| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-270499 | | Oracle Database must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functi... |
| V-270500 | | Oracle Database must enforce approved authorizations for logical access to the system in accordance with applicable policy. | Authentication with a DOD-approved public key infrastructure (PKI) certificate does not necessarily imply authorization to access the database managem... |
| V-270513 | | Oracle Database products must be a version supported by the vendor. | Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack ... |
| V-270516 | | The Oracle Database software installation account must be restricted to authorized users. | When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information syste... |
| V-270531 | | The Oracle Listener must be configured to require administration authentication. | Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lea... |
| V-270544 | | Database administrator (DBA) OS accounts must be granted only those host system privileges necessary for the administration of the Oracle Database. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address... |
| V-270545 | | Oracle Database default accounts must be assigned custom passwords. | Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it... |
| V-270564 | | Oracle Database must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. | The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Authentication based on user ID and password may be... |
| V-270566 | | Oracle Database, when using public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the comp... |
| V-270568 | | When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password. | The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Normally, with PKI authentication, the interaction ... |
| V-270569 | | Oracle Database must use NIST-validated FIPS 140-2/140-3 compliant cryptography for authentication mechanisms. | Use of weak or not validated cryptographic algorithms undermines the purposes of using encryption and digital signatures to protect data. Weak algorit... |
| V-270571 | | Oracle Database must implement NIST FIPS 140-2/140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographi... |
| V-270574 | | Oracle Database must take needed steps to protect data at rest and ensure confidentiality and integrity of application data. | This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and syst... |
| V-270579 | | Oracle Database must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. | Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protec... |
| V-270585 | | Oracle Database software must be evaluated and patched against newly found vulnerabilities. | Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching t... |
| V-270495 | | Oracle Database must limit the number of concurrent sessions for each system account to an organization-defined number of sessions. | Database management includes the ability to control the number of users and user sessions using a database management system (DBMS). Unlimited concurr... |
| V-270496 | | Oracle Database must protect against or limit the effects of organization-defined types of denial-of-service (DoS) attacks. | A variety of technologies exist to limit, or in some cases, eliminate the effects of DoS attacks. For example, boundary protection devices can filter ... |
| V-270497 | | Oracle Database must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. | This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with commu... |
| V-270498 | | Oracle Database must associate organization-defined types of security labels having organization-defined security label values with information in storage. | Without the association of security labels to information, there is no basis for the database management system (DBMS) to make security-related access... |
| V-270502 | | Oracle Database must provide audit record generation capability for organization-defined auditable events within the database. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-270503 | | Oracle Database must allow designated organizational personnel to select which auditable events are to be audited by the database. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or i... |
| V-270504 | | Oracle Database must generate audit records for the DOD-selected list of auditable events, when successfully accessed, added, modified, or deleted, to the extent such information is available. | Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an app... |
| V-270505 | | Oracle Database must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requireme... |
| V-270506 | | Oracle Database must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | To ensure sufficient storage capacity for the audit logs, Oracle Database must be able to allocate audit record storage capacity. Although another req... |
| V-270507 | | Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-270508 | | The Oracle Database, or the logging or alerting mechanism the application uses, must provide a warning when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. | Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the database management s... |
| V-270509 | | Oracle Database must provide an immediate real-time alert to appropriate support staff of all audit log failures. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-270510 | | The audit information produced by the Oracle Database must be protected from unauthorized access, modification, or deletion. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity i... |
| V-270511 | | The system must protect audit tools from unauthorized access, modification, or deletion. | Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and appl... |
| V-270512 | | Oracle Database must support enforcement of logical access restrictions associated with changes to the database management system (DBMS) configuration and to the database itself. | Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the sy... |
| V-270514 | | Database software, applications, and configuration files must be monitored to discover unauthorized changes. | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-270515 | | The OS must limit privileges to change the database management system (DBMS) software resident within software libraries (including privileged programs). | If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate... |
| V-270517 | | Database software directories, including database management system (DBMS) configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications. | When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information syst... |
| V-270518 | | Database objects must be owned by accounts authorized for ownership. | Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to oth... |
| V-270519 | | The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users. | If the database management system (DBMS) were to allow any user to make changes to database structure or logic, then those changes might be implemente... |
| V-270520 | | Oracle Database must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs. | Configuring the database management system (DBMS) to implement organizationwide security implementation guides and security checklists ensures complia... |
| V-270521 | | Oracle instance names must not contain Oracle version numbers. | Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, a malici... |
| V-270522 | | Fixed user and PUBLIC Database links must be authorized for use. | Database links define connections that may be used by the local Oracle database to access remote Oracle databases (homogenous links) and non-Oracle Da... |
| V-270523 | | The Oracle WITH GRANT OPTION privilege must not be granted to nondatabase administrator (DBA) or nonapplication administrator user accounts. | An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative ac... |
| V-270524 | | The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. | Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and m... |
| V-270525 | | The Oracle SQL92_SECURITY parameter must be set to TRUE. | The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete those references t... |
| V-270526 | | The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. | It is critically important to the security of the system to protect the password file and the environment variables that identify the location of the ... |
| V-270527 | | System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts. | The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning... |
| V-270528 | | System Privileges must not be granted to PUBLIC. | System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the... |
| V-270529 | | Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. | The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning priv... |
| V-270530 | | Object permissions granted to PUBLIC must be restricted. | Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissio... |
| V-270532 | | Application role permissions must not be assigned to the Oracle PUBLIC role. | Permissions granted to PUBLIC are granted to all users of the database. Custom roles must be used to assign application permissions to functional grou... |
| V-270533 | | Oracle application administration roles must be disabled if not required and authorized. | Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Appl... |
| V-270534 | | The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access. | The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the database management system (DBMS) ... |
| V-270535 | | The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. | The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use... |
| V-270536 | | Oracle Database production application and data directories must be protected from developers on shared production/development database management system (DBMS) host systems. | Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production ... |
| V-270537 | | Use of the Oracle Database installation account must be logged. | The database management system (DBMS) installation account may be used by any authorized user to perform DBMS installation or maintenance. Without log... |
| V-270538 | | The Oracle Database data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files. | Protection of database management system (DBMS) data, transaction and audit data files stored by the host operating system is dependent on OS controls... |
| V-270539 | | Network access to Oracle Database must be restricted to authorized personnel. | Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.... |
| V-270540 | | Changes to configuration options must be audited. | When standard auditing is in use, the AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account... |
| V-270541 | | The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. | <DIAGNOSTIC_DEST>/diag indicates the directory where trace, alert, core, and incident directories and files are located. The files may contain sensiti... |
| V-270542 | | Remote administration must be disabled for the Oracle connection manager. | Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or int... |
| V-270543 | | Network client connections must be restricted to supported versions. | Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to prote... |
| V-270546 | | Oracle Database must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts. | Temporary application accounts could be used in the event of a vendor support visit where a support representative requires a temporary unique account... |
| V-270547 | | Oracle Database must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours. | Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary uni... |
| V-270548 | | Oracle Database must be protected from unauthorized access by developers on shared production/development host systems. | Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and se... |
| V-270549 | | Oracle Database must verify account lockouts persist until reset by an administrator. | Anytime an authentication method is exposed, to allow for the use of an application, there is a risk that attempts will be made to obtain unauthorized... |
| V-270550 | | Oracle Database must set the maximum number of consecutive invalid logon attempts to three. | Anytime an authentication method is exposed, to allow for the use of an application, there is a risk that attempts will be made to obtain unauthorized... |
| V-270551 | | Oracle Database must disable user accounts after 35 days of inactivity. | Attackers that are able to exploit an inactive database management system (DBMS) account can potentially obtain and maintain undetected access to the ... |
| V-270552 | | Oracle Database default demonstration and sample databases, database objects, and applications must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-270553 | | Unused database components, database management system (DBMS) software, and database objects must be removed. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-270554 | | Unused database components that are integrated in the database management system (DBMS) and cannot be uninstalled must be disabled. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-270555 | | OS accounts used to run external procedures called by Oracle Database must have limited privileges. | This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address... |
| V-270556 | | Use of external executables must be authorized. | Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may no... |
| V-270557 | | Access to external executables must be disabled or restricted. | The Oracle external procedure capability provides use of the Oracle process account outside the operation of the database management system (DBMS) pro... |
| V-270558 | | Oracle Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments. | To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within d... |
| V-270559 | | Oracle Database must ensure users are authenticated with an individual authenticator prior to using a shared authenticator. | To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of users) must be individua... |
| V-270560 | | Oracle Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include org... |
| V-270561 | | Oracle Database must enforce the DOD standards for password complexity. | OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native database management system (DBMS) authentication may b... |
| V-270562 | | Procedures for establishing temporary passwords that meet DOD password requirements for new accounts must be defined, documented, and implemented. | Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it... |
| V-270563 | | Oracle Database must enforce password maximum lifetime restrictions. | Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it... |
| V-270565 | | If passwords are used for authentication, the Oracle Database must transmit only encrypted representations of passwords. | The DOD standard for authentication is DOD-approved public key infrastructure (PKI) certificates. Authentication based on user ID and password may be... |
| V-270567 | | Oracle Database must map the authenticated identity to the user account using public key infrastructure (PKI)-based authentication. | The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a database manag... |
| V-270570 | | Oracle Database must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users). | Nonorganizational users include all information system users other than organizational users which include organizational employees or individuals the... |
| V-270572 | | Oracle Database must separate user functionality (including user interface services) from database management functionality. | Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and ty... |
| V-270573 | | Oracle Database must preserve any organization-defined system state information in the event of a system failure. | Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure s... |
| V-270575 | | Oracle Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components. | Database management systems (DBMSs) handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disc... |
| V-270576 | | Oracle Database must isolate security functions from nonsecurity functions by means of separate security domains. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Se... |
| V-270577 | | Oracle Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy. | Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources... |
| V-270578 | | Access to Oracle Database files must be limited to relevant processes and to authorized, administrative users. | Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources... |
| V-270580 | | Oracle Database must check the validity of data inputs. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process ... |
| V-270581 | | The database management system (DBMS) and associated applications must reserve the use of dynamic code execution for situations that require it. | With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of t... |
| V-270582 | | The database management system (DBMS) and associated applications, when making use of dynamic code execution, must take steps against invalid values that may be used in a SQL injection attack, therefore resulting in steps to prevent a SQL injection attack. | With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of t... |
| V-270583 | | Oracle Database must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. | Any database management system (DBMS) or associated application providing too much information in error messages on the screen or printout risks compr... |
| V-270584 | | Oracle Database must restrict error messages so only authorized personnel may view them. | Any database management system (DBMS) or associated application providing too much information in error messages on the screen or printout risks compr... |
| V-270587 | | Oracle Database must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a). | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication (MFA). Long pass... |
| V-270588 | | Oracle Database must, for password-based authentication, require immediate selection of a new password upon account recovery. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication (MFA). Long pass... |
| V-270589 | | Oracle Database must include only approved trust anchors in trust stores or certificate stores managed by the organization. | Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the inter... |
| V-275999 | | A minimum of three Oracle Control Files must be created and each stored on a separate physical and logical device. | Oracle control files store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database fil... |
| V-276000 | | A minimum of three Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. In addition, each Oracle redo log group must have a minimum of two Oracle redo log members (files). | The Oracle Database Redo Log files store detailed transactional information on changes made to the database using SQL Data Manipulation Language (DML)... |
| V-270501 | | Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action. | Nonrepudiation of actions taken is required to maintain application integrity. Examples of particular actions taken by individuals include creating in... |