Oracle Database 12c Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R18

Published: 2020-06-12

Updated At: 2020-08-15 20:24:34

    Rule Version CCI Severity Title Description
    SV-75899r1_rule O121-BP-021100 CCI-000366 MEDIUM Audit trail data must be retained for at least one year. Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and needs to be included in audit retention plans and procedures
    SV-75901r1_rule O121-BP-021200 CCI-000366 MEDIUM Access to default accounts used to support replication must be restricted to authorized DBAs. Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases participating in the replication. Replication connections use
    SV-75903r1_rule O121-BP-021300 CCI-000366 MEDIUM Oracle instance names must not contain Oracle version numbers. Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malicious user may use that information to develop a targeted attack.
    SV-75905r2_rule O121-BP-021400 CCI-000366 MEDIUM Fixed user and public database links must be authorized for use. Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote databases in the distributed database environment. Limiting
    SV-75907r3_rule O121-BP-021500 CCI-000366 LOW A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device. Oracle control files are used to store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database files as well as at system startup to verify the validity of system data and log files. Loss of
    SV-75909r1_rule O121-BP-021600 CCI-000366 MEDIUM A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. The Oracle redo log files store the detailed information on changes made to the database. This information is critical to database recovery in case of a database failure.
    SV-75911r3_rule O121-BP-021700 CCI-000366 MEDIUM The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts. An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged account exploitation. Application user accounts must never requi
    SV-75915r1_rule O121-BP-021900 CCI-000366 HIGH The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE. Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password
    SV-75917r1_rule O121-BP-022000 CCI-000366 HIGH The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operat
    SV-75919r1_rule O121-BP-022100 CCI-000366 MEDIUM The Oracle SQL92_SECURITY parameter must be set to TRUE. The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled (set to FALSE), the UPDATE privilege can be used to determi
    SV-75921r4_rule O121-BP-022200 CCI-000366 MEDIUM The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. It is critically important to the security of your system that you protect your password file and the environment variables that identify the location of the password file. Any user with access to these could potentially compromise the security of the con
    SV-75923r4_rule O121-BP-022300 CCI-000366 MEDIUM System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts. The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designe
    SV-75925r1_rule O121-BP-022400 CCI-000366 MEDIUM System Privileges must not be granted to PUBLIC. System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey considerable authority over the database and should be granted
    SV-75927r4_rule O121-BP-022500 CCI-000366 MEDIUM Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBAs, object owners, and, where designed and
    SV-75929r4_rule O121-BP-022600 CCI-000366 MEDIUM Object permissions granted to PUBLIC must be restricted. Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting obj
    SV-75931r2_rule O121-BP-022700 CCI-000366 HIGH The Oracle Listener must be configured to require administration authentication. Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized acce
    SV-75933r1_rule O121-BP-022800 CCI-000366 MEDIUM Application role permissions must not be assigned to the Oracle PUBLIC role. Permissions granted to PUBLIC are granted to all users of the database. Custom roles must be used to assign application permissions to functional groups of application users. The installation of Oracle does not assign role permissions to PUBLIC.
    SV-75935r2_rule O121-BP-022900 CCI-000366 MEDIUM Oracle application administration roles must be disabled if not required and authorized. Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) a
    SV-75937r2_rule O121-BP-023000 CCI-000366 MEDIUM Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted. Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where either
    SV-75939r3_rule O121-BP-023100 CCI-000366 MEDIUM Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions. Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These queues must be monitored regularly to detect any such unaut
    SV-75941r1_rule O121-BP-023200 CCI-000366 MEDIUM Unauthorized database links must not be defined and active. DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database links between production and development DBMSs provide a
    SV-75943r2_rule O121-BP-023300 CCI-000366 MEDIUM Sensitive information from production database exports must be modified before import to a development database. Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to un
    SV-75945r1_rule O121-BP-023400 CCI-000366 MEDIUM Application user privilege assignment must be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review of privilege assignments assures that organizational and/or
    SV-75947r1_rule O121-BP-023500 CCI-000366 MEDIUM Audit trail data must be reviewed daily or more frequently. Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensure that such access is discovered in a timely manner.
    SV-75949r3_rule O121-BP-023600 CCI-000366 MEDIUM Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace. The Oracle SYSTEM tablespace is used by the database to store all DBMS system objects. Other use of the system tablespace may compromise system availability and the effectiveness of host system access controls to the tablespace files.
    SV-75951r3_rule O121-BP-023700 CCI-000366 MEDIUM Application owner accounts must have a dedicated application tablespace. Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access controls. Application data must be stored separately from system a
    SV-75953r1_rule O121-BP-023800 CCI-000366 MEDIUM The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access. The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the protection of archive log files is critical. Archive log files
    SV-75955r1_rule O121-BP-023900 CCI-000366 MEDIUM The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assignment of privileges based on job function. Additionally,
    SV-75957r4_rule O121-BP-024000 CCI-000366 MEDIUM Application object owner accounts must be disabled when not performing installation or maintenance actions. Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of the object ownership privileges. In addition to the high p
    SV-75977r1_rule O121-BP-024100 CCI-000366 MEDIUM DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems. Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional
    SV-75979r1_rule O121-BP-024200 CCI-000366 MEDIUM Use of the DBMS installation account must be logged. The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.
    SV-75981r1_rule O121-BP-024300 CCI-000366 MEDIUM The DBMS host platform and other dependent applications must be configured in compliance with applicable STIG requirements. The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.
    SV-75983r1_rule O121-BP-024400 CCI-000366 MEDIUM Remote administrative access to the database must be monitored by the ISSO or ISSM. Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to instate increased monitoring of this access to detect any abus
    SV-75985r1_rule O121-BP-024500 CCI-000366 MEDIUM The database must not be directly accessible from public or unauthorized networks. Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the dat
    SV-75987r1_rule O121-BP-024600 CCI-000366 MEDIUM The ISSM must review changes to DBA role assignments. Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight.
    SV-75989r1_rule O121-BP-024700 CCI-000366 MEDIUM Plans and procedures for testing DBMS installations, upgrades and patches must be defined and followed prior to production implementation. Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce se
    SV-75991r1_rule O121-BP-024800 CCI-000366 MEDIUM Procedures and restrictions for import of production data to development databases must be documented, implemented and followed. Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sen
    SV-75993r1_rule O121-BP-024900 CCI-000366 MEDIUM Sensitive data stored in the database must be identified in the System Security Plan and AIS Functional Architecture documentation. A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses.
    SV-75997r1_rule O121-BP-025200 CCI-000366 MEDIUM Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users. Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users.
    SV-75999r1_rule O121-BP-025300 CCI-000366 MEDIUM The DBMS must not share a host supporting an independent security service. The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other syste
    SV-76001r1_rule O121-BP-025400 CCI-000366 MEDIUM Access to DBMS software files and directories must not be granted to unauthorized users. The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or ope
    SV-76003r1_rule O121-BP-025500 CCI-000366 MEDIUM Replication accounts must not be granted DBA privileges. Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and cr
    SV-76005r2_rule O121-BP-025600 CCI-000366 MEDIUM Network access to the DBMS must be restricted to authorized personnel. Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.
    SV-76009r1_rule O121-BP-025800 CCI-000366 MEDIUM Changes to configuration options must be audited. The AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle database. It is the account accessed by users connecting to the d
    SV-76013r4_rule O121-BP-026000 CCI-000366 MEDIUM Remote DBMS administration must be documented and authorized or disabled. Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.
    SV-76015r1_rule O121-BP-026100 CCI-000366 MEDIUM DBMS symmetric keys must be protected in accordance with NSA or NIST-approved key management technology or processes. Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for unauthorized data access.
    SV-76017r4_rule O121-BP-026200 CCI-000366 MEDIUM Changes to DBMS security labels must be audited. Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation options include the Oracle Label Security package, or a third-party product, or custom-developed functionality. The confidentiality
    SV-76019r1_rule O121-BP-026300 CCI-000366 MEDIUM Remote database or other external access must use fully-qualified names. The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both, ambiguity is avoided and unauthorized or unintended connecti
    SV-76021r2_rule O121-BP-026400 CCI-000366 MEDIUM The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. /diag indicates the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful to potential attackers.
    SV-76023r1_rule O121-BP-026500 CCI-000366 MEDIUM Remote administration must be disabled for the Oracle connection manager. Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.
    SV-76025r4_rule O121-BP-026600 CCI-000366 MEDIUM Network client connections must be restricted to supported versions. Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls.
    SV-76027r1_rule O121-C1-004500 CCI-000366 HIGH DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being impl
    SV-76029r2_rule O121-C1-011100 CCI-001499 HIGH Oracle software must be evaluated and patched against newly found vulnerabilities. Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organiz
    SV-76031r1_rule O121-C1-015000 CCI-000199 HIGH DBMS default accounts must be assigned custom passwords. Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matte
    SV-76033r4_rule O121-C1-015400 CCI-000186 HIGH The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the priv
    SV-76035r5_rule O121-C1-019700 CCI-002421 HIGH The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Lay
    SV-76043r1_rule O121-C2-001600 CCI-002186 MEDIUM The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited. Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadb
    SV-76045r1_rule O121-C2-001700 CCI-000366 MEDIUM The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure. This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system by a user (or an information system) communicating through
    SV-76047r2_rule O121-C2-001800 CCI-000015 MEDIUM The system must employ automated mechanisms for supporting Oracle user account management. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action o
    SV-76049r3_rule O121-C2-001900 CCI-000016 MEDIUM The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts. Temporary application accounts could be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support-related activity. When these types
    SV-76051r4_rule O121-C2-002000 CCI-000016 MEDIUM The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours. Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When t
    SV-76055r2_rule O121-C2-002200 CCI-000018 MEDIUM The DBMS must automatically audit account creation. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation is one method
    SV-76059r2_rule O121-C2-002300 CCI-001403 MEDIUM The DBMS must automatically audit account modification. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is
    SV-76061r4_rule O121-C2-002400 CCI-001404 MEDIUM The DBMS must automatically audit account disabling actions, to the extent such information is available. When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user ac
    SV-76063r2_rule O121-C2-002500 CCI-001405 MEDIUM The DBMS must automatically audit account termination. When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user
    SV-76065r1_rule O121-C2-002700 CCI-000213 MEDIUM The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy. Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices
    SV-76067r1_rule O121-C2-003000 CCI-002165 MEDIUM The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organizations to control access be
    SV-76069r3_rule O121-C2-003400 CCI-000366 MEDIUM DBMS processes or services must run under custom, dedicated OS accounts. Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user m
    SV-76071r1_rule O121-C2-003500 CCI-000366 MEDIUM The DBMS must restrict grants to sensitive information to authorized user roles. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76073r1_rule O121-C2-003600 CCI-000366 MEDIUM A single database connection configuration file must not be used to configure all database clients. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76075r1_rule O121-C2-003700 CCI-000366 MEDIUM The DBMS must be protected from unauthorized access by developers. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76077r1_rule O121-C2-003800 CCI-000366 MEDIUM The DBMS must be protected from unauthorized access by developers on shared production/development host systems. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76079r2_rule O121-C2-003900 CCI-000366 MEDIUM The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76081r3_rule O121-C2-004000 CCI-000366 MEDIUM Administrative privileges must be assigned to database accounts via database roles. Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that th
    SV-76083r2_rule O121-C2-004100 CCI-000366 MEDIUM Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being impl
    SV-76085r2_rule O121-C2-004200 CCI-000366 MEDIUM All use of privileged accounts must be audited. This is intended to limit exposure, by making it possible to trace any unauthorized access, by a privileged user account or role that has permissions on security functions or security-relevant information, to other data or functionality.
    SV-76087r1_rule O121-C2-004210 CCI-000366 MEDIUM Owners of privileged accounts must use non-privileged accounts for non-administrative activities. Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification, or exposure. In particular, DBA accounts, if used for non-administration application development or application maintenance, can
    SV-76089r2_rule O121-C2-004300 CCI-000366 MEDIUM The DBA role must not be assigned excessive or unauthorized privileges. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being impl
    SV-76091r2_rule O121-C2-004400 CCI-000366 MEDIUM OS accounts utilized to run external procedures called by the DBMS must have limited privileges. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC) is being imple
    SV-76093r2_rule O121-C2-004900 CCI-002236 MEDIUM The DBMS must verify account lockouts persist until reset by an administrator. Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may c
    SV-76095r3_rule O121-C2-005000 CCI-000044 MEDIUM The DBMS must set the maximum number of consecutive invalid logon attempts to three. Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, organizations define the number of times a user account may
    SV-76103r1_rule O121-C2-005600 CCI-001849 MEDIUM The DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded. Applications need to be cognizant of potential audit log storage capacity issues. During the installation and/or configuration process, applications should detect and determine if adequate storage capacity has been allocated for audit logs. During the in
    SV-76107r1_rule O121-C2-006600 CCI-002165 MEDIUM Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights. Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquire
    SV-76109r1_rule O121-C2-006700 CCI-002165 MEDIUM A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user. DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating t
    SV-76111r1_rule O121-C2-006800 CCI-000169 MEDIUM The DBMS must provide audit record generation capability for organization-defined auditable events within the database. Audit records can be generated from various components within the information system (e.g., network interface, hard disk, modem, etc.). From an application perspective, certain specific application functionalities may be audited as well. The list of aud
    SV-76113r1_rule O121-C2-006900 CCI-000171 MEDIUM The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, timestamps, sourc
    SV-76115r3_rule O121-C2-007000 CCI-000172 MEDIUM The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available. Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well. The list of
    SV-76117r2_rule O121-C2-007400 CCI-000130 MEDIUM The DBMS must produce audit records containing sufficient information to establish what type of events occurred. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76121r1_rule O121-C2-007500 CCI-000131 MEDIUM The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76123r2_rule O121-C2-007600 CCI-000132 MEDIUM The DBMS must produce audit records containing sufficient information to establish where the events occurred. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76125r2_rule O121-C2-007700 CCI-000133 MEDIUM The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to: timestamps, source and destination IP addresses, us
    SV-76127r1_rule O121-C2-007800 CCI-000134 MEDIUM The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to: timestamps, source and destination IP addresses, user
    SV-76129r1_rule O121-C2-007900 CCI-001487 MEDIUM The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76131r2_rule O121-C2-008000 CCI-000135 MEDIUM The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76133r2_rule O121-C2-008200 CCI-001855 MEDIUM The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capac
    SV-76135r2_rule O121-C2-008300 CCI-001858 MEDIUM The system must provide a real-time alert when organization-defined audit failure events occur. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capac
    SV-76139r2_rule O121-C2-008900 CCI-000158 MEDIUM The system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria. Before a security review, information systems and/or applications with an audit reduction capability may remove many audit records known to have little security significance. This is generally accomplished by removing records generated by specified class
    SV-76141r1_rule O121-C2-009000 CCI-000158 MEDIUM Attempts to bypass access controls must be audited. Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, source and destination addresses, user/process identifiers, eve
    SV-76143r2_rule O121-C2-009300 CCI-000162 MEDIUM The system must protect audit information from any type of unauthorized access. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an
    SV-76145r1_rule O121-C2-009400 CCI-000163 MEDIUM The system must protect audit information from unauthorized modification. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the applica
    SV-76147r1_rule O121-C2-009500 CCI-000164 MEDIUM The system must protect audit information from unauthorized deletion. If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data the information system and/or the applicat
    SV-76149r1_rule O121-C2-009600 CCI-001493 MEDIUM The system must protect audit tools from unauthorized access. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application
    SV-76151r1_rule O121-C2-009700 CCI-001494 MEDIUM The system must protect audit tools from unauthorized modification. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application
    SV-76153r1_rule O121-C2-009800 CCI-001495 MEDIUM The system must protect audit tools from unauthorized deletion. Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application
    SV-76155r1_rule O121-C2-010000 CCI-001348 MEDIUM The DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency. Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto media separate from the system being audited on an organizational-defined frequency helps to assure, in the event
    SV-76157r3_rule O121-C2-010100 CCI-001350 MEDIUM The DBMS must protect audit data records and integrity by using cryptographic mechanisms. Protection of audit records and audit data is of critical importance. Cryptographic mechanisms are the industry-established standard used to protect the integrity of audit data. An example of a cryptographic mechanism is the computation and application of
    SV-76159r1_rule O121-C2-010200 CCI-000366 MEDIUM The DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions. Protection of audit records and audit data is of critical importance. Care must be taken to ensure privileged users cannot circumvent audit protections put in place. Auditing might not be reliable when performed by an information system which the user be
    SV-76161r1_rule O121-C2-010300 CCI-000345 MEDIUM The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself. When dealing with access restrictions pertaining to change control, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of t
    SV-76163r2_rule O121-C2-011000 CCI-001499 MEDIUM Database objects must be owned by accounts authorized for ownership. Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants and al
    SV-76165r2_rule O121-C2-011400 CCI-000366 MEDIUM The DBMS must enforce requirements for remote connections to the information system. Applications that provide remote access to information systems must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Examples of policy requirements include, but are
    SV-76167r3_rule O121-C2-011500 CCI-000381 MEDIUM Default demonstration and sample databases, database objects, and applications must be removed. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is det
    SV-76169r2_rule O121-C2-011600 CCI-000381 MEDIUM Unused database components, DBMS software, and database objects must be removed. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is det
    SV-76171r2_rule O121-C2-011700 CCI-000381 MEDIUM Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is det
    SV-76173r2_rule O121-C2-011800 CCI-000381 MEDIUM Use of external executables must be authorized. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is det
    SV-76175r2_rule O121-C2-011810 CCI-000381 MEDIUM Access to external executables must be disabled or restricted. The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The exter
    SV-76177r1_rule O121-C2-011900 CCI-000382 MEDIUM The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services. Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additiona
    SV-76179r1_rule O121-C2-012000 CCI-000553 MEDIUM Recovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner. Application recovery and reconstitution constitutes executing an information system contingency plan comprised of activities that restore essential missions and business functions. Database management systems and transaction-based processing systems are
    SV-76183r2_rule O121-C2-012200 CCI-000535 MEDIUM Oracle must back up user-level information per a defined frequency. Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system fa
    SV-76185r1_rule O121-C2-012300 CCI-000535 MEDIUM Database backup procedures must be defined, documented, and implemented. Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system fa
    SV-76187r1_rule O121-C2-012400 CCI-000535 MEDIUM Database recovery procedures must be developed, documented, implemented, and periodically tested. Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system fa
    SV-76189r1_rule O121-C2-012500 CCI-000535 MEDIUM DBMS backup and restoration files must be protected from unauthorized access. Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to assure availability of this data in the event of a system fa
    SV-76191r1_rule O121-C2-012600 CCI-000537 MEDIUM DBMS must conduct backups of system-level information per organization-defined frequency that is consistent with recovery time and recovery point objectives. Information system backup is a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. Backups shall be consistent with organiza
    SV-76193r3_rule O121-C2-012900 CCI-000765 MEDIUM The DBMS must use multifactor authentication for network access to privileged accounts. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Somet
    SV-76195r3_rule O121-C2-013000 CCI-000766 MEDIUM The DBMS must use multifactor authentication for network access to non-privileged accounts. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Someth
    SV-76197r3_rule O121-C2-013100 CCI-000767 MEDIUM The DBMS must use multifactor authentication for local access to privileged accounts. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Somet
    SV-76199r4_rule O121-C2-013200 CCI-000768 MEDIUM The DBMS must use multifactor authentication for local access to non-privileged accounts. Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Somethi
    SV-76201r1_rule O121-C2-013300 CCI-000770 MEDIUM The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator. To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individually identified and authenticated. A shared authenticator is a generic account used by multiple individua
    SV-76203r4_rule O121-C2-013600 CCI-001941 MEDIUM The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers gener
    SV-76205r4_rule O121-C2-013700 CCI-001942 MEDIUM The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers gener
    SV-76207r3_rule O121-C2-013800 CCI-000795 MEDIUM The DBMS must disable user accounts after 35 days of inactivity. Attackers that are able to exploit an inactive DBMS account can potentially obtain and maintain undetected access to the database. Owners of inactive DBMS accounts will not notice if unauthorized access to their user account has been obtained. All DBMS
    SV-76209r2_rule O121-C2-013900 CCI-000205 MEDIUM The DBMS must support organizational requirements to enforce minimum password length. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the in
    SV-76211r2_rule O121-C2-014000 CCI-000200 MEDIUM The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the in
    SV-76213r2_rule O121-C2-014100 CCI-000192 MEDIUM The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex
    SV-76215r2_rule O121-C2-014200 CCI-000193 MEDIUM The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex
    SV-76217r2_rule O121-C2-014300 CCI-000194 MEDIUM The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex
    SV-76219r2_rule O121-C2-014400 CCI-001619 MEDIUM The DBMS must support organizational requirements to enforce password complexity by the number of special characters used. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex
    SV-76221r2_rule O121-C2-014500 CCI-000195 MEDIUM The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed. Passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has n
    SV-76223r3_rule O121-C2-014600 CCI-000196 MEDIUM The DBMS must support organizational requirements to enforce password encryption for storage. Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromi
    SV-76225r1_rule O121-C2-014900 CCI-000199 MEDIUM Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matte
    SV-76227r4_rule O121-C2-015100 CCI-000199 MEDIUM DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matte
    SV-76229r4_rule O121-C2-015200 CCI-000199 MEDIUM The DBMS must enforce password maximum lifetime restrictions. Password maximum lifetime is the maximum period of time (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific policy-based intervals as per policy. Any password, no matter
    SV-76231r4_rule O121-C2-015300 CCI-000185 MEDIUM The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trus
    SV-76233r3_rule O121-C2-015500 CCI-000187 MEDIUM The DBMS must map the authenticated identity to the user account using PKI-based authentication. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. When including the DBMS in the Private Key Infrastructure, the authen
    SV-76235r2_rule O121-C2-015501 CCI-000366 MEDIUM Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS. Just as individual users must be authenticated, and just as they must use PKI-based authentication, so must any processes that connect to the DBMS. The DoD standard for authentication of a process or device communicating with another process or device is
    SV-76237r2_rule O121-C2-015700 CCI-000803 MEDIUM The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. Applic
    SV-76239r1_rule O121-C2-016000 CCI-002890 MEDIUM The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems and applications includes t
    SV-76241r1_rule O121-C2-016100 CCI-000877 MEDIUM The DBMS must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems and applications includes t
    SV-76243r2_rule O121-C2-016300 CCI-000366 MEDIUM Databases employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media. When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, magnetic tape, etc., there is risk of data loss. An organizational assessment of risk guides the selection of media and associated information containe
    SV-76245r2_rule O121-C2-016400 CCI-002262 MEDIUM The DBMS must support organizational requirements to encrypt information stored in the database and information extracted or derived from the database and stored on digital media. When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and/or compromise. An organizational assessment of risk guides
    SV-76247r2_rule O121-C2-016500 CCI-001133 MEDIUM The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity. Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. The act of managing systems and applications includes t
    SV-76249r3_rule O121-C2-016600 CCI-002450 MEDIUM The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 crypto
    SV-76251r1_rule O121-C2-016700 CCI-002450 MEDIUM Database data files containing sensitive information must be encrypted. Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Data files that are not encrypted are vulner
    SV-76253r1_rule O121-C2-017100 CCI-000366 MEDIUM The DBMS must protect the integrity of publicly available information and applications. The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications with such protection likely being implemented as part of other security controls. Databases designed to contain publicl
    SV-76255r2_rule O121-C2-017600 CCI-001185 MEDIUM The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded. This requirement focuses on communications protection at the application session, versus network packet, level. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application
    SV-76259r3_rule O121-C2-018200 CCI-001665 MEDIUM The DBMS must preserve any organization-defined system state information in the event of a system failure. Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the
    SV-76261r2_rule O121-C2-018300 CCI-001199 MEDIUM The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary
    SV-76265r1_rule O121-C2-018500 CCI-001084 MEDIUM The DBMS must isolate security functions from nonsecurity functions by means of separate security domains. Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based". Developers and impl
    SV-76267r1_rule O121-C2-018600 CCI-001682 MEDIUM The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account. Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnosti
    SV-76269r1_rule O121-C2-018800 CCI-001274 MEDIUM The DBMS must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications. Applications will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within the application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensuring t
    SV-76271r1_rule O121-C2-018900 CCI-001090 MEDIUM The DBMS must prevent unauthorized and unintended information transfer via shared system resources. The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current
    SV-76273r1_rule O121-C2-019100 CCI-002385 MEDIUM The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks. A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly aff
    SV-76275r2_rule O121-C2-019500 CCI-001310 MEDIUM The DBMS must check the validity of data inputs. Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or i
    SV-76277r1_rule O121-C2-019600 CCI-002716 MEDIUM The system must verify there have not been unauthorized changes to the DBMS software and information. Organizations are required to employ integrity verification applications on information systems to look for evidence of information tampering, errors, and omissions. The organization is also required to employ good software engineering practices with rega
    SV-76279r1_rule O121-C2-019800 CCI-000366 MEDIUM The DBMS must identify potentially security-relevant error conditions. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational re
    SV-76281r2_rule O121-C2-019900 CCI-001312 MEDIUM The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered
    SV-76283r2_rule O121-C2-020000 CCI-001314 MEDIUM The DBMS must restrict error messages so only authorized personnel may view them. If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team.
    SV-76285r1_rule O121-C2-020300 CCI-001670 MEDIUM The DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events. System availability is a key tenet of system security. Organizations need to have the flexibility to be able to define the automated actions taken in response to an identified incident. This includes being able to define a least disruptive action the appl
    SV-76287r2_rule O121-C2-020400 CCI-001683 MEDIUM The DBMS must notify appropriate individuals when accounts are created. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one me
    SV-76289r2_rule O121-C2-020500 CCI-001684 MEDIUM The DBMS must notify appropriate individuals when accounts are modified. Once an attacker establishes initial access to a system, they often attempt to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account for later use. Notification of account creat
    SV-76291r2_rule O121-C2-020600 CCI-001685 MEDIUM The DBMS must notify appropriate individuals when account disabling actions are taken. When application accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect user
    SV-76293r2_rule O121-C2-020700 CCI-001686 MEDIUM The DBMS must notify appropriate individuals when accounts are terminated. When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events that affect u
    SV-76299r3_rule O121-C3-003300 CCI-000366 LOW The DBMS must implement separation of duties through assigned information access authorizations. Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user m
    SV-76303r1_rule O121-C3-008700 CCI-001875 LOW The system must provide an audit log reduction capability. Audit reduction is used to reduce the volume of audit records in order to facilitate manual review. Before a security review, information systems and/or applications with an audit reduction capability may remove many audit records known to have little se
    SV-76305r5_rule O121-C3-019200 CCI-001094 LOW The DBMS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks. When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also ne
    SV-76307r3_rule O121-C3-019300 CCI-001095 LOW The DBMS must manage resources to limit the effects of information flooding types of Denial of Service (DoS) incidents. In the case of application DoS incidents, care must be taken when designing the application to ensure the application makes the best use of system resources. SQL queries have the potential to consume large amounts of CPU cycles if they are not tuned for o
    SV-76309r2_rule O121-C3-019400 CCI-002394 LOW The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority. Priority protection helps prevent a lower-priority process from delaying or interfering with the information system servicing any higher-priority process. This control does not apply to components in the information system for which there is only a single
    SV-76333r2_rule O121-N1-015601 CCI-000366 HIGH Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any information that would allow an unauthorized user to compromise the authenticatio
    SV-76335r3_rule O121-N1-015602 CCI-000366 HIGH When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password. The SRG states: "To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any information that would allow an unauthorized user to compromise
    SV-76339r1_rule O121-N2-004701 CCI-000366 MEDIUM DBMS default accounts must be protected from misuse. The Security Requirements Guide says, "Default accounts are usually accounts that have special privileges required to administer the database. Well-known DBMS account names are targeted most frequently by attackers and are thus more prone to providing un
    SV-76343r2_rule O121-N2-008601 CCI-000366 MEDIUM The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. In order to ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates audit data be off-loaded to a centralized log management s
    SV-76355r2_rule O121-OS-004600 CCI-000366 HIGH Use of the DBMS software installation account must be restricted. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being impl
    SV-76357r2_rule O121-OS-010700 CCI-001499 MEDIUM Database software, applications, and configuration files must be monitored to discover unauthorized changes. Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If the system were to allow any user to make changes to softwar
    SV-76359r1_rule O121-OS-011200 CCI-001499 MEDIUM The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs). When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If
    SV-76361r2_rule O121-P2-008100 CCI-001851 MEDIUM Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The DBMS may write audit records to database tables, files
    SV-76363r1_rule O121-P2-010800 CCI-001499 HIGH The DBMS software installation account must be restricted to authorized users. When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If
    SV-76365r1_rule O121-P2-010900 CCI-001499 MEDIUM Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications. When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Mu
    SV-76367r1_rule O121-P2-012700 CCI-000537 MEDIUM The DBMS software libraries must be periodically backed up. Information system backup is a critical step in maintaining data assurance and availability. System-level information includes: system-state information, operating system and application software, and licenses. Backups shall be consistent with organiza
    SV-76369r1_rule O121-P2-012800 CCI-000764 MEDIUM The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.
    SV-76371r1_rule O121-P2-015800 CCI-000804 MEDIUM The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, indivi
    SV-76373r1_rule O121-P2-017300 CCI-001082 MEDIUM The DBMS must separate user functionality (including user interface services) from database management functionality. Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system ma
    SV-76375r1_rule O121-P2-017400 CCI-001083 MEDIUM The DBMS must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users. Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system ma
    SV-76377r2_rule O121-P3-006200 CCI-000166 LOW The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action. Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a
    SV-76453r3_rule O121-BP-025100 CCI-000366 MEDIUM The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files. Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database, resource contention and security controls are required to isolate and protect a
    SV-76455r3_rule O121-BP-025101 CCI-000366 MEDIUM The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files. The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the DBMS). Unauthorized access or loss of integrity of
    SV-76457r2_rule O121-C2-000100 CCI-000054 MEDIUM The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions. Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in limiting risks related to Denial of Service attacks. This re
    SV-76459r1_rule O121-C3-008800 CCI-001878 LOW The system must provide a report generation capability for audit reduction data. In support of Audit Review, Analysis, and Reporting requirements, audit reduction is a technique used to reduce the volume of audit records in order to facilitate a manual review. Before a security review is conducted, information systems and/or applicat
    SV-83467r1_rule O121-OS-010710 CCI-001499 MEDIUM Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes. Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. This includes the logic modules implemented within the database