaris Cryptographic Framework.
Implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Where not already in effect, upgrade the DBMS to version 12.1.0.2 or higher. Where the operating system is Windows and the DBMS version is 12.1.0.2, install patch "WINDOWS DB BUNDLE PATCH 12.1.0.2.7" if not already deployed. Open the fips.ora file in an editor. (The default location for fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An alternate location, if it is in use, is specified in the FIPS_HOME environment variable.) Create or modify fips.ora to include the line "SSLFIPS_140=TRUE". - - - - - The strength requirements are dependent upon data classification. For unclassified data, where cryptography is required: AES 128 for encryption SHA 256 for hashing NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows: AES 128 for Secret AES 256 for Top Secret SHA 256 for Secret SHA 384 for Top Secret National Security System is defined as: (OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
If the database does not handle sensitive information, this is not a finding. Review the system documentation to determine whether the database handles classified information. If the database handles classified information, upgrade the severity Category Code to I. Review the system documentation to discover sensitive or classified data identified by the Information Owner that requires encryption. If no sensitive or classified data is identified as requiring encryption by the Information Owner, this is not a finding. Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the system documentation. To see if Oracle is configured for FIPS 140 Transparent Data Encryption and/or DBMS_CRYPTO, enter the following SQL*Plus command: SHOW PARAMETER DBFIPS_140 or the following SQL query: SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'DBFIPS_140'; If Oracle returns the value 'FALSE', or returns no rows, this is a finding. To see if there are encrypted tablespaces, enter the following SQL*Plus command: SELECT * FROM V$ENCRYPTED_TABLESPACES; If no rows are returned, then there are no encrypted tablespaces. To see if there are encrypted columns within existing tables, enter the following SQL*Plus command: SELECT * FROM DBA_ENCRYPTED_COLUMNS; If no rows are returned, then there are no encrypted columns within existing tables. If all sensitive data identified is encrypted within the database objects, encryption of the DBMS data files is optional and not a finding. If all sensitive data is not encrypted within database objects, review encryption applied to the DBMS host data files. If no encryption is applied, this is a finding.
Obtain and utilize native or third-party NIST-validated FIPS 140-2 or 140-3 compliant cryptography solution for the DBMS. Configure cryptographic functions to use FIPS 140 compliant algorithms and hashing functions. The strength requirements are dependent upon data classification. For unclassified data, where cryptography is required: AES 128 for encryption SHA 256 for hashing NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows. AES 128 for Secret AES 256 for Top Secret SHA 256 for Secret SHA 384 for Top Secret National Security System is defined as: (OMB Circular A-130) Any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). There is more information on this topic in the Oracle Database 12c Advanced Security Administrator's Guide, which may be found at https://docs.oracle.com/database/121/ASOAG/toc.htm. (Note, however, that because of changes in Oracle's licensing policy, it is no longer necessary to purchase Oracle Advanced Security to use network encryption and advanced authentication.) FIPS documentation can be downloaded from https://csrc.nist.gov/publications/fips
If the organization has a policy, consistently enforced, forbidding the creation of emergency or temporary accounts, this is not a finding. Check DBMS settings, OS settings, and/or enterprise-level authentication/access mechanisms settings to determine if emergency accounts are being automatically terminated by the system after an organization-defined time period. Check also for custom code (scheduled jobs, procedures, triggers, etc.) for achieving this. If emergency accounts are not being terminated after an organization-defined time period, this is a finding.
Create a profile specifically for emergency or temporary accounts. When creating the accounts, assign them to this profile. Configure DBMS, OS, and/or enterprise-level authentication/access mechanisms, or implement custom code, to terminate accounts with this profile after an organization-defined time period.
Review DBMS settings to verify the DBMS implements measures to limit the effects of the organization-defined types of Denial of Service (DoS) attacks. If measures have not been implemented, this is a finding. Check the $ORACLE_HOME/network/admin/listener.ora to see if a Rate Limit has been established. A rate limit is used to prevent denial of service (DOS) attacks on a database or to control a logon storm such as may be caused by an application server reboot. - - - - - Example of a listener configuration with rate limiting in effect: CONNECTION_RATE_LISTENER=10 LISTENER= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes)) (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes)) (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526)) ) LISTENER= (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=8)) (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=12)) (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526)) )
Implement measures to limit the effects of organization-defined types of Denial of Service attacks. Modify the $ORACLE_HOME/network/admin/listener.ora to establish a Rate Limit.
Verify the DBMS system initialization/parameter files and software is included in the configuration of any third-party software or custom scripting at the OS level to perform integrity verification. If neither a third-party application nor the OS is performing integrity verification of DBMS system files, this is a finding.
Utilize the OS or a third-party product to perform file verification of DBMS system file integrity. (Using Oracle Configuration Manager with Enterprise Manager, configured to perform this verification, is one possible way of satisfying this requirement.)
Review system documentation to identify the installation account. Verify whether the account is used for anything involving interactive activity beyond DBMS software installation, upgrade, and maintenance actions. If the account is used for anything involving interactive activity beyond DBMS software installation, upgrade, and maintenance actions, this is a finding.
Restrict interactive use of the DBMS software installation account to DBMS software installation, upgrade, and maintenance actions only. If possible, disable installation accounts when authorized actions are not being performed. Otherwise, disable the use of the account(s) for interactive activity.
Review permissions that control access to the DBMS software libraries. The software library location may be determined from vendor documentation or service/process executable paths. Typically, only the DBMS software installation/maintenance account or SA account requires access to the software library for operational support such as backups. Any other accounts should be scrutinized and the reason for access documented. Accounts should have the least amount of privilege required to accompTypically, only the DBMS software installation/maintenance account or SA account requires access to the software library for operational support such as backups. Any other accounts should be scrutinized and the reason for access documented. Accounts should have the least amount of privilege required to accomplish the job. Below is one example for how to review accounts with access to software libraries for a Linux-based system: cat /etc/group |grep -i dba --Example output: dba:x:102: --take above number and input in below grep command cat /etc/passwd |grep 102 If any accounts are returned that are not required and authorized to have access to the software library location do have access, this is a finding.
Restrict access to the DBMS software libraries to accounts that require access based on job function.
Review the system documentation for a description of how audit records are off-loaded. If the DBMS has a continuous network connection to the centralized log management system, but the DBMS audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding. If the DBMS does not have a continuous network connection to the centralized log management system, and the DBMS audit records are not transferred to the centralized log management system weekly or more often, this is a finding.
Configure the DBMS or deploy and configure software tools to transfer audit records to a centralized log management system, continuously and in near-real-time where a continuous network connection to the log management system exists, or at least weekly in the absence of such a connection. For more information on auditing, refer to the following documents: https://docs.oracle.com/database/121/DBSEG/auditing.htm#DBSEG1024
Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information. From SQL*Plus: Select version from v$instance; Access the vendor website or use other means to verify the version is still supported. Oracle Release schedule: https://support.oracle.com/knowledge/Oracle%20Database%20Products/742060_1.html If the Oracle version or any of the software components are not supported by the vendor, this is a finding.
Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.