UCF STIG Viewer Logo

Oracle Database 11g Instance STIG


Overview

Date Finding Count (92)
2017-06-29 CAT I (High): 3 CAT II (Med): 78 CAT III (Low): 11
STIG Description
The Oracle Database 11g Instance Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-2555 High The Oracle REMOTE_OS_ROLES parameter should be set to FALSE.
V-2554 High The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE.
V-15635 High DBMS default accounts should be assigned custom passwords.
V-16035 Medium The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3.
V-16033 Medium Case sensitivity for passwords should be enabled.
V-3810 Medium DBMS authentication should require use of a DoD PKI certificate.
V-3817 Medium Database accounts should not specify account lock times less than the site-approved minimum.
V-3815 Medium New passwords must be required to differ from old passwords by more than four characters.
V-15130 Medium Unapproved inactive or expired database accounts should not be found on the database.
V-3819 Medium Sensitive information from production database exports must be modified before import to a development database.
V-3818 Medium Unauthorized database links should not be defined and active.
V-15637 Medium DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code.
V-15647 Medium Audit records should include the reason for blacklisting or disabling DBMS connections or accounts.
V-15644 Medium Attempts to bypass access controls should be audited.
V-15645 Medium Changes to configuration options must be audited.
V-15642 Medium Access grants to sensitive data should be restricted to authorized user roles.
V-2552 Medium The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.
V-15747 Medium The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
V-2564 Medium System Privileges should not be granted to PUBLIC.
V-15633 Medium Password reuse should be prevented where supported by the DBMS.
V-15632 Medium Use of DBA accounts should be restricted to administrative activities.
V-15631 Medium Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.
V-15630 Medium Access to sensitive data should be restricted to authorized users identified by the Information Owner.
V-2556 Medium The Oracle SQL92_SECURITY parameter should be set to TRUE.
V-2558 Medium The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE.
V-15639 Medium Unlimited account lock times should be specified for locked accounts.
V-15133 Medium Transaction logs should be periodically reviewed for unauthorized modification of data.
V-15623 Medium DBMS system data files should be stored in dedicated disk directories.
V-15626 Medium Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.
V-15627 Medium Administrative privileges should be assigned to database accounts via database roles.
V-15628 Medium DBMS application users should not be granted administrative privileges to the DBMS.
V-15629 Medium Application users privileges should be restricted to assignment using application user roles.
V-2561 Medium System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.
V-2562 Medium Required object auditing should be configured.
V-2508 Medium Unauthorized user accounts should not exist.
V-2507 Medium Audit trail data should be retained for one year.
V-15634 Medium DBMS account passwords should not be set to easily guessed words or values.
V-5683 Medium Application object owner accounts should be disabled when not performing installation or maintenance actions.
V-5685 Medium Required auditing parameters for database auditing should be set.
V-5686 Medium Audit records should be restricted to authorized individuals.
V-2589 Medium Object permissions granted to PUBLIC should be restricted.
V-3846 Medium Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.
V-3849 Medium Application owner accounts should have a dedicated application tablespace.
V-15619 Medium Replication accounts should not be granted DBA privileges.
V-15615 Medium The DBA role should not be assigned excessive or unauthorized privileges.
V-15617 Medium ccess to external objects should be disabled if not required and authorized.
V-15613 Medium Each database user, application or process should have an individually assigned account.
V-2574 Medium Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.
V-2515 Medium The audit table should be owned by SYS or SYSTEM.
V-2517 Medium Oracle instance names should not contain Oracle version numbers.
V-2516 Medium Access to default accounts used to support replication should be restricted to authorized DBAs.
V-2511 Medium Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
V-2593 Medium The Oracle RESOURCE_LIMIT parameter should be set to TRUE.
V-3857 Medium The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE.
V-3854 Medium The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access.
V-3850 Medium The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access.
V-15609 Medium Default demonstration and sample database objects and applications should be removed.
V-15607 Medium Application objects should be owned by accounts authorized for ownership.
V-2520 Medium Fixed user and public database links should be authorized for use.
V-2521 Medium A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-2522 Medium A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-15660 Medium Remote database or other external access should use fully-qualified names.
V-2527 Medium The DBA role should not be granted to unauthorized user accounts.
V-15141 Medium DBMS processes or services should run under custom, dedicated OS accounts.
V-15142 Medium Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.
V-3820 Medium Production databases should be protected from unauthorized access by developers on shared production/development host systems.
V-3821 Medium Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-3439 Medium Oracle system privileges should not be directly assigned to unauthorized accounts.
V-3438 Medium Oracle application administration roles should be disabled if not required and authorized.
V-3437 Medium Application role permissions should not be assigned to the Oracle PUBLIC role.
V-15654 Medium DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes.
V-15657 Medium Changes to DBMS security labels should be audited.
V-15154 Medium Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users.
V-15152 Medium DBMS login accounts require passwords to meet complexity requirements.
V-15153 Medium DBMS account passwords should be set to expire every 60 days or more frequently.
V-2424 Medium All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.
V-15128 Medium DBMS application user roles should not be assigned unauthorized privileges.
V-3808 Medium Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.
V-16053 Medium The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.
V-2533 Medium The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.
V-2539 Medium Execute permission should be revoked from PUBLIC for restricted Oracle packages.
V-3865 Low The XDB Protocol server should be uninstalled if not required and authorized for use.
V-15114 Low Developers should not be assigned excessive privileges on production databases.
V-2586 Low The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE.
V-3847 Low Database application user accounts should be denied storage usage for object creation within the database.
V-3848 Low The Oracle SID should not be the default SID.
V-15616 Low Sensitive data should be labeled.
V-2519 Low The Oracle OS_ROLES parameter should be set to FALSE.
V-3727 Low Database applications should be restricted from using static DDL statements to modify the application schema.
V-15149 Low DBA roles assignments should be assigned and authorized by the IAO.
V-3823 Low Custom and GOTS application source code stored in the database should be protected with encryption or encoding.
V-2531 Low The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$.