| V-2555 | High | The Oracle REMOTE_OS_ROLES parameter should be set to FALSE. | Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is... |
| V-2554 | High | The Oracle REMOTE_OS_AUTHENT parameter should be set to FALSE. | Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and... |
| V-15635 | High | DBMS default accounts should be assigned custom passwords. | Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when... |
| V-16035 | Medium | The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter should be set to an ISSO-approved value between 1 and 3. | The SEC_MAX_FAILED_LOGIN_ATTEMPTS prevents multiple failed login attempts by a single connection. The parameter differs from the limit set on user profiles and applied to failed login attempts to... |
| V-16033 | Medium | Case sensitivity for passwords should be enabled. | Enablement of password case sensitivity allows Oracle password complexity to meet DoD password requirements. Password complexity decreases the likelihood of successful password attacks by malicious users. |
| V-3810 | Medium | DBMS authentication should require use of a DoD PKI certificate. | In a properly configured DBMS, access controls defined for data access and DBMS management actions are assigned based on the user identity and job function. Unauthenticated or falsely... |
| V-3817 | Medium | Database accounts should not specify account lock times less than the site-approved minimum. | The FAILED_LOGIN_ATTEMPTS value limits the number of failed login attempts allowed before an account is locked. Setting this value limits the ability of unauthorized users to guess passwords and... |
| V-3815 | Medium | New passwords must be required to differ from old passwords by more than four characters. | Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password... |
| V-15130 | Medium | Unapproved inactive or expired database accounts should not be found on the database. | Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database. |
| V-3819 | Medium | Sensitive information from production database exports should be modified after import to a development database. | Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be... |
| V-3818 | Medium | Unauthorized database links should not be defined and active. | DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems.... |
| V-15637 | Medium | DBMS passwords should not be stored in compiled, encoded or encrypted batch jobs or compiled, encoded or encrypted application source code. | The storage of passwords in application source or batch job code that is compiled, encoded or encrypted prevents compliance with password expiration and other management requirements as well as... |
| V-15647 | Medium | Audit records should include the reason for blacklisting or disabling DBMS connections or accounts. | Records of any disabling or locking of account actions taken by the DBMS can contain information valuable to decisions to employ additional responsive actions. |
| V-15644 | Medium | Attempts to bypass access controls should be audited. | Configuring proper auditing is critical to recording any malicious events or detecting when attacks on the database occur. Auditing can be turned on for any SQL statement or any use of a system... |
| V-15645 | Medium | Changes to configuration options must be audited. | The AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle... |
| V-15642 | Medium | Access grants to sensitive data should be restricted to authorized user roles. | Unauthorized access to sensitive data may compromise the confidentiality of personnel privacy, threaten national security or compromise a variety of other sensitive operations. Access controls are... |
| V-2552 | Medium | The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy. | The Idle Time Resource Usage setting limits the maximum idle time allowed in a session. Idle time is a continuous inactive period during a session, expressed in minutes. Long-running queries and... |
| V-15747 | Medium | The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. | <DIAGNOSTIC_DEST>/diag indicates the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful... |
| V-2564 | Medium | System Privileges should not be granted to PUBLIC. | System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey... |
| V-15633 | Medium | Password reuse should be prevented where supported by the DBMS. | Password reuse restrictions protect against bypass of password expiration requirements and help protect accounts from password guessing attempts. The DoDI 8500.2 specifies preventing password... |
| V-15632 | Medium | Use of DBA accounts should be restricted to administrative activities. | Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for... |
| V-15631 | Medium | Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. | System tables and DBA views contain information such as user, system and data that could lead to unauthorized access. Revoke any privileges granted to non-DBA accounts that provide direct access... |
| V-15630 | Medium | Access to sensitive data should be restricted to authorized users identified by the Information Owner. | The Oracle parameter file contains configuration settings that are applied to the database at database and instance startup. Unauthorized changes to these parameters could lead to a compromise of... |
| V-2556 | Medium | The Oracle SQL92_SECURITY parameter should be set to TRUE. | The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled... |
| V-2558 | Medium | The Oracle REMOTE_LOGIN_PASSWORDFILE parameter should be set to EXCLUSIVE or NONE. | The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of "EXCLUSIVE" allows for auditing of individual DBA logins... |
| V-15639 | Medium | Unlimited account lock times should be specified for locked accounts. | When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access... |
| V-15133 | Medium | Transaction logs should be periodically reviewed for unauthorized modification of data. | Unauthorized or malicious changes to data compromise the integrity and usefulness of the data. Auditing changes to data supports accountability and non-repudiation. Auditing changes to data may be... |
| V-15623 | Medium | DBMS system data files should be stored in dedicated disk directories. | DBMS system data files have different access control requirements than application data and log files. Granting access to system data files beyond those required for system operations could lead... |
| V-15624 | Medium | DBMS data files should be dedicated to support individual applications. | DBMS data files may contain database objects supporting different applications. Shared resources and access to storage locations may lead to one application being vulnerable to the exploit or... |
| V-15626 | Medium | Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | Roles assigned privileges to perform DDL and/or system configuration actions in the database can lead to compromise of any data in the database as well as operation of the DBMS itself. Restrict... |
| V-15627 | Medium | Administrative privileges should be assigned to database accounts via database roles. | Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined... |
| V-15628 | Medium | DBMS application users should not be granted administrative privileges to the DBMS. | Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against... |
| V-15629 | Medium | Application users privileges should be restricted to assignment using application user roles. | Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned... |
| V-2561 | Medium | System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts. | The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel.... |
| V-2562 | Medium | Required object auditing should be configured. | Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or... |
| V-2508 | Medium | Unauthorized user accounts should not exist. | Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts. |
| V-2507 | Medium | Audit trail data should be retained for one year. | Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and... |
| V-15634 | Medium | DBMS account passwords should not be set to easily guessed words or values. | DBMS account passwords set to common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access. |
| V-5683 | Medium | Application object owner accounts should be disabled when not performing installation or maintenance actions. | Object ownership provides all database object permissions to the owned object. Access to the application object owner accounts requires special protection to prevent unauthorized access and use of... |
| V-5685 | Medium | Required auditing parameters for database auditing should be set. | Oracle auditing can be set to log audit data to the database or operating system files. Logging events to the database prevents operating system users from viewing the data, while logging events... |
| V-5686 | Medium | Audit records should be restricted to authorized individuals. | Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to... |
| V-2589 | Medium | Object permissions granted to PUBLIC should be restricted. | Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database... |
| V-3846 | Medium | Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace. | The Oracle SYSTEM tablespace is used by the database to store all DBMS system objects. Other use of the system tablespace may compromise system availability and the effectiveness of host system... |
| V-3849 | Medium | Application owner accounts should have a dedicated application tablespace. | Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access... |
| V-15619 | Medium | Replication accounts should not be granted DBA privileges. | Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database... |
| V-15615 | Medium | The DBA role should not be assigned excessive or unauthorized privileges. | Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down or open in restricted mode) in addition to all privileges... |
| V-15617 | Medium | ccess to external objects should be disabled if not required and authorized. | The UTL_FILE package allows host file access from within the database using the permissions and privileges assigned to the Oracle database process or service. This package should be used with... |
| V-15613 | Medium | Each database user, application or process should have an individually assigned account. | Use of accounts shared by multiple users, applications, or processes limit the accountability for actions taken in or on the data or database. Individual accounts provide an opportunity to limit... |
| V-2574 | Medium | Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts. | The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized... |
| V-2515 | Medium | The audit table should be owned by SYS or SYSTEM. | Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to... |
| V-2517 | Medium | Oracle instance names should not contain Oracle version numbers. | Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malicious user may use that information to develop a... |
| V-2516 | Medium | Access to default accounts used to support replication should be restricted to authorized DBAs. | Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases... |
| V-2511 | Medium | Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs. | The Oracle SYS account has all database privileges assigned to it (SYSDBA). This account is used to manage the database availability status (startup and shutdown). The SYS account is used by any... |
| V-2593 | Medium | The Oracle RESOURCE_LIMIT parameter should be set to TRUE. | The Oracle RESOURCE_LIMIT parameter determines whether resource limits are enforced in database profiles. If Oracle resource limits are disabled, any defined profile limits will be ignored.
NOTE:... |
| V-3857 | Medium | The Oracle _TRACE_FILES_PUBLIC parameter if present should be set to FALSE. | The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete... |
| V-3854 | Medium | The directories assigned to the LOG_ARCHIVE_DEST* parameters should be protected from unauthorized access. | The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the... |
| V-3850 | Medium | The directory assigned to the AUDIT_FILE_DEST parameter should be protected from unauthorized access. | The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the... |
| V-15609 | Medium | Default demonstration and sample database objects and applications should be removed. | Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of... |
| V-15607 | Medium | Application objects should be owned by accounts authorized for ownership. | Database object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of... |
| V-2520 | Medium | Fixed user and public database links should be authorized for use. | Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote... |
| V-2521 | Medium | A minimum of two Oracle control files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. | Oracle control files are used to store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database files as well as at system startup to... |
| V-2522 | Medium | A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. | The Oracle redo log files store the detailed information on changes made to the database. This information is critical to database recovery in case of a database failure. |
| V-15660 | Medium | Remote database or other external access should use fully-qualified names. | The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both,... |
| V-2527 | Medium | The DBA role should not be granted to unauthorized user accounts. | The DBA role is very powerful and access to it should be restricted. Verify that any database account granted the DBA role is explicitly authorized by the IAO. In addition to full access to... |
| V-15141 | Medium | DBMS processes or services should run under custom, dedicated OS accounts. | Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of... |
| V-15142 | Medium | Asymmetric keys should use DoD PKI Certificates and be protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes. | Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to... |
| V-3820 | Medium | Production databases should be protected from unauthorized access by developers on shared production/development host systems. | Developers granted elevated database, operating system privileges on systems that support both development, and production databases can affect the operation and/or security of the production... |
| V-3821 | Medium | Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review... |
| V-3439 | Medium | Oracle system privileges should not be directly assigned to unauthorized accounts. | System privileges allow system-wide changes to the database or database objects. Unauthorized use of system privileges may jeopardize production applications, application data, or the database... |
| V-3438 | Medium | Oracle application administration roles should be disabled if not required and authorized. | Application administration roles, which are assigned system or elevated application object privileges, should be protected from default activation. Application administration roles are determined... |
| V-3437 | Medium | Application role permissions should not be assigned to the Oracle PUBLIC role. | Application roles have been granted to PUBLIC. Permissions granted to PUBLIC are granted to all users of the database. Custom roles should be used to assign application permissions to functional... |
| V-15654 | Medium | DBMS symmetric keys should be protected in accordance with NSA or NIST-approved key management technology or processes. | Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for... |
| V-15657 | Medium | Changes to DBMS security labels should be audited. | Some DBMS systems provide the feature to assign security labels to data elements. The confidentiality and integrity of the data depends upon the security label assignment where this feature is in... |
| V-15154 | Medium | Credentials stored and used by the DBMS to access remote databases or applications should be authorized and restricted to authorized users. | Credentials defined for access to remote databases or applications may provide unauthorized access to additional databases and applications to unauthorized or malicious users. |
| V-15152 | Medium | DBMS login accounts require passwords to meet complexity requirements. | The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL function to be used for password verification when users assigned this profile log in to a database. This function can be used to validate... |
| V-15153 | Medium | DBMS account passwords should be set to expire every 60 days or more frequently. | The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password,... |
| V-2424 | Medium | All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. | Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary... |
| V-15128 | Medium | DBMS application user roles should not be assigned unauthorized privileges. | Unauthorized access to the data can lead to loss of confidentiality and integrity of the data. |
| V-3808 | Medium | Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions. | Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database to be run under a more privileged security context of the database or host system. These... |
| V-16053 | Medium | The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP. | The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or... |
| V-2533 | Medium | The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts. | An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged... |
| V-2539 | Medium | Execute permission should be revoked from PUBLIC for restricted Oracle packages. | Access to the following packages should be restricted to authorized accounts only.
UTL_FILE: allows Oracle accounts to read and write files on the host operating system.
UTL_SMTP: allows messages... |
| V-3865 | Low | The XDB Protocol server should be uninstalled if not required and authorized for use. | The XML DB supports storage and retrieval of XML data objects in the Oracle Database. It requires the configuration of an Oracle shared-server dispatcher that is activated / used by the Oracle... |
| V-15114 | Low | Developers should not be assigned excessive privileges on production databases. | Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS... |
| V-2586 | Low | The Oracle O7_DICTIONARY_ACCESSIBILITY parameter should be set to FALSE. | The database data dictionary tables contain the data used by the database for database functions including database authentication and authorization as well as database configuration and control.... |
| V-3847 | Low | Database application user accounts should be denied storage usage for object creation within the database. | Tablespace storage quotas allow limits on storage use to be assigned to Oracle database users. Although this does not grant the user the privilege to create objects within the database, it... |
| V-3848 | Low | The Oracle SID should not be the default SID. | Use of the default Oracle System Identifier (SID) leaves the database vulnerable to attacks that target Oracle installations running under default SID. Using a custom name helps protect the... |
| V-15616 | Low | Sensitive data should be labeled. | The sensitivity marking or labeling of data items promotes the correct handling and protection of the data. Without such notification, the user may unwittingly disclose sensitive data to... |
| V-2519 | Low | The Oracle OS_ROLES parameter should be set to FALSE. | The OS_ROLES parameter specifies whether Oracle roles are defined and managed by the DBMS or by the host operating system. To maintain and support the separation of duties between host system... |
| V-3727 | Low | Database applications should be restricted from using static DDL statements to modify the application schema. | Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define... |
| V-15149 | Low | DBA roles assignments should be assigned and authorized by the IAO. | The DBA role and associated privileges provide complete control over the DBMS operation and integrity. DBA role assignment without authorization could lead to the assignment of these privileges to... |
| V-3823 | Low | Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or... |
| V-2531 | Low | The Oracle OS_AUTHENT_PREFIX parameter should be changed from the default value of OPS$. | The OS_AUTHENT_PREFIX parameter defines the prefix for database account names to be identified EXTERNALLY by the operating system. When set to the special value of OPS$, accounts defined with the... |
