oracle database security checklist v8 r1.3

UNCLASSIFIED

ORACLE DATABASE

SECURITY CHECKLIST

Version 8, Release 1.3

31 March 2009

Developed by DISA for the DoD

UNCLASSIFIED

This page is intentionally left blank.

Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations Defense Information Systems Agency

UNCLASSIFIED

i V8R1.3 Mar 2009

TABLE OF CONTENTS

1. INTRODUCTION ........................................................................................................................... 1-1

1.1 OVERVIEW ................................................................................................................................ 1-1 1.2 ORGANIZATION OF THE CHECKLIST .......................................................................................... 1-1 1.3 SUPPORTED VERSIONS .............................................................................................................. 1-3 1.4 DOCUMENT EFFECTIVE DATE ................................................................................................... 1-3 1.5 REVIEW METHOD...................................................................................................................... 1-3 1.6 REFERENCED DOCUMENTS........................................................................................................ 1-3

2. ORACLE DATABASE SRR RESULTS REPORT ...................................................................... 2-1

2.1 SITE INFORMATION ................................................................................................................... 2-1 2.2 SYSTEM INFORMATION ............................................................................................................. 2-2 2.3 SRR RESULTS ........................................................................................................................... 2-1

3. ORACLE DATABASE SERVER SECURITY REVIEW PROCEDURES ............................... 3-1

3.1 REVIEW PROCESS NOTES .......................................................................................................... 3-1 3.2 IAVM COMPLIANCE ................................................................................................................. 3-2 3.3 REVIEW TOOLS AND INTERFACES ............................................................................................. 3-2 3.4 SYSTEM SECURITY PLAN OVERVIEW ........................................................................................ 3-3 3.5 AUTOMATED INFORMATION SYSTEM (AIS) FUNCTIONAL ARCHITECTURE DOCUMENT............ 3-4 3.6 SENSITIVE DATA PROTECTION AND DEFINITION ....................................................................... 3-4 3.7 PROCESS NOTES........................................................................................................................ 3-5 3.8 CHECK REFERENCE NUMBERING SCHEME ................................................................................ 3-5 3.9 DOCUMENTATION CONVENTIONS ............................................................................................. 3-6 3.10 PROCEDURE TABLE DATA......................................................................................................... 3-6

4. ORACLE DATABASE AUTOMATED CHECK PROCEDURES ............................................ 4-8

4.1 DO0240: ORACLE OS_ROLES PARAMETER ............................................................................ 4-8 4.2 DO0241: ORACLE AUDIT_SYS_OPERATIONS PARAMETER................................................ 4-9 4.3 DO0242: ORACLE GLOBAL_NAMES PARAMETER .............................................................. 4-10 4.4 DO0243: ORACLE _TRACE_FILES_PUBLIC PARAMETER .................................................. 4-11 4.5 DO3413: ORACLE AUDIT_TRAIL PARAMETER .................................................................... 4-12 4.6 DO3447: ORACLE OS_AUTHENT_PREFIX PARAMETER..................................................... 4-13 4.7 DO3538: ORACLE REMOTE_OS_AUTHENT PARAMETER .................................................. 4-14 4.8 DO3539: ORACLE REMOTE_OS_ROLES PARAMETER ........................................................ 4-15 4.9 DO3540: ORACLE SQL92_SECURITY PARAMETER ............................................................. 4-16 4.10 DO3546: ORACLE REMOTE_LOGIN_PASSWORDFILE PARAMETER ............................... 4-17 4.11 DO3547: ORACLE UTL_FILE_DIR PARAMETER ................................................................... 4-18 4.12 DO3685: ORACLE O7_DICTIONARY_ACCESSIBILITY PARAMETER ............................... 4-19 4.13 DO3696: ORACLE RESOURCE_LIMIT PARAMETER ............................................................ 4-20 4.14 DO3698: ORACLE DBLINK_ENCRYPT_LOGIN PARAMETER............................................. 4-21 4.15 DO6748: ORACLE SEC_CASE_SENSITIVE_LOGON PARAMETER..................................... 4-22 4.16 DO6749: ORACLE SEC_MAX_FAILED_LOGIN_ATTEMPTS PARAMETER....................... 4-23 4.17 DO6750: ORACLE SEC_PROTOCOL_ERROR_FURTHER_ACTION PARAMETER ........... 4-24 4.18 DO6752: ORACLE SEC_PROTOCOL_ERROR_TRACE_ACTION PARAMETER................. 4-25 4.19 DG0117: DBMS ADMINISTRATIVE PRIVILEGE ASSIGNMENT .................................................. 4-26 4.20 DO0155: ORACLE DEFAULT TABLESPACE ASSIGNMENT ......................................................... 4-27 4.21 DO3451: WITH GRANT OPTION PRIVILEGES ..................................................................... 4-28 4.22 DO3609: SYSTEM PRIVILEGES GRANTED WITH ADMIN OPTION ....................................... 4-29 4.23 DO3612: ORACLE SYSTEM PRIVILEGE ASSIGNMENT ............................................................... 4-30 4.24 DO3473: APPLICATION USER ROLE PRIVILEGES...................................................................... 4-31 4.25 DO3475: ORACLE PUBLIC ACCESS TO RESTRICTED PACKAGES ............................................ 4-32 4.26 DO3686: ORACLE SYS.LINK$ TABLE ACCESS (10.1 AND EARLIER) ...................................... 4-34 4.27 DO3689: ORACLE OBJECT PERMISSION ASSIGNMENT TO PUBLIC ......................................... 4-35


UNCLASSIFIED

ii V8R1.3 Mar 2009

4.28 DO0170: ORACLE PREDEFINED ROLES.................................................................................... 4-36 4.29 DO0320: ORACLE PUBLIC ROLE PRIVILEGES ........................................................................ 4-38 4.30 DO3709: ORACLE DIRECT PRIVILEGE ASSIGNMENT TO ACCOUNTS ......................................... 4-39 4.31 DG0133: DBMS ACCOUNT LOCK TIME .................................................................................. 4-41 4.32 DO0400: ORACLE DEMO APPLICATIONS AND ACCOUNTS........................................................ 4-42 4.33 DO3445: ORACLE DEFAULT ACCOUNT PASSWORDS................................................................ 4-44 4.34 DO3487: ORACLE PASSWORD REUSE RESTRICTIONS............................................................... 4-52 4.35 DO3504: ORACLE PASSWORD_VERIFY_FUNCTION PROFILE PARAMETER .................... 4-54 4.36 DO3537: ORACLE FAILED_LOGIN_ATTEMPTS PROFILE PARAMETER ............................. 4-60 4.37 DO0270: ORACLE REDO LOG FILE AVAILABILITY ................................................................... 4-62 4.38 DO3610: ORACLE MINIMUM OBJECT AUDITING ...................................................................... 4-63 4.39 DO3692: ORACLE AUDITED EVENTS ....................................................................................... 4-65

5. ORACLE DATABASE INTERVIEW CHECK PROCEDURES ............................................. 5-67

5.1 DG0030: DBMS AUDIT DATA MAINTENANCE ........................................................................ 5-67 5.2 DG0076: SENSITIVE DATA IMPORT TO DEVELOPMENT DBMS................................................ 5-68 5.3 DG0080: APPLICATION USER PRIVILEGE ASSIGNMENT REVIEW .............................................. 5-69 5.4 DG0165: DBMS SYMMETRIC KEY MANAGEMENT .................................................................. 5-70 5.5 DG0138: DBMS ACCESS TO SENSITIVE DATA......................................................................... 5-71 5.6 DG0074: DBMS INACTIVE ACCOUNTS ................................................................................... 5-72 5.7 DO0140: ORACLE DEFAULT ACCOUNT ACCESS....................................................................... 5-73 5.8 DG0031: DBMS AUDIT OF CHANGES TO DATA ....................................................................... 5-74 5.9 DG0135: DBMS CONNECTION ALERT .................................................................................... 5-75

6. ORACLE DATABASE MANUAL CHECK PROCEDURES................................................... 6-76

6.1 DG0060: DBMS SHARED ACCOUNT AUTHORIZATION ............................................................ 6-76 6.2 DG0070: DBMS USER ACCOUNT AUTHORIZATION ................................................................. 6-77 6.3 DG0089: DEVELOPER DBMS PRIVILEGES ON PRODUCTION DATABASES ................................ 6-78 6.4 DG0100: REPLICATION ACCOUNT PRIVILEGES........................................................................ 6-79

7. ORACLE DATABASE VERIFY CHECK PROCEDURES ..................................................... 7-80

7.1 DG0166: PROTECTION OF DBMS ASYMMETRIC ENCRYPTION KEYS ....................................... 7-80 7.2 DO0233: ORACLE DIAGNOSTIC_DEST PARAMETER .......................................................... 7-82 7.3 DO0234: ORACLE AUDIT_FILE_DEST PARAMETER ........................................................... 7-84 7.4 DO0235: ORACLE USER_DUMP_DEST PARAMETER .......................................................... 7-86 7.5 DO0236: ORACLE BACKGROUND_DUMP_DEST PARAMETER......................................... 7-88 7.6 DO0237: ORACLE CORE_DUMP_DEST PARAMETER .......................................................... 7-90 7.7 DO0238: ORACLE LOG_ARCHIVE_DEST PARAMETER ...................................................... 7-92 7.8 DG0112: DBMS DATA FILE PROTECTION ............................................................................... 7-94 7.9 DO0275: ORACLE CRITICAL FILE ACCESS ............................................................................... 7-95 7.10 DG0015: DATA DEFINITION LANGUAGE USE.......................................................................... 7-97 7.11 DO0157: ORACLE STORAGE USE PRIVILEGES.......................................................................... 7-98 7.12 DO0350: ORACLE SYSTEM PRIVILEGE ASSIGNMENT ............................................................... 7-99 7.13 DO3622: ORACLE ROLES GRANTED WITH ADMIN OPTION ............................................. 7-101 7.14 DG0077: PRODUCTION DATA PROTECTION ON A SHARED SYSTEM........................................ 7-102 7.15 DO0150: ORACLE OBJECT OWNERSHIP ................................................................................. 7-104 7.16 DO0190: ORACLE AUDIT TABLE OWNERSHIP ........................................................................ 7-106 7.17 DO0231: ORACLE APPLICATION OBJECT OWNER TABLESPACES............................................ 7-107 7.18 DO0310: ORACLE SYSTEM DATA AND TABLE ACCESS .......................................................... 7-108 7.19 DO3446: ORACLE AUDIT RECORD ACCESS............................................................................ 7-110 7.20 DO0340: ORACLE APPLICATION ADMINISTRATION ROLES ENABLEMENT.............................. 7-111 7.21 DO3440: ORACLE DBA ROLE ASSIGNMENT ......................................................................... 7-112 7.22 DG0071: PASSWORD CHANGE VARIANCE ............................................................................. 7-113 7.23 DG0072: DBMS PASSWORD CHANGE TIME LIMIT................................................................. 7-115 7.24 DG0127: DBMS ACCOUNT PASSWORD EASILY GUESSED ..................................................... 7-117 7.25 DO0160: ORACLE APPLICATION OBJECT OWNER ACCOUNTS ................................................ 7-119


UNCLASSIFIED

iii V8R1.3 Mar 2009

7.26 DO0210: ORACLE SHARED REPLICATION ACCOUNT ACCESS................................................. 7-121 7.27 DO3485: ORACLE PASSWORD_LIFE_TIME PROFILE PARAMETER................................... 7-122 7.28 DO3536: ORACLE IDLE_TIME PROFILE PARAMETER.......................................................... 7-124 7.29 DO0380: ORACLE SYSDBA PASSWORD FILE USERS ............................................................ 7-126 7.30 DG0075: DBMS LINKS TO EXTERNAL DATABASES............................................................... 7-127 7.31 DG0087: DBMS SENSITIVE DATA LABELING........................................................................ 7-129 7.32 DG0091: DBMS SOURCE CODE ENCODING OR ENCRYPTION................................................. 7-130 7.33 DG0172: DBMS CLASSIFICATION LEVEL AUDIT................................................................... 7-132 7.34 DO0220: ORACLE INSTANCE NAMES .................................................................................... 7-133 7.35 DO0221: ORACLE DEFAULT SID NAME ................................................................................ 7-134 7.36 DO0250: ORACLE DATABASE LINK USAGE ........................................................................... 7-135 7.37 DO0260: ORACLE CONTROL FILE AVAILABILITY .................................................................. 7-136 7.38 DO0420: ORACLE XML DB................................................................................................. 7-137

8. ORACLE HOME AUTOMATED CHECK PROCEDURES ................................................. 8-138

8.1 DG0003: DBMS PATCHSET/CPU SECURITY PATCH LEVEL................................................... 8-138 8.2 DO0100: ORACLE VERSION SUPPORT ................................................................................... 8-141

9. ORACLE HOME INTERVIEW CHECK PROCEDURES .................................................... 9-143

9.1 DG0010: DBMS SOFTWARE MONITORING............................................................................ 9-143 9.2 DG0011: DBMS CONFIGURATION MANAGEMENT ............................................................... 9-144 9.3 DG0013: DATABASE BACKUP PROCEDURES ......................................................................... 9-145 9.4 DG0020: DBMS BACKUP AND RECOVERY TESTING.............................................................. 9-147 9.5 DG0050: DBMS SOFTWARE AND CONFIGURATION FILE MONITORING.................................. 9-148 9.6 DG0053: DBMS CLIENT CONNECTION DEFINITION FILE ....................................................... 9-150 9.7 DG0066: TEMPORARY PASSWORD PROCEDURES .................................................................. 9-151 9.8 DG0067: DBMS ACCOUNT PASSWORD EXTERNAL STORAGE................................................ 9-152 9.9 DG0068: DBMS APPLICATION PASSWORD DISPLAY ............................................................. 9-153 9.10 DG0069: PRODUCTION DATA IMPORT TO DEVELOPMENT DBMS ......................................... 9-154 9.11 DG0083: AUDIT RECORD REPORT AUTOMATION................................................................... 9-155 9.12 DG0086: DBA ROLE PRIVILEGE MONITORING ...................................................................... 9-156 9.13 DG0088: DBMS VULNERABILITY MGMT AND IA COMPLIANCE TESTING.............................. 9-157 9.14 DG0095: DBMS AUDIT TRAIL DATA REVIEW ....................................................................... 9-158 9.15 DG0096: DBMS IA POLICY AND PROCEDURE REVIEW ......................................................... 9-159 9.16 DG0097: DBMS TESTING PLANS AND PROCEDURES ........................................................... 9-160 9.17 DG0107: SENSITIVE DATA IDENTIFICATION IN THE DBMS................................................... 9-161 9.18 DG0108: DBMS RESTORATION PRIORITY............................................................................. 9-162 9.19 DG0110: DBMS HOST SHARED WITH A SECURITY SERVICE.................................................. 9-163 9.20 DG0154: DBMS SYSTEM SECURITY PLAN........................................................................... 9-164 9.21 DG0159: REVIEW OF DBMS REMOTE ADMINISTRATIVE ACCESS.......................................... 9-165 9.22 DG0161: DBMS AUDIT TOOL ............................................................................................... 9-166 9.23 DG0186: DBMS NETWORK PERIMETER PROTECTION ........................................................... 9-167 9.24 DG0187: DBMS SOFTWARE FILE BACKUPS .......................................................................... 9-168 9.25 DG0194: DBMS DEVELOPER PRIVILEGE MONITORING ON SHARED DBMS .......................... 9-169 9.26 DG0064: DBMS BACKUP AND RESTORATION FILE PROTECTION........................................... 9-170 9.27 DG0118: IAM REVIEW OF CHANGE IN DBA ASSIGNMENTS .................................................. 9-171 9.28 DG0040: DBMS SOFTWARE OWNER ACCOUNT ACCESS........................................................ 9-172 9.29 DG0041: DBMS INSTALLATION ACCOUNT USE LOGGING..................................................... 9-173 9.30 DG0042: DBMS SOFTWARE INSTALLATION ACCOUNT USE .................................................. 9-174

10. ORACLE HOME MANUAL CHECK PROCEDURES........................................................ 10-175

10.1 DG0017: DBMS SHARED PRODUCTION/DEVELOPMENT USE............................................... 10-175 10.2 DG0021: DBMS SOFTWARE AND CONFIGURATION BASELINE ............................................ 10-177 10.3 DG0052: DBMS SOFTWARE ACCESS AUDIT ....................................................................... 10-178 10.4 DG0054: DBMS SOFTWARE ACCESS AUDIT REVIEW .......................................................... 10-179 10.5 DG0109: DBMS DEDICATED HOST.................................................................................... 10-180


UNCLASSIFIED

iv V8R1.3 Mar 2009

10.6 DG0175: DBMS HOST AND COMPONENT STIG COMPLIANCY ............................................ 10-182 10.7 DG0176: DBMS AUDIT LOG BACKUPS ............................................................................... 10-183 10.8 DG0012: DBMS SOFTWARE STORAGE LOCATION .............................................................. 10-184 10.9 DG0019: DBMS SOFTWARE OWNERSHIP............................................................................ 10-185 10.10 DG0092: DBMS DATA FILE ENCRYPTION........................................................................... 10-187 10.11 DG0195: DBMS HOST FILE PRIVILEGES ASSIGNED TO DEVELOPERS................................... 10-188 10.12 DO0133: ORACLE CONNECTION CREDENTIAL PROTECTION ................................................ 10-189 10.13 DO3847: ORACLE SPOOLMAIN.LOG FILE (ORACLE 9I) ........................................................ 10-191 10.14 DO5037: ORACLE SQLNET AND LISTENER LOG FILES PROTECTION ................................... 10-192 10.15 DG0140: DBMS SECURITY DATA ACCESS AUDIT ............................................................... 10-195 10.16 DO0145: ORACLE SYSDBA OS GROUP MEMBERSHIP ....................................................... 10-196 10.17 DG0025: DBMS ENCRYPTION COMPLIANCE ...................................................................... 10-197 10.18 DG0093: REMOTE ADMINISTRATION ENCRYPTION FOR CONFIDENTIALITY ......................... 10-199 10.19 DG0103: DBMS LISTENER NETWORK RESTRICTIONS ......................................................... 10-201 10.20 DG0167: ENCRYPTION OF DBMS SENSITIVE DATA IN TRANSIT.......................................... 10-203 10.21 DG0198: DBMS REMOTE ADMINISTRATION ENCRYPTION.................................................. 10-204 10.22 DO0285: ORACLE LISTENER NETWORK PORT ASSIGNMENT ................................................ 10-205 10.23 DO0286: ORACLE CONNECTION TIMEOUT PARAMETER ...................................................... 10-206 10.24 DO0287: ORACLE SQLNET.EXPIRE_TIME PARAMETER ................................................ 10-208 10.25 DO3630: ORACLE LISTENER AUTHENTICATION .................................................................. 10-209 10.26 DO6740: ORACLE LISTENER ADMIN_RESTRICTIONS PARAMETER............................... 10-213 10.27 DO6746: ORACLE LISTENER HOST REFERENCES................................................................. 10-214 10.28 DO6747: CONNECTION MANAGER REMOTE ADMINISTRATION ........................................... 10-215 10.29 DO6751: SQLNET.ALLOWED_LOGON_VERSION ..................................................... 10-216 10.30 DG0005: DBMS ADMINISTRATION OS ACCOUNTS............................................................. 10-217 10.31 DO0120: ORACLE PROCESS ACCOUNT HOST SYSTEM PRIVILEGES....................................... 10-219 10.32 DO0121: ORACLE SERVICE AND PROCESS DEDICATED ACCOUNTS...................................... 10-221 10.33 DO0279: ORACLE SOFTWARE OWNER UMASK SETTING ...................................................... 10-223 10.34 DG0016: DBMS UNUSED COMPONENTS ............................................................................. 10-225 10.35 DO6754: ORACLE CONFIGURATION MANAGER .................................................................. 10-227 10.36 DG0104: DBMS SERVICE IDENTIFICATION......................................................................... 10-228 10.37 DG0106: DATABASE DATA ENCRYPTION CONFIGURATION ................................................. 10-230 10.38 DO0280: ORACLE EXTERNAL PROCEDURE ACCESS............................................................. 10-231 10.39 DO5036: ORACLE NET TRACE_LEVEL........................................................................... 10-236

11. ORACLE HOME VERIFY CHECK PROCEDURES........................................................... 11-238

11.1 DG0051: DATABASE JOB/BATCH QUEUE MONITORING ....................................................... 11-238 11.2 DG0090: SENSITIVE DATA IDENTIFICATION AND ENCRYPTION ........................................... 11-240 11.3 DO0360: DBMS MID-TIER APPLICATION ACCOUNT ACCESS ............................................... 11-242 11.4 DG0002: DBMS VERSION UPGRADE PLAN ......................................................................... 11-244 11.5 DO6753: ORACLE APPLICATION EXPRESS.......................................................................... 11-246 11.6 DG0179: DBMS WARNING BANNER ................................................................................... 11-247 11.7 DO0430: ORACLE MANAGEMENT AGENT USE..................................................................... 11-250

12. APPENDIX A – IAVM BULLETIN COMPLIANCE............................................................ 12-252

13. APPENDIX B – RECORD OF CHANGES............................................................................. 13-253

14. APPENDIX C – VMS SRR PROCESS GUIDE FOR ORACLE DB SERVER................... 14-254

14.1 VMS TERMINOLOGY .......................................................................................................... 14-254 14.2 DATABASE VMS MAINTENANCE ........................................................................................ 14-255

15. APPENDIX D – VMS KEY AND STIGID CROSS REFERENCE AND INDEX............... 15-259

16. APPENDIX E – STIG STIGID / CHECKLIST DISCREPANCY LIST .............................. 16-263


UNCLASSIFIED

1-1 V8R1.3 Mar 2009

1. Introduction

1.1 Overview

The Oracle Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations specific to databases. Additionally, the review ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure. The items reviewed are derived from the general requirements listed in the Database Security Technical Implementation Guide (STIG) as they apply to an Oracle Database Server installation. The Database STIG requirements are in turn derived from DoD policy documents, most notably, Department of Defense (DoD) Directive 8500.1 and DoD Instruction 8500.2 and the Information Assurance (IA) Controls defined therein. This document and the security check procedures it provides are intended to be used to measure compliance with the security requirements listed in the Database STIG. Please see the Database STIG for additional security explanation and discussion to assist in understanding the nature of the security requirements. Each security item to review is listed in this document with a procedure for measuring compliance with the security requirement. The result of the procedure is a status of compliance with the requirement. Results are assigned as one of the following: O = Open finding or non-compliance; NF = not a Finding or compliance; NA = Not Applicable or the item is not applicable to the database version, database use or host platform being reviewed; and, NR = Not Reviewed or the procedure was not completed so compliance is not determined. DISA Field Security Operations (FSO) has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, super user access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. NOTE: Security patches required by the DoD IAVM process are reviewed during an operating system security review.

1.2 Organization of the Checklist

The Database Security Checklist is composed of five major sections and three appendices. The organizational breakdown proceeds as follows:


UNCLASSIFIED

1-2 V8R1.3 Mar 2009

Section 1 Introduction

This section contains summary information about the sections and appendices that comprise the Oracle Database Security Checklist

V8, and defines its scope. Supporting documents consulted are listed in this section.

Section 2 SRR Result Report

This section is the matrix that provides a table list for the reviewer manually to document review results of the generic (not product-specific) SRR process for databases.

Section 3 Checklist Procedures

This section includes instruction to the reviewer on how to proceed with the conduct of the Oracle Database security review. It includes a list of interfaces and tools required to complete the review.

Sections 4-7 Oracle Database Check Procedures

These sections include the procedures to determine the final finding result for each check against the Oracle Database.

Sections 8-11 Oracle Home Check Procedures

These sections include the procedures to determine the final finding result for each check against the Oracle Home or software installation.

Appendix A Information Assurance Vulnerability Management (IAVM) Bulletin Compliance

IAVM’s issued against the Oracle Database Server are assigned to the host platform. This section provides this information.

Appendix B Record of Changes

This appendix summarizes the changes made to this document.

Appendix C VMS Oracle SRR Process Guide for Databases

This appendix provides instructions for entering SRR results into VMS.

Appendix D STIGID/VMS Key cross reference and index

This appendix provides a cross reference of VMS key and STIGID check ref numbers with page references.


UNCLASSIFIED

1-3 V8R1.3 Mar 2009

Appendix E STIG STIGID / CHECKLIST DISCREPANCY LIST

This appendix contains a list of general requirements listed in the Database STIG that are not directly addressed in this checklist.

1.3 Supported Versions

This checklist provides instructions for review of Oracle Database Server versions 9.2 through version 11.1.

1.4 Document Effective Date

This document is current as of the release date. Updates are made to update underlying DoD policy or to correct errors, omissions, or to clarify guidance.

1.5 Review Method

The goal is to perform a successful Security Readiness Review (SRR) of an Oracle database. An SRR evaluation script that measures compliance for some check items listed in this document is available. These checks show Check Type: Auto in the informational table supplied for the check. Checks may also be marked as Check Type: Interview, Manual or Verify. In these cases, the script cannot determine the outcome of the script results and manual procedures are required to complete the check.

1.6 Referenced Documents

The following table enumerates the documents and resources consulted:

Date Document Description 19 Sep 2007 Database Security Technical Implementation Guide, Version 8.1

Release 1


UNCLASSIFIED

2-1 V8R1.3 Mar 2009

2. Oracle Database SRR Results Report

Unclassified UNTIL FILLED IN CIRCLE ONE

FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on classification of system reviewed:

Unclassified System = FOUO Checklist Confidential System = CONFIDENTIAL Checklist Secret System = SECRET Checklist Top Secret System = SECRET Checklist

This checklist will become effective on 15 Jun 2008.

Reviewer:

Date:

System:

Type of Review (Remote, Sample, Full):_____________

Finding Totals: Comments:

Category I:

Category II:

Category III:

Total:

2.1 Site Information

Site:

System Administrator Information: Name:

E-mail Address:

Phone # (Commercial): ( ) DSN:

IAO Information: Name:

E-Mail Address

Phone # (Commercial) ( ) DSN:

DBA Information: Name:

E-mail Address:

Phone # (Commercial): ( ) DSN:


UNCLASSIFIED

2-2 V8R1.3 Mar 2009

2.2 System Information

System Detail

System ID or Host Name

Hardware Platform

Operating System

Operating System Version

Relational Database Management System

Relational Database Management System Version

RDBMS Software OS Owner Account Name

Database Instance Identifier

COTS/GOTS Application / Schema Name(s)

Application Software OS Owner Account Name

Instance IP Port Listening on

Number/Name of Other Instances/RDBMS on this Host

Summary of Database SRR Findings By Category

Actual

Category

Total Possible Findings Findings

Category I 10

Category II 134

Category III 24

Total Findings 168


UNCLASSIFIED

2-1 V8R1.3 Mar 2009

2.3 SRR Results

Method: Auto = Automated by script Verify = Script returns information to complete review Manual = Script does not provide data. Results determined by following technical procedure Interview = Results determined by examining documentation and interviewing responsible personnel (usually IAO or DBA)

Listed in order of STIGID / VMSKEY

Page Method Result Finding Details STIGID/

VMSKEY

Short Description CAT

4-8 Auto o Open Finding o Not a Finding o Not Applicable o Not Reviewed

The OS_ROLES configuration parameter is not set to FALSE

DO0240 / V0002519

Oracle OS_ROLES parameter

CAT 3


The AUDIT_SYS_OPERATIONS parameter is not set to TRUE

DO0241 / V0003855

Oracle AUDIT_SYS_OPERATIONS parameter

CAT 2


The GLOBAL_NAMES parameter is not set to TRUE

DO0242 / V0003856

Oracle GLOBAL_NAMES parameter

CAT 3


The _TRACE_FILES_PUBLIC parameter is present and set to TRUE

DO0243 / V0003857

Oracle _TRACE_FILES_PUBLIC parameter

CAT 2


UNCLASSIFIED

2-2 V8R1.3 Mar 2009


VMSKEY



The AUDIT_TRAIL parameter is set to NONE

DO3413 / V0002523

Oracle AUDIT_TRAIL parameter

CAT 2


The OS_AUTHENT_PREFIX has not been set to a value other than OPS$.

DO3447 / V0002531

Oracle OS_AUTHENT_PREFIX parameter

CAT 3


The REMOTE_OS_AUTHENT configuration parameter is set to TRUE.

DO3538 / V0002554

Oracle REMOTE_OS_AUTHENT parameter

CAT 1


The REMOTE_OS_ROLES configuration parameter is set to TRUE.

DO3539 / V0002555

Oracle REMOTE_OS_ROLES parameter

CAT 1


The SQL92_SECURITY configuration parameter is not set to TRUE.

DO3540 / V0002556

Oracle SQL92_SECURITY parameter

CAT 2


The REMOTE_LOGIN_PASSWORDFILE is set to SHARED.

DO3546 / V0002558

Oracle REMOTE_LOGIN_PASSWORDFILE parameter

CAT 2


The UTL_FILE_DIR configuration parameter is set to *.

DO3547 / V0002559

Oracle UTL_FILE_DIR parameter

CAT 1


UNCLASSIFIED

2-3 V8R1.3 Mar 2009


VMSKEY



The O7_DICTIONARY_ACCESSIBILITY configuration parameter is set to TRUE.

DO3685 / V0002586

Oracle O7_DICTIONARY_ACCESSIBILITY parameter

CAT 3


The RESOURCE_LIMIT configuration parameter is set to FALSE.

DO3696 / V0002593

Oracle RESOURCE_LIMIT parameter

CAT 2


The DBLINK_ENCRYPT_LOGIN configuration parameter is set to FALSE.

DO3698 / V0002595

Oracle DBLINK_ENCRYPT_LOGIN parameter

CAT 1


Case sensitivity for passwords is disabled.

DO6748 / V0016033

Oracle SEC_CASE_SENSITIVE_LOGON parameter

CAT 2


The Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter is set to 0 or greater than 10.

DO6749 / V0016035

Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter

CAT 2


The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter is not set to DELAY or DROP.

DO6750 / V0016053

Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter

CAT 2


The Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter is set to NONE.

DO6752 / V0016054

Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter

CAT 2


UNCLASSIFIED

2-4 V8R1.3 Mar 2009


VMSKEY



Administrative privileges have been directly assigned to database accounts and not assigned via roles.

DG0117 / V0015627

DBMS administrative privilege assignment

CAT 2


The following user accounts have the SYSTEM tablespace specified as the default tablespace:

DO0155 / V0003846

Oracle default tablespace assignment

CAT 2


Users have been granted object permissions with the WITH GRANT OPTION.

DO3451 / V0002533

WITH GRANT OPTION privileges

CAT 2


Unauthorized users have been granted system privileges with the WITH ADMIN OPTION.

DO3609 / V0002561

System privileges granted WITH ADMIN OPTION

CAT 2


System privileges have been granted to PUBLIC.

DO3612 / V0002564

Oracle system privilege assignment

CAT 2


Alter, index, and/or reference object privileges have been granted to unauthorized database user accounts.

DO3473 / V0002537

Application user role privileges

CAT 2


PUBLIC has been granted execute permissions on one or more of the restricted packages: UTL_FILE, UTL_SMTP, UTL_TCP, UTL_HTTP, DBMS_RANDOM, DBMS_LOB, DBMS_SQL, DBMS_SYS_SQL, DBMS_JOB,

DO3475 / V0002539

Oracle PUBLIC access to restricted packages

CAT 2


UNCLASSIFIED

2-5 V8R1.3 Mar 2009


VMSKEY


DBMS_BACKUP_RESTORE, DBMS_OBFUSCATION_TOOLKIT


Oracle accounts have permission to view the table SYS.LINK$.

DO3686 / V0002587

Oracle SYS.LINK$ table access (10.1 and earlier)

CAT 1


Permissions to application objects found granted to PUBLIC.

DO3689 / V0002589

Oracle object permission assignment to PUBLIC

CAT 2


Oracle predefined roles are granted to application roles, application users, or application administrators.

DO0170 / V0002514

Oracle predefined roles CAT 2


Application roles have been granted to PUBLIC.

DO0320 / V0003437

Oracle PUBLIC role privileges

CAT 2


Permissions are assigned directly to user accounts and not via roles.

DO3709 / V0002596

Oracle direct privilege assignment to accounts

CAT 2


Unlimited account lock times are not specified for locked accounts.

DG0133 / V0015639

DBMS Account lock time CAT 2


UNCLASSIFIED

2-6 V8R1.3 Mar 2009


VMSKEY



Demonstration accounts and applications exist in the database.

DO0400 / V0003444

Oracle demo applications and accounts

CAT 2


Passwords for default accounts have not been changed from their default values.

DO3445 / V0002529

Oracle default account passwords

CAT 1


Profiles have been found that exceed either the maximum PASSWORD_REUSE_MAX number or the maximum PASSWORD_REUSE_TIME.

DO3487 / V0002541

Oracle password reuse restrictions

CAT 2


Profiles have been found without a password verification function specified.

DO3504 / V0002543

Oracle PASSWORD_VERIFY_FUNCTION profile parameter

CAT 2


The failed login attempts have not been set to a maximum of 3 for interactive accounts.

DO3537 / V0002553

Oracle FAILED_LOGIN_ATTEMPTS profile parameter

CAT 2


Two or more redo log file groups located on separate physical disks and with two members each have not been configured.

DO0270 / V0002522

Oracle redo log file availability

CAT 2


Application objects are not being audited for RENAME. Default object auditing for RENAME actions by access has not been enabled. The AUD$ table is not being audited for update and delete actions.

DO3610 / V0002562

Oracle minimum object auditing

CAT 2


UNCLASSIFIED

2-7 V8R1.3 Mar 2009


VMSKEY



Oracle auditing is not configured to audit all required events.

DO3692 / V0002592

Oracle audited events CAT 2

5-67 Interview o Open Finding o Not a Finding o Not Applicable o Not Reviewed

Audit trail data is not maintained for one year.

DG0030 / V0002507

DBMS audit data maintenance

CAT 2


Sensitive information from production database exports remains unmodified after import to a development database.

DG0076 / V0003819

Sensitive data import to development DBMS

CAT 2


Application user privilege assignment is not reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.

DG0080 / V0003821

Application user privilege assignment review

CAT 2


DBMS symmetric keys are not protected in accordance with NSA or NIST-approved key management technology or processes.

DG0165 / V0015654

DBMS symmetric key management

CAT 2


Configured access controls do not match those found in the System Security Plan.

DG0138 / V0015642

DBMS access to sensitive data

CAT 2


Insufficient documentation and implemented procedures exists for monitoring DBMS accounts.

DG0074 / V0015130

DBMS inactive accounts CAT 2


UNCLASSIFIED

2-8 V8R1.3 Mar 2009


VMSKEY



Access to the Oracle Internal account is not restricted to authorized DBAs.

DO0140 / V0002511

Oracle default account access

CAT 2


Transaction logs are not being reviewed for unauthorized modification of classified data. Users are not notified of the last time and date of modification to classified data.

DG0031 / V0015133

DBMS audit of changes to data

CAT 2


Users are not alerted upon login of previous successful connections or unsuccessful attempts to access their account.

DG0135 / V0015641

DBMS connection alert CAT 2

6-76 Manual o Open Finding o Not a Finding o Not Applicable o Not Reviewed

Unauthorized non-interactive, n-tier connection, or shared database accounts exist.

DG0060 / V0002424

DBMS shared account authorization

CAT 2


Unauthorized database accounts have been found.

DG0070 / V0002508

DBMS user account authorization

CAT 2


Privileges assigned to developers on a production system are not restricted to development objects and configurations.

DG0089 / V0015114

Developer DBMS privileges on production databases

CAT 3


Replication accounts are granted DBA privileges.

DG0100 / V0015619

Replication account privileges

CAT 2


UNCLASSIFIED

2-9 V8R1.3 Mar 2009


VMSKEY


7-80 Verify o Open Finding o Not a Finding o Not Applicable o Not Reviewed

Asymmetric keys used by the DBMS for encryption of sensitive data do not use DoD PKI Certificates. Private keys used by the DBMS are not protected in accordance with NIST (unclassified data) or NSA (classified data) approved key management and processes.

DG0166 / V0015142

Protection of DBMS asymmetric encryption keys

CAT 2


The diagnostic destination files and directories are not protected from unauthorized access.

DO0233 / V0015747

Oracle DIAGNOSTIC_DEST parameter

CAT 2


The audit file destination directory is not protected from unauthorized access.

DO0234 / V0003850

Oracle AUDIT_FILE_DEST parameter

CAT 2


The user dump file destination directory is not protected from unauthorized access.

DO0235 / V0003851

Oracle USER_DUMP_DEST parameter

CAT 2


The background dump file destination directory is not protected from unauthorized access.

DO0236 / V0003852

Oracle BACKGROUND_DUMP_DEST parameter

CAT 2


The core dump file destination directory is not protected from unauthorized access.

DO0237 / V0003853

Oracle CORE_DUMP_DEST parameter

CAT 2


UNCLASSIFIED

2-10 V8R1.3 Mar 2009


VMSKEY



The archive log file destination directory is not protected from unauthorized access.

DO0238 / V0003854

Oracle LOG_ARCHIVE_DEST parameter

CAT 2


DBMS system data files are not stored in dedicated disk partitions or directories.

DG0112 / V0015623

DBMS system data file protection

CAT 2


The spfileSID.ora and/or initSID.ora file are not protected from unauthorized access.

DO0275 / V0003858

Oracle critical file access CAT 2


Database applications have not been restricted from using static DDL statements to modify the application schema.

DG0015 / V0003727

Data Definition Language use

CAT 3


The following application user accounts have been granted storage quotas on the listed tablespace:

DO0157 / V0003847

Oracle storage use privileges

CAT 3


Unauthorized users have been granted system privileges.

DO0350 / V0003439

Oracle system privilege assignment

CAT 2


Roles have been granted using the WITH ADMIN OPTION to non-DBA or non-Application administrator accounts.

DO3622 / V0002574

Oracle roles granted WITH ADMIN OPTION

CAT 2


UNCLASSIFIED

2-11 V8R1.3 Mar 2009


VMSKEY



Production databases are not protected from unauthorized access by developers on shared production/development host systems.

DG0077 / V0003820

Production data protection on a shared system

CAT 2


Oracle object ownership is not restricted to Oracle default accounts, DBAs, or Application Owner accounts. The following unauthorized database accounts own database objects:

DO0150 / V0002512

Oracle object ownership CAT 2


The audit table is not owned by SYS or SYSTEM.

DO0190 / V0002515

Oracle audit table ownership

CAT 2


The following application owner accounts do not have a dedicated application tablespace:

DO0231 / V0003849

Oracle application object owner tablespaces

CAT 2


Unauthorized user accounts have been granted access to system tables and/or DBA views.

DO0310 / V0003436

Oracle system data and table access

CAT 2


Accounts were found with unauthorized permissions on the audit table.

DO3446 / V0002530

Oracle audit record access

CAT 2


Application administration roles are enabled by default.

DO0340 / V0003438

Oracle Application administration roles enablement

CAT 2


UNCLASSIFIED

2-12 V8R1.3 Mar 2009


VMSKEY



The DBA role has been granted to unauthorized users.

DO3440 / V0002527

Oracle DBA role assignment

CAT 2


New passwords are not required to differ from old passwords by more than four characters.

DG0071 / V0003815

Password change variance

CAT 2


Users can change passwords within 24 hours of the last password change.

DG0072 / V0015612

DBMS password change time limit

CAT 2


Password-verify function is not in place to prevent the use of easily guessed passwords.

DG0127 / V0015634

DBMS account password easily guessed

CAT 2


Application object owner accounts are not disabled.

DO0160 / V0002513

Oracle application object owner accounts

CAT 2


Access to default replication accounts is not restricted to authorized DBAs.

DO0210 / V0002516

Oracle shared replication account access

CAT 2


Profiles have been found with PASSWORD_LIFE_TIME not set, set to more than 60 days for interactive accounts and set to more than 365 days for non-interactive accounts.

DO3485 / V0002609

Oracle PASSWORD_LIFE_TIME profile parameter

CAT 2


UNCLASSIFIED

2-13 V8R1.3 Mar 2009


VMSKEY



Database DEFAULT profile has idle time settings that exceed the maximum of 15 minutes. Database user profiles have an idle time setting greater than 60 minutes and/or are undocumented in the System Security Plan.

DO3536 / V0002552

Oracle IDLE_TIME profile parameter

CAT 2


SYSDBA privileges are granted to unauthorized DBAs. SYSDBA connections are used for daily DBA operations and not restricted to required use.

DO0380 / V0003442

Oracle SYSDBA password file users

CAT 2


Unauthorized database links are defined. The following database links define connections between production and development databases:

DG0075 / V0003818

DBMS links to external databases

CAT 2


Sensitive data is not labeled. DG0087 / V0015616

DBMS sensitive data labeling

CAT 3


Custom and GOTS application source code stored in the database has not been protected with encryption or encoding.

DG0091 / V0003823

DBMS source code encoding or encryption

CAT 3


Changes to DBMS security labels are not audited.

DG0172 / V0015657

DBMS classification level audit

CAT 2


The Oracle instance names contain the Oracle version number.

DO0220 / V0002517

Oracle instance names CAT 2


UNCLASSIFIED

2-14 V8R1.3 Mar 2009


VMSKEY



The Oracle SID is a default database SID.

DO0221 / V0003848

Oracle default SID name CAT 3


Fixed User/Public database links are in use without replication or authorization.

DO0250 / V0002520

Oracle database link usage

CAT 2


A minimum of two Oracle control files are not configured and stored on separate physical disks.

DO0260 / V0002521

Oracle control file availability

CAT 2


The XDB Protocol server is not disabled and is not required.

DO0420 / V0003865

Oracle XML DB CAT 3


The latest patchset and CPU security patches have not been installed.

DG0003 / V0005659

DBMS patchset/CPU security patch level

CAT 2


The Oracle version is not a supported version.

DO0100 / V0002509

Oracle version support CAT 1


Database executable and configuration files are not being monitored for unauthorized modifications.

DG0010 / V0002420

DBMS software monitoring

CAT 3


UNCLASSIFIED

2-15 V8R1.3 Mar 2009


VMSKEY



Configuration management procedures are not defined and implemented for database software modifications.

DG0011 / V0003726

DBMS Configuration Management

CAT 3


Database backup procedures are not defined and implemented.

DG0013 / V0015126

Database backup procedures

CAT 2


Backup and recover procedures have not been implemented/tested.

DG0020 / V0015129

DBMS backup and recovery testing

CAT 2


Database software, applications and configuration files are not monitored to discover unauthorized changes.

DG0050 / V0002423

DBMS software and configuration file monitoring

CAT 2


A single database connection configuration file is used to configure all database clients regardless of differing client access requirements.

DG0053 / V0003809

DBMS client connection definition file

CAT 2


Procedures for establishing temporary passwords that meet DoD password requirements for new accounts are not defined and implemented.

DG0066 / V0003811

Temporary password procedures

CAT 2


Database passwords used by batch and/or job processes are not stored in encrypted format.

DG0067 / V0003812

DBMS account password external storage

CAT 1


UNCLASSIFIED

2-16 V8R1.3 Mar 2009


VMSKEY



Applications that access the database that echo or use the password entry in clear text are not protected from password display.

DG0068 / V0003813

DBMS application password display

CAT 2


Procedures and restrictions for import of production data to development databases are not implemented or followed.

DG0069 / V0015140

Production data import to development DBMS

CAT 2


Automated tools are not used to provide audit trail reports.

DG0083 / V0015102

Audit record report automation

CAT 2


Privileges assigned to DBA roles are not monitored to detect assignment of unauthorized or excess privileges.

DG0086 / V0015106

DBA role privilege monitoring

CAT 2


Procedures and evidence of implementation do not exist for periodic reviews of DBMS IA and vulnerability management compliance.

DG0088 / V0015112

DBMS vulnerability mgmt and IA compliance testing

CAT 3


Audit trail data is not reviewed daily or more frequently.

DG0095 / V0003827

DBMS Audit trail data review

CAT 2


The DBMS IA policies and procedures are not viewed annually or more frequently.

DG0096 / V0015138

DBMS IA policy and procedure review

CAT 3


UNCLASSIFIED

2-17 V8R1.3 Mar 2009


VMSKEY



Plans and procedures for testing DBMS installations, upgrades and patches are not defined and followed prior to production implementation.

DG0097 / V0015139

DBMS Testing Plans and Procedures

CAT 2


Sensitive data is stored in the database, but is not identified in the AIS Functional Architecture.

DG0107 / V0015144

Sensitive data identification in the DBMS

CAT 2


The DBMS restoration priority is not assigned.

DG0108 / V0015145

DBMS Restoration Priority

CAT 3


The DBMS host system is not prevented from also supporting an independent security service.

DG0110 / V0015179

DBMS Host Shared with a Security Service

CAT 2


The DBMS is not included in nor does it have defined for it a System Security Plan.

DG0154 / V0015150

DBMS System Security Plan

CAT 3


Remote administrative access to the database is not monitored by the IAO or IAM.

DG0159 / V0015118

Review of DBMS remote administrative access

CAT 2


An automated tool that monitors audit data and immediately reports suspicious activity has not been employed for the DBMS.

DG0161 / V0015103

DBMS audit tool CAT 2


UNCLASSIFIED

2-18 V8R1.3 Mar 2009


VMSKEY



The database is accessible to internet users and is not located in a DMZ.

DG0186 / V0015122

DBMS network perimeter protection

CAT 2


DBMS software libraries are not backed up.

DG0187 / V0015121

DBMS software file backups

CAT 2


Privileges assigned to developers on shared production and development DBMS hosts and the DBMS are not monitored every three months or more frequently for unauthorized changes.

DG0194 / V0015108

DBMS developer privilege monitoring on shared DBMS

CAT 2


DBMS backup and restoration files are not protected from unauthorized access.

DG0064 / V0015120

DBMS Backup and Restoration File Protection

CAT 2


The IAM does not review changes to DBA role assignments.

DG0118 / V0015127

IAM review of change in DBA assignments

CAT 2


The DBMS software installation account is not restricted to authorized users.

DG0040 / V0002422

DBMS software owner account access

CAT 2


Use of the DBMS installation account is not logged.

DG0041 / V0015110

DBMS Installation account use logging

CAT 2


UNCLASSIFIED

2-19 V8R1.3 Mar 2009


VMSKEY



Use of the DBMS software installation account is not restricted to DBMS software installation, upgrade and maintenance.

DG0042 / V0015111

DBMS software installation account use

CAT 2


System resources and database identifiers are not clearly separated and/or defined.

DG0017 / V0003803

DBMS shared production/development use

CAT 2


A baseline of database application software is not maintained.

DG0021 / V0003806

DBMS software and configuration baseline

CAT 2


Applications used to access the database are not logged in the DBMS audit trail.

DG0052 / V0003807

DBMS software access audit

CAT 2


The audit logs are not monitored to discover DBMS access using unauthorized applications.

DG0054 / V0015611

DBMS software access audit review

CAT 3


The DBMS is operated without authorization on a host system supporting other application services.

DG0109 / V0015146

DBMS Dedicated Host CAT 2


The DBMS host platform and other dependent applications are not configured in compliance with applicable STIG requirements.

DG0175 / V0015116

DBMS host and component STIG compliancy

CAT 2


UNCLASSIFIED

2-20 V8R1.3 Mar 2009


VMSKEY



The DBMS audit logs are not included in backup operations.

DG0176 / V0015117

DBMS audit log backups CAT 2


Database data files are stored in the same logical storage partition as database application software.

DG0012 / V0004754

DBMS software storage location

CAT 2


Application software is not owned by the Software Application account.

DG0019 / V0003805

DBMS software ownership

CAT 3


Database data files are not encrypted. DG0092 / V0015132

DBMS data file encryption CAT 2


DBMS production application and data directories are not protected from developers on shared production/development DBMS host systems.

DG0195 / V0015109

DBMS host file privileges assigned to developers

CAT 2


Files containing passwords or cryptographic keys have not been protected from unauthorized access.

DO0133 / V0003844

Oracle connection credential protection

CAT 2


The passwords have been stored unencrypted in the spoolmain.log file.

DO3847 / V0002607

Oracle spoolmain.log file (9i and earlier)

CAT 2


UNCLASSIFIED

2-21 V8R1.3 Mar 2009


VMSKEY



Unauthorized permissions have been defined for the SQLNet and Listener log files.

DO5037 / V0002612

Oracle SQLNet and listener log files protection

CAT 2


Access to DBMS security data is not audited.

DG0140 / V0015643

DBMS security data access audit

CAT 2


The OS DBA group contains unauthorized members.

DO0145 / V0003845

Oracle SYSDBA OS group membership

CAT 3


Cryptography is not configured to comply with FIPS 140-2 requirements.

DG0025 / V0015610

DBMS encryption compliance

CAT 2


Remote administrative connections to the database are not encrypted.

DG0093 / V0003825

Remote administration encryption for confidentiality

CAT 2


The DBMS listener does not restrict database access by network address.

DG0103 / V0015621

DBMS Listener network restrictions

CAT 2


Sensitive data served by the DBMS is not protected by encryption when transmitted across the network.

DG0167 / V0015104

Encryption of DBMS sensitive data in transit

CAT 1


UNCLASSIFIED

2-22 V8R1.3 Mar 2009


VMSKEY



Remote administration of the DBMS is not restricted to dedicated and encrypted network addresses and ports.

DG0198 / V0015662

DBMS remote administration encryption

CAT 2


The Oracle network listener is not configured to use a standard, default port.

DO0285 / V0003861

Oracle listener network port assignment

CAT 2


The INBOUND_CONNECT_TIMEOUT or CONNECT_TIMEOUT parameter is not set to a value greater than 0.

DO0286 / V0003862

Oracle connection timeout parameter

CAT 2


The SQLNET.EXPIRE_TIME has not been set to a value greater than 0.

DO0287 / V0003863

Oracle SQLNET.EXPIRE_TIME parameter

CAT 2


The Oracle listener is not protected by authentication.

DO3630 / V0002608

Oracle listener authentication

CAT 1


The Listener ADMIN_RESTRICTIONS is not set to ON in the listener.ora file.

DO6740 / V0003497

Oracle listener ADMIN_RESTRICTIONS parameter

CAT 2


The listener.ora file specifies host names rather than IP addresses to identify hosts.

DO6746 / V0016031

Oracle Listener host references

CAT 3


UNCLASSIFIED

2-23 V8R1.3 Mar 2009


VMSKEY



Remote administration is not disabled on the connection manager.

DO6747 / V0016032

Connection Manager remote administration

CAT 2


The SQLNET.ORA parameter SQLNET-ALLOWED_LOGON_VERSION Is not set to 10 or higher.

DO6751 / V0016057

SQLNET.ALLOWED_LOGON_VERSION

CAT 2


Unnecessary privileges to the host system have been granted to DBA OS accounts.

DG0005 / V0006756

DBMS administration OS accounts

CAT 2


The Oracle software installation account has been granted excessive host system privileges.

DO0120 / V0003842

Oracle process account host system privileges

CAT 2


Oracle processes are not owned by separate Unix accounts.

DO0121 / V0003843

Oracle service and process dedicated accounts

CAT 2


The Oracle software owner umask setting is not set to 022 or more restrictive.

DO0279 / V0003860

Oracle software owner umask settings

CAT 2


Unused database components, database application software and database objects have not been removed.

DG0016 / V0003728

DBMS unused components

CAT 3


UNCLASSIFIED

2-24 V8R1.3 Mar 2009


VMSKEY



Oracle Configuration Manager is not set to disconnected mode for all database instances.

DO6754 / V0016056

Oracle Configuration Manager

CAT 2


DBMS service identification is not unique or does not clearly identify the service.

DG0104 / V0015622

DBMS Service Identification

CAT 3


Database data encryption controls are not configured in accordance with application requirements.

DG0106 / V0015143

Database data encryption configuration

CAT 2


The EXTPROC module exists on the host system and is not in use. The EXTPROC is in use and has not been protected from unauthorized access.

DO0280 / V0002841

Oracle external procedure access

CAT 2


Oracle Net trace file generation is not enabled.

DO5036 / V0016049

Oracle Net TRACE_LEVEL

CAT 2


Database job/batch queues are not reviewed regularly to detect unauthorized database job submissions.

DG0051 / V0003808

Database job/batch queue monitoring

CAT 2


Sensitive information stored in the database has not been identified and protected by encryption.

DG0090 / V0015131

Sensitive data identification and encryption

CAT 2


UNCLASSIFIED

2-25 V8R1.3 Mar 2009


VMSKEY



The mid-tier database connection account is not encrypted, restricted and authenticated in compliance with the policy.

DO0360 / V0003440

DBMS mid-tier application account access

CAT 2


An upgrade/migration plan has not been developed to address an unsupported DBMS software version.

DG0002 / V0004758

DBMS version upgrade plan

CAT 2


Oracle Application Express is installed on a production database.

DO6753 / V0016055

Oracle Application Express

CAT 2


The DBMS warning banner does not meet DoD policy requirements.

DG0179 / V0015658

DBMS warning banner CAT 2


The Intelligent Agent is not disabled and is not required or is enabled on a database accessible from the Internet.

DO0430 / V0003866

Oracle management agent use

CAT 3


UNCLASSIFIED

3-1 V8R1.3 Mar 2009

3. Oracle Database Server Security Review Procedures

3.1 Review Process Notes

A security review of an Oracle Database Server may be completed by following the procedures in this section. Each security compliance item of interest is listed with procedures for determining whether the Oracle Database Server is configured to be compliant with the requirement or not. Each security item procedure is referred to as a “check”. A security item is also referred to as “vulnerability”. There may be more than one installation of the Oracle DBMS software on a single host platform. There may be multiple Oracle Database Instances (SIDs) defined for a single Oracle DBMS software installation. The checks are categorized into the following two categories and four types: Categories:

− Oracle Home Checks – These checks are applicable once per each Oracle DBMS software installation. Oracle refers to each installation as an Oracle Home and assigns an identifier to each. Some of these checks refer to the Oracle network communication configuration which in some cases occur only once per database host server.

− Oracle Database Checks – These checks are applicable once per each Oracle Database Instance (SID). Each Oracle Database Instance (SID) must be checked, as there are significant security configurations that can be exploited per instance.

Types:

− Manual checks – The reviewer must complete a technical procedure using SQL*Plus or a similar SQL interface to the Oracle database or another tool to determine the compliance status.

− Interview checks – The procedure requires a review of available documentation and interviews of the IAO, DBA or other database points-of-contact to determine the compliance status.

− Verify checks – If the SRR evaluation script is used, it may or may not be able to determine a final finding result without action by the reviewer. If it is unable to provide a final finding result, it may provide information to help complete the manual procedures provided.

− Automated checks – If the SRR evaluation script is used, it is able to determine the final finding result without action by the reviewer. Manual procedures are provided for manual review of compliance if desired.

The checks are listed in the following order:

- Check Category (Database, Installation) - Check Type (Automated, Interview, Manual, Verify) - Vulnerability type:


UNCLASSIFIED

3-2 V8R1.3 Mar 2009

o policy/procedure o initialization parameter o file/dir permission o registry permission o windows user right o database administration privilege o database object privilege o database role o database account o database client configuration o database network communication o database Operating System account privilege/configuration o database software maintenance o other database configuration o audit o privilege o encryption o account o monitor / report o manage / authorize

- STIGID The purpose of this separation of checks by Oracle Home and Oracle Database is to ensure that all multiple occurrences of security controls are reviewed individually and to avoid duplication of control reviews that affect multiple other security levels. The additional separations are meant to assist the reviewer to complete the review more efficiently by grouping checks together that are completed using the same method or tool such as referring to the documentation in the System Security Plan or using SQL*Plus to review settings.

3.2 IAVM Compliance

Security patches required by the DoD IAVM process are reviewed during an operating system security review. Information for security patch compliance for Oracle Database Server is available in Appendix A of this Oracle Database Security Checklist.

3.3 Review Tools and Interfaces

You should run the review procedures and utilities listed below from the Oracle Database Server host system. In addition to the operating system tools listed below, some checks also refer to SQL commands that may be submitted to the database using Oracle’s SQL*Plus command line utility. Other tools with the same capability as SQL*Plus may be used. An SRR evaluation script is also available for use to complete the Oracle Database security review. The script provides results for all checks designated as being “automated”. It also provides results for SQL commands specified to complete a manual review. These checks are indicated as “verify” checks. Checks for which the script


UNCLASSIFIED

3-3 V8R1.3 Mar 2009

provides no results are marked “Interview” or “Manual”. The SRR script is run locally from the host prompt. The script is not tested for access to remote databases. Windows platform tools:

− Windows explorer – review file directory permissions and disk partition information

− Windows registry editor – review registry values and permissions

− Windows Microsoft Management Console (MMC) – review various Windows items including users, groups, and services

UNIX platform shell commands and tools:

− vi, gedit or other text editor In addition to familiarity with operating system tools and commands, the procedures also assume a familiarity with the Structured Query Language (SQL).

3.4 System Security Plan Overview

Some procedures within this checklist refer to the System Security Plan (SSP). The System Security Plan is referenced in the DoD Instruction 8500.2 in the following IA control as: DCSD-1 IA Documentation

All appointments to required IA roles (e.g., DAA and IAM/IAO) are established in writing, to include assigned duties and appointment criteria such as training, security clearance and IT-designation. A System Security Plan is established that describes the technical, administrative and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives (e.g., requirements for data handling or dissemination, system redundancy and backup or emergency response).

A template for creating an SSP may be found on the DIACAP Knowledge Service (https://diacap.iaportal.navy.mil/), DIACAP Resources, DIACAP Reference Library, Sample Documents, ISP_Sample.doc (zipped) or the National Institute of Standards and Technology (NIST), Special Publication (SP) 800-18, Guide for

Developing Security Plans for Federal Information Systems. This document may be found at http://csrc.nist.gov/publications/PubsSPs.html. The DIACAP Knowledge Service also provides a matrix of documentation requirements for the IA Controls to those required under the previous DITSCAP System Security Authorization Agreement (SSAA). The matrix may be found under IA Controls, Information on the IA Controls Matrix of IA Controls to Documentation. Information required and verified by the procedures in this checklist should be contained in the SSP under the IA control referenced. However, this document concerns itself only with the specific controls referenced in it and does not review and verify the entirety of the SSP.


UNCLASSIFIED

3-4 V8R1.3 Mar 2009

3.5 Automated Information System (AIS) Functional Architecture Document

The DoDI 8500.2 defines an AIS functional architecture document under IA control DCFA as: DCFA-1 Functional Architecture for AIS Applications

For AIS applications, a functional architecture that identifies the following has been developed and is maintained:

− All external interfaces, the information being exchanged, and the protection mechanisms associated with each interface - user roles required for access control and the access privileges assigned to each role (See ECAN)

− Unique security requirements (e.g., encryption of key data elements at rest)

− Categories of sensitive information processed or stored by the AIS application, and their specific protection plans (e.g., Privacy Act, HIPAA)

− Restoration priority of subsystems, processes, or information (See COEF) Additional information may be obtained for this IA control from the DIACAP Knowledge Service.

3.6 Sensitive Data Protection and Definition

Databases, as frequent repositories for sensitive data, are often relied upon for providing an additional layer of protection for such data. The responsibility for determining what protections should be employed for sensitive data falls to the Information Owner as the person that best understands the purpose, function, and the possible impact of unauthorized release of the data. Most commonly, authentication and authorizations are sufficient to protect data against unauthorized release. However, in some cases encryption may be used to assist in protecting against disclosure where authorizations do not provide needed restrictions. For example, the access provided to DBAs to administer the DBMS provides them with access to all data stored within the database. The DoDD 8500.1 provides the following definition for sensitive data: Information, the loss, misuse, or unauthorized access to or modification of, could adversely affect

the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of title 5, United States Code, "The Privacy Act", but which has not been specifically authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy (Section 278g-3 of title 15, United States Code, "The Computer Security Act of 1987"). Examples of sensitive information include, but are not limited to information in DoD payroll, finance, logistics and personnel management systems. Sensitive information sub-categories include, but are not limited to, the following:

For Official Use Only (FOUO) - In accordance with DoD 5400.7-R (reference (ab)), DoD information exempted from mandatory public disclosure under the Freedom of Information Act (FOIA) Privacy Data. Any record that is contained in a system of records as defined in the Privacy Act of 1974 (5 U.S.C. 552a) (reference (z)) and information the disclosure of which would

constitute an unwarranted invasion of personal privacy.

DoD Unclassified Controlled Nuclear Information (DoD UCNI) - Unclassified Information on security measures (including security plans, procedures, and equipment) for the physical protection of DoD Special Nuclear Material (SNM), equipment, or facilities in accordance with DoD Directive 5210.83. Information is Designated DoD UCNI only when it is determined that its unauthorized disclosure could reasonably be expected to have a significant adverse effect on the


UNCLASSIFIED

3-5 V8R1.3 Mar 2009

health and safety of the public or the common defense and security by increasing significantly the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of DoD SNM, equipment, or facilities. Unclassified Technical Data - Data that is not classified but is subject to export control and is withheld from public disclosure according to DoD Directive 5230.25.

Proprietary Information - Information that is provided by a source or sources under the condition that it not be released to other sources. Foreign Government Information - Information that originated from a foreign government and that is not classified CONFIDENTIAL or higher, but must be protected in accordance with DoD 5200.1-R. Department of State Sensitive But Unclassified (DoS SBU) - Information that originated from the Department of State (DoS) that has been determined to be SBU under appropriate DoS information security polices.

Drug Enforcement Administration (DEA) Sensitive Information - Information that is originated by the Drug Enforcement Administration and requires protection against unauthorized disclosure to protect sources and methods of investigative activity, evidence, and the integrity of pretrial investigative reports.

3.7 Process Notes

The SRR evaluation script and many manual procedures require Oracle DBA privileges to the database and host platform. Some operating system commands require Root or Administrator privileges to the host operating system. This will vary based on the permissions assigned to the OS account used. It is recommended the account used for installation of the Oracle software be used to process the security review as this account is expected to have the access required. An authorized DBA or the IAO should log and monitor the use of this account. The SRR script also creates temporary tables in the Oracle Database. Definitions for the tables are included in the script file “dbsrr-oracle-tables.sql”. The tables are created in the USERS tablespace by default, however, if existing tables exist, the script will use those tables. This allows the DBA to control which tablespace and storage is used by the SRR script. This should be reviewed and considered as part of configuration management especially on production systems. Please see the readme and release notes of the script for additional information.

3.8 Check Reference Numbering Scheme

The checks use two different reference numbers: the STIGID and VMSKEY. The STIGID is a manually assigned reference number. The database STIGID assignments including those for Oracle are prefixed with two letters that indicate the following:

− DG – Identifies a general database check and the fundamental requirement is specified for any DBMS product where available. The Oracle-specific checks and fixes are listed in the subvul STIGID for these DG checks

− DO – Identifies an Oracle specific check and does not apply as written to any other DBMS product.


UNCLASSIFIED

3-6 V8R1.3 Mar 2009

Only checks of type “DG” and “DO” are included in this checklist. All checks provide a mapping to the security requirement listed in the Database STIG. Note that some CAT findings may be higher for the DO checks than their mapped Database STIG checks due to the potential ability to be exploited and

3.9 Documentation Conventions

The “[ ]” characters are used to indicate that a replacement value provided by the reviewer is required. For example, the [partial] SQL query command, “alter user [username]” where [username] should be replaced by the reviewer with the appropriate user name, e.g. “alter user SYS”. The “[]” characters should not be included in the command.

3.10 Procedure Table Data

Information Assurance (IA) Control Each check is derived and associated with an IA Control from the DoD Instruction 8500.2. These are listed in the enclosures for the instruction and are applicable to the DBMS based on the Mission Assurance Category (MAC) determined for the system. Where the IA breakdown based on MAC is not listed in the table in this document, the check requirement applies to all level systems or the IA control does not have breakdowns. Where a check applies to only one IA control and MAC level, the level is specified in the table. Policy:

Each check is assigned a Gold, Platinum or All Policies (both) designation based on implementation difficulty. Gold requirements are those whose implementation is unlikely to interrupt system operation. Platinum requirements require consideration that is more careful and testing prior to implementation. Please note that no changes to the DBMS should be made without a careful review or test of potential impact. Also, note that the Vulnerability Maintenance System (VMS) lists each “check” as being Gold, Platinum or both. In most cases where Policy = All Policies in this document, in VMS would be identified as both Gold and Platinum, with Platinum considerations to be taken into account.

Mission Assurance Category (MAC)/Confidentiality:

This field shows the applicability of the check based on the mission criticality and confidentiality of the system under review. The DoDI 8500.2 defines three levels of mission criticality where a MAC level of 1 requires the highest level of integrity and availability protection and a level three requires the lowest. The confidentiality levels are Public, Sensitive and Classified. Please see DoDI 8500.2 for more information on determining the MAC and Confidentiality for the system.

Check Type:


UNCLASSIFIED

3-7 V8R1.3 Mar 2009

This indicates the method available for determining the compliance to the check. Auto indicates that the available SRR evaluation script can be used to determine compliance. Verify means that the SRR script provides information to assist in a manual determination of check compliance and, in some cases, may be able to determine some level of compliance such as applicability. Interview means that the check does not require any technical or system hands-on actions. Rather it requires a review of documentation and in some cases verbal confirmation by the DBA or IAO. A check type of manual indicates the check procedure requires hands-on technical review of the security configuration item that the script is unable to complete. In VMS, the checks listed as (Script) are equivalent to Check Type: Auto.

Database Level:

This indicates whether the check is performed once per defined database instance (TRUE) or once per installation of the DBMS (FALSE).

Documentable:

This field is used to indicate whether the check script result may be verified for pre-determined compliance automatically in the Vulnerability Management System (VMS).

VKEY:

This is the check reference number for VMS. STIG Requirement:

This is the policy requirement as mapped from the Database STIG document. The policy requirement is a general requirement for all databases. Some configuration items specific to a particular DBMS product are more loosely associated with the general statement.

Severity:

This is the severity code assignment for this check. The severity code may sometimes differ from the severity assigned to the STIG requirement because it is has a more or less severe implication. Severity code definitions are documented in Section 1.1 – Overview in this document.


UNCLASSIFIED

4-8 V8R1.3 Mar 2009

4. Oracle Database Automated Check Procedures

4.1 DO0240: Oracle OS_ROLES parameter

Description: The OS_ROLES parameter specifies whether Oracle roles are defined and managed by the DBMS or by the host operating system. To maintain and support the separation of duties between host system administration and DBMS administration, the DBMS must be configured to use only roles defined and managed by the DBA. Separation of duties supports assignment of privileges by job function and supports accountability. Check:

From SQL*Plus: select value from v$parameter where name='os_roles'; If the value returned is not FALSE, this is a Finding.

Fix: From SQL*Plus: alter system set os_roles=FALSE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.

VKEY: V0002519 Severity: CAT 3 Policy: All Policies

MAC/CONF: 1-CSP;2-CSP;3-CSP

IA Control: DCSD Check Type: Auto

Database level: True

Responsibility: DBA

Documentable: False

Reference: Database STIG 3.1.9

STIG Requirement: (DG0153: CAT III) The IAO will assign and authorize DBA responsibilities for the DBMS.


UNCLASSIFIED

4-9 V8R1.3 Mar 2009

4.2 DO0241: Oracle AUDIT_SYS_OPERATIONS parameter

Description: The AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user SYS. The SYS user account is a shared account by definition and holds all privileges in the Oracle database. It is the account accessed by users connecting to the database with SYSDBA or SYSOPER privileges. NOTE: The location of the audit data is determined by the audit_trail parameter in DO3413. Check:

From SQL*Plus: select value from v$parameter where name='audit_sys_operations'; If the value returned is FALSE, this is a Finding.

Fix: From SQL*Plus: alter system set audit_sys_operations=TRUE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: ECAR Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0142: CAT II) The DBA will ensure privileged DBMS actions and changes to security labels or sensitivity markings of data in the DBMS are audited.


UNCLASSIFIED

4-10 V8R1.3 Mar 2009

4.3 DO0242: Oracle GLOBAL_NAMES parameter

Description: The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both, ambiguity is avoided and unauthorized or unintended connections to remote databases are less likely. Check:

From SQL*Plus: select value from v$parameter where name='global_names'; If the value returned is FALSE, this is a Finding.

Fix: From SQL*Plus: alter system set global_names=TRUE scope=spfile; NOTE: This parameter, if changed, will affect all currently defined Oracle database links. The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: DCFA Check Type: Auto


Responsibility: DBA

Documentable: False

Reference: Database STIG 3.1.4.1

STIG Requirement: (DG0192: CAT II) The DBA will ensure credentials used to access remote databases or other applications use fully qualified names, i.e., globally unique names that specify all hierarchical classification names, in the connection specification.


UNCLASSIFIED

4-11 V8R1.3 Mar 2009

4.4 DO0243: Oracle _TRACE_FILES_PUBLIC parameter

Description: The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assignment of privileges based on job function. Additionally, its use may provide access to external files and data to unauthorized users. Check:

From SQL*Plus: select value from v$parameter where name='_trace_files_public'; If the value returned is TRUE, this is a Finding. If the parameter does not exist, this is NA.

Fix: From SQL*Plus (shutdown database instance): shutdown immediate

From SQL*Plus (create a pfile from spfile): create pfile='[PATH]init[SID].ora' from spfile; Edit the init[SID].ora file and remove the following line: *._trace_files_public=TRUE From SQL*Plus (update the spfile using the pfile): create spfile from pfile='[PATH]init[SID].ora'; From SQL*Plus (start the database instance): startup NOTE: [PATH] depends on the platform (Windows or UNIX). Ensure the file is directed to a writable location. [SID] is equal to the oracle SID or database instance ID.



IA Control: ECAN Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0123: CAT II) The DBA will ensure all access to sensitive application data stored inside the database, and in external host files, is granted only to database accounts and OS accounts in accordance with user functions as specified by the Information Owner.


UNCLASSIFIED

4-12 V8R1.3 Mar 2009

4.5 DO3413: Oracle AUDIT_TRAIL parameter

Description: Oracle auditing can be set to log audit data to the database or operating system files. Logging events to the database prevents operating system users from viewing the data, while logging events to operating system files prevents malicious database users from accessing the data. The value NONE disables auditing and is, therefore, not in compliance with policy. Check:

From SQL*Plus: select value from v$parameter where name='audit_trail'; If the value returned is NONE, this is a Finding.

Fix: Enable database auditing. Select the desired audit trail format (external file or internal database table). From SQL*Plus: alter system set audit_trail= [audit trail format] scope=spfile; Compliant selections for [audit trail format] are (per MetaLink Note 30690.1): Oracle 8.1.6 – 11.1 = 'true', 'os' & 'db' (true = os for backward compatibility) Oracle 10.1 = 'db_extended' Oracle 10.2 = 'db, extended', 'xml' & 'xml, extended' Oracle 11.1 = 'db_extended', 'xml' & 'xml, extended' The above SQL*Plus command will set the parameter to take effect at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0029: CAT II) The DBA will ensure the DBMS auditing function is enabled.


UNCLASSIFIED

4-13 V8R1.3 Mar 2009

4.6 DO3447: Oracle OS_AUTHENT_PREFIX parameter

Description: The OS_AUTHENT_PREFIX parameter defines the prefix for database account names to be identified EXTERNALLY by the operating system. When set to the special value of OPS$, accounts defined with the prefix of OPS$ may authenticate either with a password or with OS authentication. Use of more than one authentication method to access a single account results in a loss of accountability, that is, it is similar to a shared account. Setting this parameter to a value other than OPS$ prevents a shared usage of a single account. Check:

From SQL*Plus: select value from v$parameter where name='os_authent_prefix'; If the value returned is OPS$ or ops$, this is a Finding.

Fix: Specify an operating system authenticated username prefix other than OPS$. From SQL*Plus: alter system set os_authent_prefix=[prefix value] scope=spfile; Compliant selections for [prefix value] are: a null string ('') a text value other than 'OPS$' The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: IAGA Check Type: Auto


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0060: CAT II) The IAO/DBA will ensure actions by a single database account that is accessed by multiple interactive users are attributable to an individual identifier.


UNCLASSIFIED

4-14 V8R1.3 Mar 2009

4.7 DO3538: Oracle REMOTE_OS_AUTHENT parameter

Description: Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and connect to the database without having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user needs to connect to the database is the name of any user whose account is setup to be authenticated by the operating system. Check:

From SQL*Plus: select value from v$parameter where name='remote_os_authent'; If the value returned does not equal FALSE, this is a Finding. NOTE: This finding may be downgraded to a Category II severity code if the following mitigations have been implemented: - A logon trigger verifies that any connections to accounts identified externally

come from a single, specific IP address and kills the connection if determined otherwise

- To help prevent access by a spoofed IP address, the single connecting system and the database host are isolated behind a firewall with either Network Address Translation (NAT) implemented and/or the firewall is configured to reject connections from the single source IP address originating outside the isolated segment

Fix:

Disable remote OS authentication. From SQL*Plus: alter system set remote_os_authent=FALSE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: IAIA Check Type: Auto


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0078: CAT II) The DBA will ensure database user accounts are configured to require individual authentication in order to connect to the DBMS.


UNCLASSIFIED

4-15 V8R1.3 Mar 2009

4.8 DO3539: Oracle REMOTE_OS_ROLES parameter

Description: Setting REMOTE_OS_ROLES to TRUE allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could impersonate another operating system user over a network connection. Check:

From SQL*Plus: select value from v$parameter where name='remote_os_roles'; If the returned value is not FALSE, this is a Finding.

Fix: Disable use of remote OS roles. From SQL*Plus: alter system set remote_os_roles=FALSE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: ECLP Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role assignments are restricted to IAO-authorized accounts.


UNCLASSIFIED

4-16 V8R1.3 Mar 2009

4.9 DO3540: Oracle SQL92_SECURITY parameter

Description: The parameter SQL92_SECURITY is not enabled. The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is not enabled (set to TRUE), the UPDATE privilege can be used to determine values that should require SELECT privileges. Check:

From SQL*Plus: select value from v$parameter where name='sql92_security'; If the value returned is not set to TRUE, this is a Finding. If the parameter does not exist, this is a Finding.

Fix: Enable SQL92 security. From SQL*Plus: alter system set sql92_security=TRUE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0105: CAT II) The DBA will ensure all database application user roles and the privileges assigned to them are authorized by the Information Owner in the AIS functional architecture documentation.


UNCLASSIFIED

4-17 V8R1.3 Mar 2009

4.10 DO3546: Oracle REMOTE_LOGIN_PASSWORDFILE parameter

Description: The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows remote administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of "EXCLUSIVE" allows for auditing of individual DBA logins to the SYS account. If not set to "EXCLUSIVE" then remote connections to the database as "internal" or "as SYSDBA" are not logged to an individual DBA. Check:

From SQL*Plus: select value from v$parameter where name='remote_login_passwordfile'; If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a Finding.

Fix: Disable use of the remote_login_passwordfile where remote administration is not authorized by specifying a value of NONE. If authorized, restrict use of a password file to exclusive use by each database by specifying a value of EXCLUSIVE. . From SQL*Plus: alter system set remote_login_passwordfile='EXCLUSIVE' scope=spfile; OR alter system set remote_login_passwordfile='NONE' scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: IAGA Check Type: Auto


Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-18 V8R1.3 Mar 2009

4.11 DO3547: Oracle UTL_FILE_DIR parameter

Description: The UTL_FILE package allows host file access from within the database using the permissions and privileges assigned to the Oracle database process or service. This package should be used with caution. All files accessible to using this package is equally accessible to any database user with execute permissions to the UTL_FILE package. When UTL_FILE_DIR is set to “*”, all directories accessible to the Oracle database process, typically the Oracle installation account, are accessible via the UTL_FILE package. This setting effectively turns off directory access checking, and makes any directory accessible to the UTL_FILE functions. The UTL_FILE_DIR list should specify only authorized and protected directories and should include only fully specified path names. Check:

From SQL*Plus: select value from v$parameter where name='utl_file_dir'; If the returned value is '*', this is a Finding.

Fix: Where its use is authorized, restrict access by a database session to external host files. From SQL*Plus: alter system set utl_file_dir=[authorized directory] scope=spfile; Replace [authorized directory] with the directory path where file access and storage is authorized Review Oracle MetaLink Note 39037.1 if you need to define multiple authorized directories. The above SQL*Plus command will set the parameter to take effect at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0098: CAT II) The DBA will configure the database to disable access from the database to objects stored externally to the database on the local host unless mission and/or operationally required and documented in the AIS functional architecture documentation.


UNCLASSIFIED

4-19 V8R1.3 Mar 2009

4.12 DO3685: Oracle O7_DICTIONARY_ACCESSIBILITY parameter

Description: The database data dictionary tables contain the data used by the database for database functions including database authentication and authorization as well as database configuration and control. By default, the parameter O7_DICTIONARY_ACCESSIBILITY is set to FALSE to prevent accounts with the privilege SELECT ANY TABLE from selecting the data dictionary tables. This setting protects the data dictionary from unintended access authorization by requiring full system privileges or direct table access permissions. Check:

From SQL*Plus: select value from v$parameter where name='O7_dictionary_accessibility'; If the value returned is TRUE, this is a Finding. If the parameter does not exist, this is not a Finding.

Fix: Disable O7_dictionary_accessibility to restrict access to system tables to users granted privileges to access objects owned by all users. From SQL*Plus: alter system set O7_dictionary_accessibility=FALSE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-20 V8R1.3 Mar 2009

4.13 DO3696: Oracle RESOURCE_LIMIT parameter

Description: RESOURCE_LIMIT determines whether resource limits are enforced in database profiles. If Oracle resource limits are disabled, any defined profile limits will be ignored. NOTE: This does not apply to password resources. Check:

From SQL*Plus: select value from v$parameter where name='resource_limit'; If the value returned is not set to TRUE, this is a Finding.

Fix: Enable resource limit checking on the database. From SQL*Plus: alter system set resource_limit=TRUE scope=both; The above SQL*Plus command will set the parameter to take effect immediately and at next system startup.



IA Control: ECLO Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0134: CAT II) The DBA will configure where supported by the DBMS a limit of concurrent connections by a single database account to the limit specified in the System Security Plan, a number determined by testing or review of logs to be appropriate for the application. The limit will not be set to unlimited except where operationally required and documented in the System Security Plan.


UNCLASSIFIED

4-21 V8R1.3 Mar 2009

4.14 DO3698: Oracle DBLINK_ENCRYPT_LOGIN parameter

Description: The Oracle configuration parameter DBLINK_ENCRYPT_LOGIN specifies whether attempts to connect to remote Oracle databases through database links should use encrypted passwords. Prior to Oracle 7.2, passwords were not encrypted before being sent over the network. In order to connect to older servers, Oracle included this parameter to retry failed connections using the unencrypted format. If the DBLINK_ENCRYPT_LOGIN parameter is TRUE, and the connection fails, Oracle does not reattempt the connection. If this parameter is FALSE, Oracle reattempts the connection using an unencrypted version of the password. Servers with DBLINK_ENCRYPT_LOGIN set to FALSE can be coerced into sending unencrypted passwords by machines between linked servers. Check:

If the Oracle version is 10.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='dblink_encrypt_login'; If the returned value is not equal to TRUE, this is a Finding.

Fix: Force encryption of logins used by database links to remote databases. From SQL*Plus: alter system set dblink_encrypt_login=TRUE scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: ECNK Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0129: CAT I) The DBA will ensure all database account passwords are encrypted when transmitted across the network.


UNCLASSIFIED

4-22 V8R1.3 Mar 2009

4.15 DO6748: Oracle SEC_CASE_SENSITIVE_LOGON parameter

Description: Enablement of password case sensitivity allows Oracle password complexity to meet DoD password requirements. Password complexity decreases the likelihood of successful password attacks by malicious users. Check:

If the Oracle version is not 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='sec_case_sensitive_logon'; If the value returned is not TRUE, this is a Finding.

Fix: Enable case sensitive passwords. From SQL*Plus: alter system set sec_case_sensitive_logon=TRUE scope=both; The above SQL*Plus command will set the parameter to take effect immediately and at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0079: CAT II) The DBA will ensure database password complexity standards meet current minimum requirements for length (9 characters or more for database application user accounts and 15 characters or more for privileged database accounts) and composition (at least two uppercase characters, two lowercase characters, two special characters, two digits ) where supported by the DBMS.


UNCLASSIFIED

4-23 V8R1.3 Mar 2009

4.16 DO6749: Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter

Description: The SEC_MAX_FAILED_LOGIN_ATTEMPTS prevents multiple failed login attempts by a single connection. The parameter differs from the limit set on user profiles and applied to failed login attempts to a single user account. Limiting failed authentication attempts by a single connection helps protect against Denial of Service (DoS) attacks and authentication attempts against multiple user accounts. Check:

If the Oracle version is not 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='sec_max_failed_login_attempts'; If the value returned is equal to 0 or greater than 10, this is a Finding.

Fix: Limit the number of failed login attempts for the database. The number can be 3 or an IAO approved value between 1 and 10. From SQL*Plus: alter system set sec_max_failed_login_attempts=3 scope=both; The above SQL*Plus command will set the parameter to take effect immediately and at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0133: CAT II) The DBA will configure the DBMS to set the duration of database account lockouts due to three consecutive unsuccessful logon attempts to an unlimited time that requires the DBA to manually unlock the account.


UNCLASSIFIED

4-24 V8R1.3 Mar 2009

4.17 DO6750: Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter

Description: The database is vulnerable to exhaustion of resources that could result in a Denial of Service (DoS) to other clients if not protected from a flood of bad packets submitted by a malicious or errant client connection. The sec_protocol_error_further_action initialization parameter can be set to delay or drop acceptance of bad packets from a client in order to support the continued function of other non-problematic connections. Check:

If the Oracle version is not 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='sec_protocol_error_further_action'; If the value returned is not DROP or DELAY, this is a Finding.

Fix: Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY. DROP provides better protection and is recommended. From SQL*Plus: alter system set sec_protocol_error_further_action='drop' scope=spfile; OR alter system set sec_protocol_error_further_action='drop,3' scope=spfile; NOTE: The addition of the ‘,3’ above further limits the number of ‘bad packets’ to the specified number before forcefully terminating the connection. The above SQL*Plus command will set the parameter to take effect at next system startup.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0080: CAT II) The DBA will ensure privileges granted to application user database accounts are restricted to those required to perform the specific application functions.


UNCLASSIFIED

4-25 V8R1.3 Mar 2009

4.18 DO6752: Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter

Description: Undetected attacks using bad packets can lead to a successful Denial of Service (DoS) to database clients. Notification of attacks based on a flood of bad packets sent to the database can assist in discovery and response to this type of attack. Check:

If the Oracle version is not 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='sec_protocol_error_trace_action'; If the value returned is NONE, this is a Finding. If the value returned is TRACE, LOG or ALERT, this is not a Finding.

Fix: Set the value for the sec_protocol_error_trace_action initialization parameter to ALERT or LOG. TRACE may be appropriate for testing or development, but provides more detail than may be useful. Consider using ALERT for MAC 1 systems. From SQL*Plus: alter system set sec_protocol_error_trace_action='ALERT' scope=spfile; OR alter system set sec_protocol_error_trace_action='LOG' scope=spfile; The above SQL*Plus command will set the parameter to take effect at next system startup.



IA Control: ECAT Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0161: CAT II) The IAO will ensure an automated monitoring tool or capability is employed to review DBMS audit data and immediately report suspicious or unauthorized activity.


UNCLASSIFIED

4-26 V8R1.3 Mar 2009

4.19 DG0117: DBMS administrative privilege assignment

Description: Privileges granted outside the role of the administrative user job function are more likely to go unmanaged or without oversight for authorization. Maintenance of privileges using roles defined for discrete job functions offers improved oversight of administrative user privilege assignments and helps to protect against unauthorized privilege assignment. Check:

From SQL*Plus: select grantee||': '||granted_role from dba_role_privs where grantee in (select grantee from dba_role_privs where granted_role='DBA' and grantee not in ('SYS','SYSTEM','SYSMAN')) order by grantee; (Disregard any default database component account privilege assignments that may be returned.) also: select grantee||':'||privilege from dba_sys_privs where grantee in (select grantee from dba_role_privs where granted_role='DBA') and privilege<>'UNLIMITED TABLESPACE' order by grantee; If any administrative privileges have been assigned directly to a custom DBA account, this is a Finding.

Fix: Restrict DBA roles to use for DBA functions. Revoke any privileges outside of the DBA role and the UNLIMITED TABLESPACE privilege from custom DBA users.



IA Control: ECPA Check Type: Auto


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0117: CAT II) The IAO will ensure all database administrative privileges defined within the DBMS and externally to the database are assigned using DBMS or OS roles.


UNCLASSIFIED

4-27 V8R1.3 Mar 2009

4.20 DO0155: Oracle default tablespace assignment

Description: The Oracle SYSTEM tablespace is used by the database to store all DBMS system objects. Other use of the system tablespace may compromise system availability and the effectiveness of host system access controls to the tablespace files. Check:

From SQL*Plus: select username from dba_users where (default_tablespace= 'SYSTEM' or temporary_tablespace= 'SYSTEM') and username not in ('AURORA$JIS$UTILITY$','AURORA$ORB$UNAUTHENTICATED', 'DBSNMP','MDSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN', 'OUTLN','REPADMIN','SYS','SYSTEM','TRACESVR','MTSSYS','DIP'); If any non-default account records are returned, this is a Finding.

Fix: Create and dedicate tablespaces to support only one application. Do not share tablespaces between applications. Do not grant quotas to application object owners on tablespaces not dedicated to their associated application. From SQL*Plus: alter user [username] default tablespace [tablespace_name]; Replace [username] with the named user account. Replace [tablespace_name] with the new default tablespace name.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0113: CAT II) The DBA will ensure database data files used by third-party applications are defined and dedicated for each application.


UNCLASSIFIED

4-28 V8R1.3 Mar 2009

4.21 DO3451: WITH GRANT OPTION privileges

Description: An account permission to grant privileges within the database is an administrative function. Minimizing the number and privileges of administrative accounts reduces the chances of privileged account exploitation. Application user accounts should never require WITH GRANT OPTION privileges since, by definition, they require only privileges to execute procedures or view / edit data. Check:

From SQL*Plus: select grantee||': '||owner||'.'||table_name from dba_tab_privs where grantable='YES' and owner not in (select distinct owner from dba_objects) and grantee not in (select grantee from dba_role_privs where granted_role='DBA') order by grantee; If any accounts are listed, this is a Finding.

Fix: Revoke privileges granted the WITH GRANT OPTION from non-DBA and accounts that do not own application objects. Re-grant privileges without specifying WITH GRANT OPTION.





Responsibility: IAO

Documentable: False




UNCLASSIFIED

4-29 V8R1.3 Mar 2009

4.22 DO3609: System privileges granted WITH ADMIN OPTION

Description: The WITH ADMIN OPTION allows the grantee to grant a privilege to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBA's, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts. Check:

From SQL*Plus: select grantee, privilege from dba_sys_privs where grantee not in ('SYS','SYSTEM','AQ_ADMINISTRATOR_ROLE','DBA','MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN','WMSYS') and admin_option='YES' and grantee not in (select grantee from dba_role_privs where granted_role='DBA'); If any accounts are listed, this is a Finding.

Fix: Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option. Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan. From SQL*Plus: revoke [privilege name] from user [username]; Replace [privilege name] with the named privilege and [username] with the named user.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-30 V8R1.3 Mar 2009

4.23 DO3612: Oracle system privilege assignment

Description: System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey considerable authority over the database and should only be granted to those persons responsible for administering the database. In general, these privileges should be granted to roles and then the appropriate roles should be granted to users. System privileges should never be granted to PUBLIC as this could allow users to compromise the database. Check:

From SQL*Plus: select privilege from dba_sys_privs where grantee='PUBLIC'; If any records are returned, this is a Finding.

Fix: Revoke any system privileges assigned to PUBLIC: From SQL*Plus: revoke [system privilege] from PUBLIC; Replace [system privilege] with the named system privilege. NOTE: System privileges are not granted to PUBLIC by default and would indicate a custom action.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-31 V8R1.3 Mar 2009

4.24 DO3473: Application user role privileges

Description: Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against exploits against application vulnerabilities such as SQL injection attacks. The recommended method is to grant access only to stored procedures that perform only static actions on the data authorized for the user. Where this is not feasible, consider using data views or other methods to restrict users to only the data suitable for their job function. Check:

From SQL*Plus: select grantee,owner,table_name,privilege from dba_tab_privs where privilege in ('ALTER','REFERENCES','INDEX') and grantee not in ('DBA','SYSTEM','LBACSYS','XDBADMIN') and table_name not in ('SDO_IDX_TAB_SEQUENCE','XDB$ACL','XDB_ADMIN') and grantee not in (select grantee from dba_role_privs where granted_role='DBA') and grantee not in (select distinct owner from dba_objects); If any records are returned, this is a Finding.

Fix: Revoke ALTER, REFERENCES, and INDEX privileges from application user roles. From SQL*Plus: revoke [privilege] from [application user role]; Replace [privilege] with the identified ALTER, REFERENCES or INDEX privilege and [application user role] with the identified application role.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0119: CAT II) The DBA will ensure database application user roles are restricted to select, insert, update, delete and execute privileges.


UNCLASSIFIED

4-32 V8R1.3 Mar 2009

4.25 DO3475: Oracle PUBLIC access to restricted packages

Description: Access to the following packages should be restricted to authorized accounts only.

UTL_FILE: allows Oracle accounts to read and write files on the host operating system. UTL_SMTP: allows messages to be sent from an arbitrary user. UTL_TCP: allows arbitrary data to be sent from the database server. UTL_HTTP: allows the database server to send and receive data via HTTP. DBMS_RANDOM: allows encrypting of data without requiring safe management of encryption keys. DBMS_LOB: allows users access to files stored outside the database. DBMS_SQL: allows users to write dynamic SQL procedures. DBMS_SYS_SQL: allows users to execute SQL with DBA privileges. DBMS_JOB: allows users to submit jobs to the database job queue. DBMS_BACKUP_RESTORE: allows users to backup and restore database data. DBMS_OBFUSCATION_TOOLKIT: allows users access to encryption and decryption functions.

Check:

From SQL*Plus: select table_name from dba_tab_privs where grantee='PUBLIC' and privilege ='EXECUTE' and table_name in ('UTL_FILE','UTL_SMTP','UTL_TCP','UTL_HTTP','DBMS_RANDOM', 'DBMS_LOB','DBMS_SQL','DBMS_SYS_SQL','DBMS_JOB', 'DBMS_BACKUP_RESTORE','DBMS_OBFUSCATION_TOOLKIT'); If any records are returned, this is a Finding.

Fix: NOTE: Revoking all default installation privilege assignments from PUBLIC is not required at this time. However, execute permissions to the specified packages is required to be revoked from PUBLIC. Removal of these privileges from PUBLIC may result in invalid packages in version 10.1 and later of Oracle and an inability to execute default Oracle applications and utilities. To correct this problem, grant execute privileges on these packages directly to the SYSMAN, WKSYS, MDSYS and SYSTEM accounts as well as any other default Oracle database accounts as necessary to support execution of applications/utilities installed with an Oracle Database Server. At a minimum, revoke the following:


UNCLASSIFIED

4-33 V8R1.3 Mar 2009

From SQL*Plus: revoke execute on UTL_FILE from PUBLIC; revoke execute on UTL_SMTP from PUBLIC; revoke execute on UTL_TCP from PUBLIC; revoke execute on UTL_HTTP from PUBLIC; revoke execute on DBMS_RANDOM from PUBLIC; revoke execute on DBMS_LOB from PUBLIC; revoke execute on DBMS_SQL from PUBLIC; revoke execute on DBMS_SYS_SQL from PUBLIC; revoke execute on DBMS_JOB from PUBLIC; revoke execute on DBMS_BACKUP_RESTORE from PUBLIC; revoke execute on DBMS_OBFUSCATION_TOOLKIT from PUBLIC;





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-34 V8R1.3 Mar 2009

4.26 DO3686: Oracle SYS.LINK$ table access (10.1 and earlier)

Description: The SYS.LINK$ table contains unencrypted passwords to enable transparent connections to remote databases. In addition, remote database connections themselves can provide information to unauthorized users about remote databases that may assist them in furthering unauthorized access. Check:

If the database version is 10.2 or later, this check is NA. From SQL*Plus: select grantee||': '||privilege from dba_tab_privs where grantee <> 'DELETE_CATALOG_ROLE' and table_name='LINK$' and grantee not in (select grantee from dba_role_privs where granted_role='DBA'); If any records are returned, this is a Finding.

Fix: There are no workarounds to protect against this potential vulnerability but it is possible to reduce the potential impact by performing the steps below:

1. Drop the database link and create a link without specifying an account and password. To drop and recreate a database link without hard coding the password, execute the commands:

From SQL*Plus: drop database link [link name]; create database link [link name] using [connection string];

2. Revoke permissions from accounts and roles:

From SQL*Plus: revoke select on SYS.LINK$ from [account or role];





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-35 V8R1.3 Mar 2009

4.27 DO3689: Oracle object permission assignment to PUBLIC

Description: Permissions on objects may be granted to the user group PUBLIC. Because every database user is a member of the PUBLIC group, granting object permissions to PUBLIC gives all users in the database access to that object. In a secure environment, granting object permissions to PUBLIC should be restricted to those objects that all users are allowed to access. The policy does not require object permissions assigned to PUBLIC by the installation of Oracle Database server components be revoked (with exception of the packages listed in DO3475). Check:

From SQL*Plus: select owner||'.'||table_name||': '||privilege from dba_tab_privs where grantee='PUBLIC' and owner not in ('SYS','CTXSYS','MDSYS','ODM','OLAPSYS','MTSSYS','ORDPLUGINS', 'ORDSYS','SYSTEM','WKSYS','WMSYS','XDB','LBACSYS','PERFSTAT', 'SYSMAN','DMSYS','EXFSYS'); If any records that are not Oracle product accounts are returned, this is a Finding. NOTE: This check may return false positives where other Oracle product accounts are not included in the exclusion list.

Fix: Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts. From SQL*Plus: revoke [privilege name] from [user name] on [object name]; Assign permissions to custom application user roles based on job functions: From SQL*Plus: grant [privilege name] to [user role] on [object name];





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-36 V8R1.3 Mar 2009

4.28 DO0170: Oracle predefined roles

Description: Default roles are maintained by Oracle and may be changed by Oracle during product updates. Default roles other than DBA roles may be assigned privileges in excess of those required for job functions as defined for the specific implementation. This may lead to unauthorized access to the database configuration or database application objects. Check:

From SQL*Plus: select grantee||': '||granted_role from dba_role_privs where grantee not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP', 'DMSYS','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS', 'MGMT_VIEW','ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS', 'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','REPADMIN','RMAN', 'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR', 'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB') and grantee not in (select role from dba_roles) and grantee not in (select grantee from dba_role_privs where granted_role='DBA') and grantee not in (select distinct owner from dba_objects) and granted_role in ('AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE', 'AUTHENTICATEDUSER','CONNECT','CTXAPP', 'DELETE_CATALOG_ROLE','EJBCLIENT','EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS', 'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE', 'IMP_FULL_DATABASE','JAVADEBUGPRIV','JAVAIDPRIV', 'JAVASYSPRIV','JAVAUSERPRIV','JAVA_ADMIN','JAVA_DEPLOY', 'LOGSTDBY_ADMINISTRATOR','OEM_MONITOR','OLAP_DBA', 'RECOVERY_CATALOG_OWNER','RESOURCE', 'SALES_HISTORY_ROLE','SELECT_CATALOG_ROLE','WKUSER', 'WM_ADMIN_ROLE','XDBADMIN') order by grantee; If any records are returned, this is a Finding.

Fix: Revoke predefined roles and use custom defined roles to assign privileges. Create custom-defined roles for each discrete application user/administrator function required for your database and assign the minimum privileges necessary to perform the function.

VKEY: V0002514 Severity: CAT 2 Policy: All MAC/CONF: 1-


UNCLASSIFIED

4-37 V8R1.3 Mar 2009

Policies CSP;2-CSP;3-CSP



Responsibility: IAO

Documentable: False




UNCLASSIFIED

4-38 V8R1.3 Mar 2009

4.29 DO0320: Oracle PUBLIC role privileges

Description: Application roles have been granted to PUBLIC. Permissions granted to PUBLIC are granted to all users of the database. Custom roles should be used to assign application permissions to functional groups of application users. The installation of Oracle does not assign role permissions to PUBLIC. Check:

From SQL*Plus: select granted_role from dba_role_privs where grantee='PUBLIC'; If any roles are listed, this is a Finding.

Fix: Revoke role grants from PUBLIC. Do not assign role privileges to PUBLIC. From SQL*Plus: revoke [role name] from PUBLIC;





Responsibility: DBA

Documentable: False




UNCLASSIFIED

4-39 V8R1.3 Mar 2009

4.30 DO3709: Oracle direct privilege assignment to accounts

Description: Granting permissions to accounts is error prone and repetitive. Using roles allows for group management of privileges assigned by function and reduces the likelihood of wrongfully assigned privileges. Assign permissions to roles and then grant the roles to accounts. Check:

From SQL*Plus: select grantee||': '||privilege||': '||owner||'.'||table_name from dba_tab_privs where grantee not in (select role from dba_roles) and grantee not in ('APEX_PUBLIC_USER','AURORA$JIS$UTILITY$','CTXSYS', 'DBSNMP', 'EXFSYS','FLOWS_030000','FLOWS_FILES','LBACSYS','MDSYS', 'MGMT_VIEW','ODM','OLAPSYS','ORACLE_OCM','ORDPLUGINS', 'ORDSYS','OSE$HTTP$ADMIN','OUTLN','OWBSYS','PERFSTAT', 'PUBLIC','REPADMIN','SYS','SYSMAN','SYSTEM','WKSYS','WMSYS', 'XDB') and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE' and table_name not like '%RP' and grantee not in (select grantee from dba_tab_privs where table_name in ('DBMS_DEFER','DEFLOB')); If any records are returned, this is a Finding. NOTE: This check may report false positives where other ORACLE products have been installed. Accounts installed with other Oracle products are exempt from this requirement.

Fix: Revoke privileges assigned directly to database accounts and assign them to roles based on job functions. Assign users who are assigned responsibility for the job function to the defined role. From SQL*Plus: revoke [privilege] on [object name] from [user name]; grant [privilege] on [object name] to [role name];


UNCLASSIFIED

4-40 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0121: CAT II) The DBA will ensure database privileges are assigned via roles and not directly assigned to database accounts. Privileges may be assigned directly to application owner accounts where the DBMS does not otherwise support access via roles.


UNCLASSIFIED

4-41 V8R1.3 Mar 2009

4.31 DG0133: DBMS Account lock time

Description: When no limit is imposed on failed logon attempts and accounts are not disabled after a set number of failed access attempts, then the DBMS account is vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood of success is increased. A successful attempt results in unauthorized access to the database. Check:

From SQL*Plus: select profile from dba_profiles where resource_name='PASSWORD_LOCK_TIME' and limit not in ('UNLIMITED',’DEFAULT’); If any profiles are listed, this is a Finding. A value of UNLIMITED means that the account is locked until it is manually unlocked.

Fix: Set the password_lock_time on all defined profiles to unlimited. This will require the DBA to re-enable manually every account after the failed login limit has been reached. From SQL*Plus: alter profile default limit password_lock_time unlimited; alter profile [profile name] limit password_lock_time default; Replace [profile name] with an existing, non-default profile name.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0133: CAT II) The DBA will configure the DBMS to set the duration of database account lockouts to an unlimited time that requires the DBA to unlock manually the account.


UNCLASSIFIED

4-42 V8R1.3 Mar 2009

4.32 DO0400: Oracle demo applications and accounts

Description: Demonstration accounts and objects should be removed from the database. Database demonstration accounts and applications are not required for production operation and contain documented vulnerabilities. Check:

From SQL*Plus: select username from dba_users where username in ('SCOTT','HR','IX','OE','PM','SH','COMPANY','MFG','FINANCE', 'ANYDATA_USER','ANYDSET_USER','ANYTYPE_USER','AQJAVA', 'AQUSER','AQXMLUSER','GPFD','GPLD','MMO2','XMLGEN1','BLAKE', 'ADAMS','CLARK','JONES') or username like 'QS%' or username like 'USER%' or username like '%DEMO%' or username like 'SERVICECONSUMER%'; If any usernames are listed, this is a Finding. NOTE: This check can report false positives. If the DBA reports that any account names listed belong to individual users and are NOT a product of demonstration software installation, then they can be removed from the findings list. See MetaLink note 160861.1 for a list of Oracle database users and usages.

Fix: For the sample applications and schemas with the Oracle database installation, use the provided SQL scripts (if present) to remove the application objects and drop the demo users and schemas: From SQL*Plus: -- Human Resources application: @?/demo/schema/human_resources.hr_drop.sql -- Order Entry application: @?/demo/schema/order_entry/oe_drop.sql and oc_drop.sql -- Product Media application: @?/demo/schema/product_media/pm_drop.sql -- Information Exchange application: @?/demo/schema/information_exchange/ix_drop.sql -- Sales History application: @?/demo/schema/sales_history/sh_drop.sql For other demo applications, deinstall using the SQL command: drop user [demo username] cascade;


UNCLASSIFIED

4-43 V8R1.3 Mar 2009

Remove any application directories where sample applications are installed.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0014: CAT II) The DBA will ensure database applications, user accounts, and objects installed for demonstration of database features, experimentation, or other non-production support purposes have been removed from the database and host system.


UNCLASSIFIED

4-44 V8R1.3 Mar 2009

4.33 DO3445: Oracle default account passwords

Description: Oracle databases have several well-known default username/password combinations. Default passwords may provide unauthorized access to the server. Default accounts should be locked and expired when they are not required for daily operations. This finding is a Category I severity because the fully privileged Database Administrator accounts SYS and SYSTEM have well known default passwords and these accounts provide full access to the database. Check:

From SQL*Plus: select decode(type#,0,'ROLE',1,'USER') type, name, decode(astatus, 0,'OPEN', 1,'EXPIRED', 2,'EXPIRED(GRACE)', 4,'LOCKED(TIMED)', 8,'LOCKED', 5,'EXPIRED and LOCKED(TIMED)', 6,'EXPIRED(GRACE) and LOCKED(TIMED)', 9,'EXPIRED and LOCKED', 10,'EXPIRED(GRACE) and LOCKED') account_status from sys.user$ where password = decode(name, 'AASH','9B52488370BB3D77','ABA1','30FD307004F350DE','ABM','D0F2982F121C7840','AD_MONITOR','54F0C83F51B03F49','ADAMS','72CDEF4A3483F60D','ADS','D23F0F5D871EB69F','ADSEUL_US','4953B2EB6FCB4339','AHL','7910AE63C9F7EEEE','AHM','33C2E27CF5E401A4','AK','8FCB78BBA8A59515','AL','384B2C568DE4C2B5','ALA1','90AAC5BD7981A3BA','ALLUSERS','42F7CD03B7D2CA0F','ALR','BE89B24F9F8231A9','AMA1','585565C23AB68F71','AMA2','37E458EE1688E463','AMA3','81A66D026DC5E2ED','AMA4','194CCC94A481DCDE','AMF','EC9419F55CDC666B','AMS','BD821F59270E5F34','AMS1','DB8573759A76394B','AMS2','EF611999C6AD1FD7','AMS3','41D1084F3F966440','AMS4','5F5903367FFFB3A3','AMSYS','4C1EF14ECE13B5DE','AMV','38BC87EB334A1AC4','AMW','0E123471AACA2A62','ANNE','1EEA3E6F588599A6','ANONYMOUS','94C33111FD9C66F3','AOLDEMO','D04BBDD5E643C436','AP','EED09A552944B6AD','APA1','D00197BF551B2A79','APA2','121C6F5BD4674A33','APA3','5F843C0692560518','APA4','BF21227532D2794A','APPLEAD','5331DB9C240E093B','APPLSYS','0F886772980B8C79','APPLSYS','E153FFF4DAE6C9F7','APPLSYSPUB','D2EEF40EE87221E','APPS','D728438E8A5925E0','APS1','F65751C55EA079E6','APS2','5CACE7B928382C8B','APS3','C786695324D7FB3B','APS4','F86074C4F4F82D2C','AQDEMO','5140E342712061DD','AQJAVA','8765D2543274B42E','AQUSER','4CF13BDAC1D7511C','AR','BBBFE175688DED7E','ARA1','4B9F4E0667857EB8','ARA2','F4E52BFBED4652CD','ARA3','E3D8D73AE399F7FE','ARA4','758FD31D826E9143','ARS1','4332


UNCLASSIFIED

4-45 V8R1.3 Mar 2009

63ED08C7A4FD','ARS2','F3AF9F26D0213538','ARS3','F6755F08CC1E7831','ARS4','452B5A381CABB241','ART','665168849666C4F3','ASF','B6FD427D08619EEE','ASG','1EF8D8BD87CF16BE','ASL','03B20D2C323D0BFE','ASN','1EE6AEBD9A23D4E0','ASO','F712D80109E3C9D8','ASP','CF95D2C6C85FF513','AST','F13FF949563EAB3C','AUC_GUEST','8A59D349DAEC26F7','AURORA$ORB$UNAUTHENTICATED','80C099F0EADF877E','AUTHORIA','CC78120E79B57093','AX','0A8303530E86FCDD','AZ','AAA18B5D51B0D5AC','B2B','CC387B24E013C616','BAM','031091A1D1A30061','BCA1','398A69209360BD9D','BCA2','801D9C90EBC89371','BEN','9671866348E03616','BIC','E84CC95CBBAC1B67','BIL','BF24BCE2409BE1F7','BIM','6026F9A8A54B9468','BIS'','7E9901882E5F3565','BIV','2564B34BE50C2524','BIX','3DD36935EAEDE2E3','BLAKE','9435F2E60569158E','BMEADOWS','2882BA3D3EE1F65A','BNE','080B5C7EE819BF78','BOM','56DB3E89EAE5788E','BP01','612D669D2833FACD','BP02','FCE0C089A3ECECEE','BP03','0723FFEEFBA61545','BP04','E5797698E0F8934E','BP05','58FFC821F778D7E9','BP06','2F358909A4AA6059','BSC','EC481FD7DCE6366A','BUYACCT','D6B388366ECF2F61','BUYAPPR1','CB04931693309228','BUYAPPR2','3F98A3ADC037F49C','BUYAPPR3','E65D8AD3ACC23DA3','BUYER','547BDA4286A2ECAE','BUYMTCH','0DA5E3B504CC7497','CAMRON','4384E3F9C9C9B8F1','CANDICE','CF458B3230215199','CARL','99ECCC664FFDFEA2','CARLY','F7D90C099F9097F1','CARMEN','46E23E1FD86A4277','CARRIECONYERS','9BA83B1E43A5885B','CATADMIN','AF9AB905347E004F','CE','E7FDFE26A524FE39','CEASAR','E69833B8205D5DD7','CENTRA','63BF5FFE5E3EA16D','CFD','667B018D4703C739','CHANDRA','184503FA7786C82D','CHARLEY','E500DAA705382E8D','CHRISBAKER','52AFB6B3BE485F81','CHRISTIE','C08B79CCEC43E798','CINDY','3AB2C717D1BD0887','CLARK','74DF527800B6D713','CLARK','7AAFE7D01511D73F','CLAUDE','C6082BCBD0B69D20','CLINT','163FF8CCB7F11691','CLN','A18899D42066BFCA','CN','73F284637A54777D','CNCADMIN','C7C8933C678F7BF9','CONNIE','982F4C420DD38307','CONNOR','52875AEB74008D78','CORY','93CE4CCE632ADCD2','CRM1','6966EA64B0DFC44E','CRM2','B041F3BEEDA87F72','CRP','F165BDE5462AD557','CRPB733','2C9AB93FF2999125','CRPCTL','4C7A200FB33A531D','CRPDTA','6665270166D613BC','CS','DB78866145D4E1C3','CSADMIN','94327195EF560924','CSAPPR1','47D841B5A01168FF','CSC','EDECA9762A8C79CD','CSD','144441CEBAFC91CF','CSDUMMY','7A587C459B93ACE4','CSE','D8CC61E8F42537DA','CSF','684E28B3C899D42C','CSI','71C2B12C28B79294','CSL','C4D7FE062EFB85AB','CSM','94C24FC0BE22F77F','CSMIG','09B4BB013FBD0D65','CSP','5746C5E077719DB4','CSR','0E0F7C1B1FE3FA32','CSS','3C6B8C73DDC6B04F','CTXDEMO','CB6B5E9D9672FE89','CTXSYS','24ABAB8B06281B4C','CTXSYS','71E687F036AD56E5','CTXTEST','064717C317B551B6','CUA','CB7B2E6FFDD7976F','CUE','A219FE4CA25023AA','CUF','82959A9BD2D51297','CUG','21FBCADAEAFCC489','CUI','AD7862E01FA80912','CUN','41C2D31F3C85A79D','CUP','C03082CD3B13EC42','CUS','00A12CC6EBF8EDB8','CZ','9B667E9C5A0D21A6','DAVIDMORGAN','B717BAB262B7A070','DBSNMP','E066D214D5421CCC','DCM','45CCF86E1058D3A5','DD7333','44886308CF32B5D4','DD7334','D7511E19D9BD0F90','DD810','0F9473D8D8105590','DD811','D8084AE609C9A2FD','DD812','AB71915CF21E849E','DD9','E81821D0307


UNCLASSIFIED

4-46 V8R1.3 Mar 2009

0818C','DDB733','7D11619CEE99DE12','DDD','6CB03AF4F6DD133D','DEMO8','0E7260738FDFD678','DES','ABFEC5AC2274E54D','DES2K','611E7A73EC4B425A','DEV2000_DEMOS','18A0C8BD6B13BEE2','DEVB733','7500DF89DC99C057','DEVUSER','C10B4A80D00CA7A5','DGRAY','5B76A1EB8F212B85','DIP','CE4A36B8E06CA59C','DISCOVERER5','AF0EDB66D914B731','DKING','255C2B0E1F0912EA','DLD','4454B932A1E0E320','DMADMIN','E6681A8926B40826','DMATS','8C692701A4531286','DMS','1351DC7ED400BD59','DMSYS','BFBA5A553FD9E28A','DOM','51C9F2BECA78AE0E','DPOND','79D6A52960EEC216','DSGATEWAY','6869F3CFD027983A','DV7333','36AFA5CD674BA841','DV7334','473B568021BDB428','DV810','52C38F48C99A0352','DV811','B6DC5AAB55ECB66C','DV812','7359E6E060B945BA','DV9','07A1D03FD26E5820','DVP1','0559A0D3DE0759A6','EAA','A410B2C5A0958CDF','EAM','CE8234D92FCFB563','EC','6A066C462B62DD46','ECX','0A30645183812087','EDR','5FEC29516474BB3A','EDWEUL_US','5922BA2E72C49787','EDWREP','79372B4AB748501F','EGC1','D78E0F2BE306450D','EGD1','DA6D6F2089885BA6','EGM1','FB949D5E4B5255C0','EGO','B9D919E5F5A9DA71','EGR1','BB636336ADC5824A','END1','688499930C210B75','ENG','4553A3B443FB3207','ENI','05A92C0958AFBCBC','ENM1','3BDABFD1246BFEA2','ENS1','F68A5D0D6D2BB25B','ENTMGR_CUST','45812601EAA2B8BD','ENTMGR_PRO','20002682991470B3','ENTMGR_TRAIN','BE40A3BE306DD857','EOPP_PORTALADM','B60557FD8C45005A','EOPP_PORTALMGR','9BB3CF93F7DE25F1','EOPP_USER','13709991FC4800A1','EUL_US','28AEC22561414B29','EVM','137CEDC20DE69F71','EXA1','091BCD95EE112EE3','EXA2','E4C0A21DBD06B890','EXA3','40DC4FA801A73560','EXA4','953885D52BDF5C86','EXFSYS','66F4EF5650C20355','EXS1','C5572BAB195817F0','EXS2','8FAA3AC645793562','EXS3','E3050174EE1844BA','EXS4','E963BFE157475F7D','FA','21A837D0AED8F8E5','FEM','BD63D79ADF5262E7','FIA1','2EB76E07D3E094EC','FII','CF39DE29C08F71B9','FLM','CEE2C4B59E7567A3','FNI1','308839029D04F80C','FNI2','05C69C8FEAB4F0B9','FPA','9FD6074B9FD3754C','FPT','73E3EC9C0D1FAECF','FRM','9A2A7E2EBE6E4F71','FTA1','65FF9AB3A49E8A13','FTE','2FB4D2C9BAE2CCCA','FUN','8A7055CA462DB219','FV','907D70C0891A85B1','FVP1','6CC7825EADF994E8','GALLEN','F8E8ED9F15842428','GCA1','47DA9864E018539B','GCA2','FD6E06F7DD50E868','GCA3','4A4B9C2E9624C410','GCA9','48A7205A4C52D6B5','GCMGR1','14A1C1A08EA915D6','GCMGR2','F4F11339A4221A4D','GCMGR3','320F0D4258B9D190','GCS','7AE34CA7F597EBF7','GCS1','2AE8E84D2400E61D','GCS2','C242D2B83162FF3D','GCS3','DCCB4B49C68D77E2','GEORGIAWINE','F05B1C50A1C926DE','GL','CD6E99DACE4EA3A6','GLA1','86C88007729EB36F','GLA2','807622529F170C02','GLA3','863A20A4EFF7386B','GLA4','DB882CF89A758377','GLS1','7485C6BD564E75D1','GLS2','319E08C55B04C672','GLS3','A7699C43BB136229','GLS4','7C171E6980BE2DB9','GM_AWDA','4A06A107E7A3BB10','GM_COPI','03929AE296BAAFF2','GM_DPHD','0519252EDF68FA86','GM_MLCT','24E8B569E8D1E93E','GM_PLADMA','2946218A27B554D8','GM_PLADMH','2F6EDE96313AF1B7','GM_PLCCA','7A99244B545A038D','GM_PLCCH','770D9045741499E6','GM_PLCOMA','91524D7DE2B789A8','GM_PLCOMH','FC1C6E0864BF0AF2','GM_PLCONA','1F531397B19B1E05','GM_PLCONH','C5FE216EB8FCD023','GM_PLNSCA','DB9DD236


UNCLASSIFIED

4-47 V8R1.3 Mar 2009

1D011A30','GM_PLNSCH','C80D557351110D51','GM_PLSCTA','3A778986229BA20C','GM_PLSCTH','9E50865473B63347','GM_PLVET','674885FDB93D34B9','GM_SPO','E57D4BD77DAF92F0','GM_STKH','C498A86BE2663899','GMA','DC7948E807DFE242','GMD','E269165256F22F01','GME','B2F0E221F45A228F','GMF','A07F1956E3E468E1','GMI','82542940B0CF9C16','GML','5F1869AD455BBA73','GMP','450793ACFCC7B58E','GMS','E654261035504804','GR','F5AB0AA3197AEE42','GUEST','1C0A090E404CECD0','HCC','25A25A7FEFAC17B6','HHCFO','62DF37933FB35E9F','HR','4C6D73C3E8B0F0DA','HRI','49A3A09B8FC291D0','HXC','4CEA0BF02214DA55','HXT','169018EB8E2C4A77','IA','42C7EAFBCEEC09CC','IBA','0BD475D5BF449C63','IBC','9FB08604A30A4951','IBE','9D41D2B3DD095227','IBP','840267B7BD30C82E','IBU','0AD9ABABC74B3057','IBY','F483A48F6A8C51EC','ICX','7766E887AF4DCC46','IEB','A695699F0F71C300','IEC','CA39F929AF0A2DEC','IEM','37EF7B2DD17279B5','IEO','E93196E9196653F1','IES','30802533ADACFE14','IEU','5D0E790B9E882230','IEX','6CC978F56D21258D','IGC','D33CEB8277F25346','IGF','1740079EFF46AB81','IGI','8C69D50E9D92B9D0','IGS','DAF602231281B5AC','IGW','B39565F4E3CF744B','IMC','C7D0B9CDE0B42C73','IMT','E4AAF998653C9A72','INS1','2ADC32A0B154F897','INS2','EA372A684B790E2A','INTERNET_APPSERVER_REGISTRY','A1F98A977FFD73CD','INV','ACEAB015589CF4BC','IP','D29012C144B58A40','IPA','EB265A08759A15B4','IPD','066A2E3072C1F2F3','ISC','373F527DC0CFAE98','ISTEWARD','8735CA4085DE3EEA','ITG','D90F98746B68E6CA','JA','9AC2B58153C23F3D','JD7333','FB5B8A12AE623D52','JD7334','322810FCE43285D9','JD9','9BFAEC92526D027B','JDE','7566DC952E73E869','JDEDBA','B239DD5313303B1D','JE','FBB3209FD6280E69','JG','37A99698752A1CF1','JL','489B61E488094A8D','JOHNINARI','B3AD4DA00F9120CE','JONES','B9E99443032F059D','JTF','5C5F6FC2EBB94124','JTI','B8F03D3E72C96F7','JTM','6D79A2259D5B4B5A','JTR','B4E2BE38B556048F','JTS','4087EE6EB7F9CD7C','JUNK_PS','BBC38DB05D2D3A7A','JUSTOSHUM','53369CD63902FAAA','KELLYJONES','DD4A3FF809D2A6CF','KEVINDONS','7C6D9540B45BBC39','KPN','DF0AED05DE318728','LADAMS','AE542B99505CDCD2','LBA','18E5E15A436E7157','LBACSYS','AC9700FD3F1410EB','LDQUAL','1274872AB40D4FCD','LHILL','E70CA2CA0ED555F5','LNS','F8D2BC61C10941B2','LQUINCY','13F9B9C1372A41B6','LSA','2D5E6036E3127B7E','MDDATA','DF02A496267DEE66','MDSYS','72979A94BAD2AF80','MDSYS','9AAEB2214DCC9A31','ME','E5436F7169B29E4D','MFG','FC1B0DD35E790847','MGR1','E013305AB0185A97','MGR2','5ADE358F8ACE73E8','MGR3','05C365C883F1251A','MGR4','E229E942E8542565','MIKEIKEGAMI','AAF7A168C83D5C47','MJONES','EE7BB3FEA50A21C5','MLAKE','7EC40274AC1609CA','MM1','4418294570E152E7','MM2','C06B5B28222E1E62','MM3','A975B1BD0C093DA3','MM4','88256901EB03A012','MM5','4CEA62CBE776DCEC','MMARTIN','D52F60115FE87AA4','MOBILEADMIN','253922686A4A45CC','MRP','B45D4DF02D4E0C85','MSC','89A8C104725367B2','MSD','6A29482069E23675','MSO','3BAA3289DB35813C','MSR','C9D53D00FE77D813','MST','A96D2408F62BE1BC','MWA','1E2F06BE2A1D41A6','NEILKATSU','1F625BB9FEBC7617','OBJ7333','D7BDC9748AFEDB52','OBJ7334','EB6C5E9DB4643CAC','OBJB733','61737A9F7D54EF5F','OCA','9BC450E4C6569492','ODM','C252E8FA117AF049','ODM_MTR','A7A32CD03


UNCLASSIFIED

4-48 V8R1.3 Mar 2009

D3CE8D5','ODS','89804494ADFC71BC','ODSCOMMON','59BBED977430C1A8','OE','D1A2DFC623FDA40A','OKB','A01A5F0698FC9E31','OKC','31C1DDF4D5D63FE6','OKE','B7C1BB95646C16FE','OKI','991C817E5FD0F35A','OKL','DE058868E3D2B966','OKO','6E204632EC7CA65D','OKR','BB0E28666845FCDC','OKS','C2B4C76AB8257DF5','OKX','F9FDEB0DE52F5D6B','OL810','E2DA59561CBD0296','OL811','B3E88767A01403F8','OL812','AE8C7989346785BA','OL9','17EC83E44FB7DB5B','OLAPSYS','3FB8EF9DB538647C','ONT','9E3C81574654100A','OPI','1BF23812A0AEEDA0','ORABAM','D0A4EA93EF21CE25','ORABAMSAMPLES','507F11063496F222','ORABPEL','26EFDE0C9C051988','ORAESB','CC7FCCB3A1719EDA','ORAOCA_PUBLIC','FA99021634DDC111','ORASAGENT','234B6F4505AD8F25','ORASSO','F3701A008AA578CF','ORASSO_DS','17DC8E02BC75C141','ORASSO_PA','133F8D161296CB8F','ORASSO_PS','63BB534256053305','ORASSO_PUBLIC','C6EED68A8F75F5D3','ORDPLUGINS','88A2B2C183431F00','ORDSYS','7EFA02EC7EA6B86F','OSM','106AE118841A5D8C','OTA','F5E498AC7009A217','OUTLN','4A3BA55E08595C81','OWAPUB','6696361B64F9E0A9','OWF_MGR','3CBED37697EB01D1','OZF','970B962D942D0C75','OZP','B650B1BB35E86863','OZS','0DABFF67E0D33623','PA','8CE2703752DB36D8','PABLO','5E309CB43FE2C2FF','PAIGE','02B6B704DFDCE620','PAM','1383324A0068757C','PARRISH','79193FDACFCE46F6','PARSON','AE28B2BD64720CD7','PAT','DD20769D59F4F7BF','PATORILY','46B7664BD15859F9','PATRICKSANCHEZ','47F74BD3AD4B5F0A','PATSY','4A63F91FEC7980B7','PAUL','35EC0362643ADD3F','PAULA','BB0DC58A94C17805','PAXTON','4EB5D8FAD3434CCC','PCA1','8B2E303DEEEEA0C0','PCA2','7AD6CE22462A5781','PCA3','B8194D12FD4F537D','PCA4','83AD05F1D0B0C603','PCS1','2BE6DD3D1DEA4A16','PCS2','78117145145592B1','PCS3','F48449F028A065B1','PCS4','E1385509C0B16BED','PD7333','5FFAD8604D9DC00F','PD7334','CDCF262B5EE254E1','PD810','EB04A177A74C6BCB','PD811','3B3C0EFA4F20AC37','PD812','E73A81DB32776026','PD9','CACEB3F9EA16B9B7','PDA1','C7703B70B573D20F','PEARL','E0AFD95B9EBD0261','PEG','20577ED9A8DB8D22','PENNY','BB6103E073D7B811','PEOPLE','613459773123B38A','PERCY','EB9E8B33A2DDFD11','PERRY','D62B14B93EE176B6','PETE','4040619819A9C76E','PEYTON','B7127140004677FC','PHIL','181446AE258EE2F6','PJI','5024B1B412CD4AB9','PJM','021B05DBB892D11F','PMI','A7F7978B21A6F65E','PN','D40D0FEF9C8DC624','PO','355CBEC355C10FEF','POA','2AB40F104D8517A0','POLLY','ABC770C112D23DBE','POM','123CF56E05D4EF3C','PON','582090FD3CC44DA3','PORTAL','A96255A27EC33614','PORTAL_APP','831A79AFB0BD29EC','PORTAL_DEMO','A0A3A6A577A931A3','PORTAL_PUBLIC','70A9169655669CE8','PORTAL30','969F9C3839672C6D','PORTAL30_DEMO','CFD1302A7F832068','PORTAL30_PUBLIC','42068201613CA6E2','PORTAL30_SSO','882B80B587FCDBC8','PORTAL30_SSO_PS','F2C3DC8003BC90F8','PORTAL30_SSO_PUBLIC','98741BDA2AC7FFB2','POS','6F6675F272217CF7','PPM1','AA4AE24987D0E84B','PPM2','4023F995FF78077C','PPM3','12F56FADDA87BBF9','PPM4''84E17CB7A3B0E769','PPM5','804C159C660F902C','PRISTB733','1D1BCF8E03151EF5','PRISTCTL','78562A983A2F78FB','PRISTDTA','3FCBC379C8FE079C','PRODB733','9CCD49EB30CB80C4','PRODCTL','E5DE2F01529AE93C','PRODDTA','2A97CD2281B256BA','PRODUSER','752E503EFBF2C


UNCLASSIFIED

4-49 V8R1.3 Mar 2009

2CA','PROJMFG','34D61E5C9BC7147E','PRP','C1C4328F8862BC16','PS','0AE52ADF439D30BD','PS810','90C0BEC7CA10777E','PS810CTL','D32CCE5BDCD8B9F9','PS810DTA','AC0B7353A58FC778','PS811','B5A174184403822F','PS811CTL','18EDE0C5CCAE4C5A','PS811DTA','7961547C7FB96920','PS812','39F0304F007D92C8','PS812CTL','E39B1CE3456ECBE5','PS812DTA','3780281C933FE164','PSA','FF4B266F9E61F911','PSB','28EE1E024FC55E66','PSBASS','F739804B718D4406','PSEM','40ACD8C0F1466A57','PSFT','7B07F6F3EC08E30D','PSFTDBA','E1ECD83073C4E134','PSP','4FE07360D435E2F0','PTADMIN','4C35813E45705EBA','PTCNE','463AEFECBA55BEE8','PTDMO','251D71390034576A','PTE','380FDDB696F0F266','PTESP','5553404C13601916','PTFRA','A360DAD317F583E3','PTG','7AB0D62E485C9A3D','PTGER','C8D1296B4DF96518','PTJPN','2159C2EAF20011BF','PTUKE,'D0EF510BCB2992A3','PTUPG','2C27080C7CC57D06','PTWEB','8F7F509D4DC01DF6','PTWEBSERVER','3C8050536003278B','PV','76224BCC80895D3D','PY7333','2A9C53FE066B852F','PY7334','F3BBFAE0DDC5F7AC','PY810','95082D35E94B88C2','PY811','DC548D6438E4D6B7','PY812','99C575A55E9FDA63','PY9','B8D4E503D0C4FCFD','QA','C7AEAA2D59EB1EAE','QOT','B27D0E5BA4DC8DEA','QP','10A40A72991DCA15','QRM','098286E4200B22DE','QS','4603BCD2744BDE4F','QS_ADM','3990FB418162F2A0','QS_CB','870C36D8E6CD7CF5','QS_CBADM','20E788F9D4F1D92C','QS_CS','2CA6D0FC25128CF3','QS_ES','9A5F2D9F5D1A9EF4','QS_OS','0EF5997DC2638A61','QS_WS','0447F2F756B4F460','RENE','9AAD141AB0954CF0','REPADMIN','915C93F34954F5F8','REPORTS','0D9D14FE6653CF69','REPORTS_USER','635074B4416CD3AC','RESTRICTED_US','E7E67B60CFAFBB2D','RG','0FAA06DA0F42F21F','RHX','FFDF6A0C8C96E676','RLA','C1959B03F36C9BB2','RLM','4B16ACDA351B557D','RM1','CD43500DAB99F447','RM2','2D8EE7F8857D477E','RM3','1A95960A95AC2E1D','RM4','651BFD4E1DE4B040','RM5','FDCC34D74A22517C','RMAN','E7B5D92911C831E1','ROB','94405F516486CA24','RPARKER','CEBFE4C41BBCC306','RWA1','B07E53895E37DBBB','SALLYH','21457C94616F5716','SAM','4B95138CB6A4DB94','SARAHMANDY','60BE21D8711EE7D9','SCM1','507306749131B393','SCM2','CBE8D6FAC7821E85','SCM3','2B311B9CDC70F056','SCM4','1FDF372790D5A016','SCOTT','F894844C34402B67','SDAVIS','A9A3B88C6A550559','SECDEMO','009BBE8142502E10','SEDWARDS','00A2EDFD7835BC43','SELLCM','8318F67F72276445','SELLER','B7F439E172D5C3D0','SELLTREAS','6EE7BA85E9F84560','SERVICES','B2BE254B514118A5','SETUP','9EA55682C163B9A3','SH','54B253CBBAAA8C48','SI_INFORMTN_SCHEMA','84B8CBCA4D477FA3','SID','CFA11E6EBA79D33E','SKAYE','ED671B63BDDB6B50','SKYTETSUKA','EB5DA777D1F756EC','SLSAA','99064FC6A2E4BBE8','SLSMGR','0ED44093917BE294','SLSREP','847B6AAB9471B0A5','SRABBITT','85F734E71E391DF5','SRALPHS','975601AA57CBD61A','SRAY','C233B26CFC5DC643','SRIVERS','95FE94ADC2B39E08','SSA1','DEE6E1BEB962AA8B','SSA2','96CA278B20579E34','SSA3','C3E8C3B002690CD4','SSC1','4F7AC652CC728980','SSC2','A1350B328E74AE87','SSC3','EE3906EC2DA586D8','SSOSDK','7C48B6FF3D54D006','SSP','87470D6CE203FB4D','SSS1','E78C515C31E83848','SUPPLIER','2B45928C2FE77279','SVM7333','04B731B0EE953972','SVM7334','62E2A2E886945CC8','SVM810','0A3DCD8CA3B6ABD9','SVM811','2B0CD57B1091C936','SVM812','778632974


UNCLASSIFIED

4-50 V8R1.3 Mar 2009

E3947C9','SVM9','552A60D8F84441F1','SVMB733','DD2BFB14346146FE','SVP1','F7BF1FFECE27A834','SY810','D56934CED7019318','SY811','2FDC83B401477628','SY812','812B8D7211E7DEF1','SY9','3991E64C4BC2EC5D','SYS','43CA255A7916ECFE','SYS','5638228DAF52805F','SYS','D4C5016086B2DC6A','SYS7333','D7CDB3124F91351E','SYS7334','06959F7C9850F1E3','SYSADMIN','DC86E8DEAA619C1A','SYSB733','7A7F5C90BEC02F0E','SYSMAN','EB258E708132DD2D','SYSTEM','4D27CA6E3E3066E6','SYSTEM','D4DF7931AB130E37','TDEMARCO','CAB71A14FA426FAE','TDOS_ICSAP','7C0900F751723768','TESTCTL','205FA8DF03A1B0A6','TESTDTA','EEAF97B5F20A3FA3','TRA1','BE8EDAE6464BA413','TRACESVR','F9DA8977092B7B81','TRBM1','B10ED16CD76DBB60','TRCM1','530E1F53715105D0','TRDM1','FB1B8EF14CF3DEE7','TRRM1','4F29D85290E62EBE','TWILLIAMS','6BF819CE663B8499','UDDISYS','BF5E56915C3E1C64','VEA','D38D161C22345902','VEH','72A90A786AAE2914','VIDEO31','2FA72981199F9B97','VIDEO4','9E9B1524C454EEDE','VIDEO5','748481CFF7BE98BB','VP1','3CE03CD65316DBC7','VP2','FCCEFD28824DFEC5','VP3','DEA4D8290AA247B2','VP4','F4730B0FA4F701DC','VP5','7DD67A696734AE29','VP6','45660DEE49534ADB','WAA1','CF013DC80A9CBEE3','WAA2','6160E7A17091741A','WCRSYS','090263F40B744BD8','WEBDB','D4C4DCDD41B05A5D','WEBSYS','54BA0A1CB5994D64','WENDYCHO','7E628CDDF051633A','WH','91792EFFCB2464F9','WIP','D326D25AE0A0355C','WIRELESS','1495D279640E6C3A','WIRELESS','EB9615631433603E','WK_TEST','29802572EB547DBF','WKPROXY','AA3CB2A4D9188DDB','WKSYS','545E13456B7DDEA0','WMS','D7837F182995E381','WMSYS','7C9BA362F8314299','WPS','50D22B9D18547CF7','WSH','D4D76D217B02BD7A','WSM','750F2B109F49CC13','XDB','88D8364765FCE6AF','XDO','E9DDE8ACFA7FE8E4','XDP','F05E53C662835FA2','XLA','2A8ED59E27D86D41','XLE','CEEBE966CC6A3E39','XNB','03935918FA35C993','XNC','BD8EA41168F6C664','XNI','F55561567EF71890','XNM','92776EA17B8B5555','XNP','3D1FB783F96D1F5E','XNS','FABA49C38150455E','XTR','A43EE9629FA90CAE','YCAMPOS','C3BBC657F099A10F','YSANCHEZ','E0C033C4C8CC9D84','ZFA','742E092A27DDFB77','ZPB','CAF58375B6D06513','ZSA','AFD3BD3C7987CBB6','ZX','7B06550956254585','FLOWS_030000','B5C7B17C2C983E8F','FLOWS_FILES','5CDD1E40E516FE6A','PUBLIC','TSMSYS','3DF26A8B17D0F29F','ORACLE_OCM','6D17CF1EB1611F94','OWBSYS','610A3C38F301776F','SPATIAL_CSW_ADMIN','093913703800E437','SPATIAL_WFS_ADMIN','32FA36DC781579AA','SPATIAL_CSW_ADMIN_USR','1B290858DD14107E','SPATIAL_WFS_ADMIN_USR','7117215D6BEE6E82','GLOBL_USER','GLOBAL','MGMT_VIEW','17028530E6D346B4','APEX_PUBLIC_USER','C8E264D926F001D8','XS$NULL’,’DC4FCC8CB69A6733',name); If any accounts listed show an account status of OPEN, this is a Finding. If all of the accounts listed show an account status of LOCKED & EXPIRED or LOCKED this is a Finding, but downgrade the severity Category Code to II.

Fix:


UNCLASSIFIED

4-51 V8R1.3 Mar 2009

Change passwords from the default. Ensure passwords meet complexity standards outlined in STIG Requirement DG0079. From SQL*Plus: alter user [username] identified by [password]; Lock and expire any accounts not required for interactive access. From SQL*Plus: alter user [username] account lock; alter user [username] password expire; NOTE: Follow Oracle documentation for changing any default passwords. Some accounts require coordinated actions in order to maintain operational status.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0128: CAT I) The DBA will assign custom passwords to all default database accounts whether created by the installation of the database software or database components or by third-party applications.


UNCLASSIFIED

4-52 V8R1.3 Mar 2009

4.34 DO3487: Oracle password reuse restrictions

Description: The PASSWORD_REUSE_MAX value specifies the number of password changes before a password can be reused. PASSWORD_REUSE_TIME specifies the length of time before a password can be reused. Prior to version 9.2, only one of these limits could be set to a value and the other had to be set to UNLIMITED. Version 9.2 and later allows the setting of a value for both limits. Check:

From SQL*Plus (must do first SQL statement first!): -- Check for both reuse max and reuse time not set: select profile from DBA_PROFILES where (resource_name='PASSWORD_REUSE_MAX' and limit in ('UNLIMITED','NULL')) or profile in (select profile from DBA_PROFILES where resource_name='PASSWORD_REUSE_TIME') and limit in ('UNLIMITED','NULL'); -- Check for reuse max with value that is less than allowed minimum select profile from DBA_PROFILES where resource_name='PASSWORD_REUSE_MAX' and limit not in ('UNLIMITED','NULL') and limit < '10'; -- Check for reuse time that is less than allowed minimum select profile from DBA_PROFILES where resource_name='PASSWORD_REUSE_TIME' and limit not in ('UNLIMITED','NULL') and limit < '365'; If any records are returned, this is a Finding. NOTE: If the value DEFAULT is returned, then the profile limit is set to the corresponding value in the DEFAULT profile. If the DEFAULT profile is in violation for this limit, then so is the profile that references it.

Fix: Modify profiles to meet reuse number and reuse time requirements. From SQL*Plus: alter profile default limit password_reuse_time 365 password_reuse_max 10;


UNCLASSIFIED

4-53 V8R1.3 Mar 2009

alter profile [profile name] limit password_reuse_time default password_reuse_max default; Replace [profile name] with any existing, non-default profile names. NOTE: Password and account requirements have changed for DoD since the STIG requirement listed in the table for this check was published.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0126: CAT II) The DBA will configure database account passwords to be prevented from reuse for a minimum of five changes or one year where supported by the DBMS.


UNCLASSIFIED

4-54 V8R1.3 Mar 2009

4.35 DO3504: Oracle PASSWORD_VERIFY_FUNCTION profile parameter

Description: The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL function to be used for password verification when users assigned this profile log in to a database. This function can be used to validate password strength by requiring passwords to pass a strength test written in PL/SQL. The function must be locally available for execution on the database to which this profile applies. Oracle provides a default script (utlpwdmg.sql), as a template to develop your own function. The password verification function must be owned by SYS. The default setting for this profile parameter is NULL, meaning no password verification is performed. Check:

From SQL*Plus: select profile, limit from dba_profiles, (select limit as def_pwd_verify_func from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' and profile='DEFAULT') where resource_name='PASSWORD_VERIFY_FUNCTION' and replace(limit,'DEFAULT',def_pwd_verify_func) in ('UNLIMITED','NULL'); If any records are returned, this is a Finding.

Fix: Create or uses a password verify function that enforces password complexity. See a sample below that meets DoD requirements. Modify profiles to specify the password verify function created. From SQL*Plus:

Rem This script was modified from the Oracle utlpwdmg.sql default script. Rem -- This script sets the default password resource parameters. -- This script needs to be run to enable the password features. -- However, the default resource parameters can be changed based on the need. -- A default password complexity function is also provided. -- This function makes the minimum complexity checks like the minimum -- length of the password, password not same as the username, etc. The user may -- enhance this function according to the need. -- This function must be created in SYS schema: -- connect sys/<password> as sysdba before running the script CREATE OR REPLACE FUNCTION verify_password_dod (username varchar2, password varchar2,


UNCLASSIFIED

4-55 V8R1.3 Mar 2009

old_password varchar2) RETURN boolean IS n boolean; m integer; differ integer; isdigit boolean; numdigit integer; ispunct boolean; numpunct integer; islowchar boolean; numlowchar integer; isupchar boolean; numupchar integer; digitarray varchar2(10); punctarray varchar2(25); lowchararray varchar2(26); upchararray varchar2(26); pw_change_time date; BEGIN digitarray:='0123456789'; lowchararray:='abcdefghijklmnopqrstuvwxyz'; upchararray:='ABCDEFGHIJKLMNOPQRSTUVWXYZ'; punctarray:='!"#$%&()``*+,-/:;<=>?_'; -- Check if the password is same as the username if nls_lower(password)=nls_lower(username) then raise_application_error(-20001, 'Password same as or similar to user'); end if; -- Check for the minimum length of the password if length(password) < 15 then raise_application_error(-20002, 'Password length less than 15'); end if; -- Check if the password is too simple. A dictionary of words may be maintained -- and a check may be made so as not to allow the words that are too simple for -- the password. if nls_lower(password) in ('welcome','database','account','user','password','oracle','computer','abcdefgh', '12345') then raise_application_error(-20002, 'Password too simple'); end if; -- Check if the password contains at least two each of the following: -- uppercase characters, lowercase characters, digits and special characters.


UNCLASSIFIED

4-56 V8R1.3 Mar 2009

-- 1. Check for the digits isdigit:=FALSE; numdigit:=0; m:=length(password); for i in 1..10 loop for j in 1..m loop if substr(password,j,1)=substr(digitarray,i,1) then numdigit:=numdigit + 1; end if; if numdigit > 1 then isdigit:=TRUE; goto findlowchar; end if; end loop; end loop; if isdigit=FALSE then raise_application_error(-20003, 'Password should contain at least two digits'); end if; -- 2. Check for the lowercase characters <<findlowchar>> islowchar:=FALSE; numlowchar:=0; m:=length(password); for i in 1..length(lowchararray) loop for j in 1..m loop if substr(password,j,1)=substr(lowchararray,i,1) then numlowchar:=numlowchar + 1; end if; if numlowchar > 1 then islowchar:=TRUE; goto findupchar; end if; end loop; end loop; if islowchar=FALSE then raise_application_error(-20003, 'Password should contain at least two lowercase characters'); end if; -- 3. Check for the UPPERCASE characters <<findupchar>>


UNCLASSIFIED

4-57 V8R1.3 Mar 2009

isupchar:=FALSE; numupchar:=0; m:=length(password); for i in 1..length(upchararray) loop for j in 1..m loop if substr(password,j,1)=substr(upchararray,i,1) then numupchar:=numupchar + 1; end if; if numupchar > 1 then isupchar:=TRUE; goto findpunct; end if; end loop; end loop; if isupchar=FALSE then raise_application_error(-20003, 'Password should contain at least two lowercase characters'); end if; -- 4. Check for the punctuation <<findpunct>> ispunct:=FALSE; numpunct:=0; m:=length(password); for i in 1..length(punctarray) loop for j in 1..m loop if substr(password,j,1)=substr(punctarray,i,1) then numpunct:=numpunct + 1; end if; if numpunct > 1 then ispunct:=TRUE; goto endsearch; end if; end loop; end loop; if ispunct=FALSE then raise_application_error(-20003, 'Password should contain at least two punctuation characters'); end if; -- Check if the password differs from the previous password -- by more than 4 characters


UNCLASSIFIED

4-58 V8R1.3 Mar 2009

<<endsearch>> if old_password is not null then differ:=length(old_password) - length(password); if abs(differ) < 4 then if length(password) < length(old_password) then m:=length(password); else m:=length(old_password); end if; differ:=abs(differ); for i in 1..m loop if substr(password,i,1) != substr(old_password,i,1) then differ:=differ + 1; end if; end loop; if differ < 4 then raise_application_error(-20004, 'Password should differ by more than 4 characters'); end if; end if; end if; -- Check if the password has been changed within the last 24 hours select ctime into pw_change_time from user$ where name = username; if sysdate - pw_change_time < 1 then raise_application_error(-20001, 'Password was changed too recently',FALSE); end if; -- Everything is fine. return TRUE RETURN(TRUE); EXCEPTION WHEN OTHERS THEN raise_application_error(-20000,'verify_password_dod: Unexpected error: '||SQLERRM,TRUE); END; / alter profile default limit password_verify_function verify_password_dod;


UNCLASSIFIED

4-59 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0079: CAT II) The DBA will ensure database password complexity standards meet current minimum requirements for length (9 characters or more for database application user accounts and 15 characters or more for privileged database accounts) and composition (at least two uppercase characters, two lowercase characters, two special characters, two digits ) where supported by the DBMS.


UNCLASSIFIED

4-60 V8R1.3 Mar 2009

4.36 DO3537: Oracle FAILED_LOGIN_ATTEMPTS profile parameter

Description: The FAILED_LOGIN_ATTEMPTS value limits the number of failed login attempts allowed before an account is locked. Setting this value limits the ability of unauthorized users to guess passwords and alerts the DBA when password guessing has occurred (accounts display as locked). For non-interactive accounts, the number of failed logins should be set to one. Check:

From SQL*Plus: select profile||': '||limit from dba_profiles, (select limit as def_login_attempts from dba_profiles where profile='DEFAULT' and resource_name='FAILED_LOGIN_ATTEMPTS') where resource_name='FAILED_LOGIN_ATTEMPTS' and ((replace(limit,'DEFAULT',def_login_attempts) in ('UNLIMITED',NULL)) or (lpad(replace(limit,'DEFAULT',def_login_attempts),40,'0') > lpad('3',40,'0'))); If any records are returned, this is a Finding.

Fix: Modify profiles to meet the failed login attempt requirement limit. From SQL*Plus: alter profile default limit failed_login_attempts 3; alter profile [profile name] limit failed_login_attempts default; Replace [profile name] with any existing, non-default profile names.


UNCLASSIFIED

4-61 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0073: CAT II) The DBA will configure the DBMS to lock database accounts after three or an IAO-specified number of consecutive unsuccessful connection attempts within a 60-minute period. The counter may be reset to 0 if a third failed logon attempt does not occur before reset. Where this requirement is not compatible with the operation of a front-end application, the unsuccessful logon count and time will be specified and the operational need documented in the System Security Plan.


UNCLASSIFIED

4-62 V8R1.3 Mar 2009

4.37 DO0270: Oracle redo log file availability

Description: The Oracle redo log files store the detailed information on changes made to the database. This information is critical to database recovery in case of a database failure. Check:

From SQL*Plus: select count(*) from V$LOG where members >1; If the value of the count returned is less than 2, this is a Finding. However, if a minimum of one log group with 2 or more members is stored on a RAID 5 or RAID 1 disk array, this is not a Finding.

Fix: To define additional redo log file groups: From SQL*Plus: alter database add logfile group 3 ('diska:log3.log' , 'diskb:log3.log') size 50K; To add additional redo log file [members] to an existing redo log file group: From SQL*Plus: alter database add logfile member 'diskc:log3.log' to group 3; Replace diska, diskb, diskc with valid, different disk drive specifications. Replace log#.log file with valid or custom names for the log files.



IA Control: COBR Check Type: Auto


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0114: CAT II) The DBA will ensure files critical to database recovery are protected by employment of database and OS high-availability options such as storage on RAID devices.


UNCLASSIFIED

4-63 V8R1.3 Mar 2009

4.38 DO3610: Oracle minimum object auditing

Description: Database object definitions and configurations require similar oversight as application libraries to detect unauthorized changes. Unauthorized changes may indicate attempts to compromise data or application object integrity or confidentiality. Any access to audit data objects stored in the database must be audited to detect any attempts to compromise the audit trail. A compromise to audit data could jeopardize accountability for unauthorized actions. Check:

From SQL*Plus: select count(*) from all_def_audit_opts where ren='A/A'; If the count of 0 is returned, this is a Finding. Check for required auditing of the audit table as follows: From SQL*Plus: select upd, del, object_type from dba_obj_audit_opts where object_name='AUD$' and owner='SYSTEM'; If the record returned is of object type TABLE and upd(ate) and del(ete) are not = 'A/A', this is a Finding. If the record type VIEW is returned and upd and del are = ‘A/A’, this is NOT a Finding. Otherwise, if the record type VIEW is returned and upd and del are NOT = 'A/A', then the underlying table must be checked for update and delete auditing as follows: From SQL*Plus: set long 1000 set wrap on select text from dba_views where view_name='AUD$'; Review the text returned and locate the “from table_owner.table_name”. This should be located at the end of the text returned. Replace table_owner and table_name in the select statement below with the values returned above. From SQL*Plus: select upd, del from dba_obj_audit_opts where owner='table_owner' and object_name = 'table_name';


UNCLASSIFIED

4-64 V8R1.3 Mar 2009

If the value of upd(ate) and del(ete) returned above is NOT equal to 'A/A', this is a Finding.

Fix: The only application objects auditing required is for use of the RENAME privilege on database objects. Configure auditing on RENAME privilege use by default for newly created objects. From SQL*Plus: audit rename on default by access; If application objects have already been created, then the audit rename on object statement should be issued for all application objects. From SQL*Plus: audit rename on [application object name] by access; Enable auditing of access and activity on audit trail data stored in the database. From SQL*Plus: audit update, delete on SYSTEM.AUD$ by access; NOTE: The audit table is by default in the SYSTEM schema, but may have been moved to another schema.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0142: CAT II) The DBA will ensure privileged DBMS actions and changes to security labels or sensitivity markings of data in the DBMS are audited.


UNCLASSIFIED

4-65 V8R1.3 Mar 2009

4.39 DO3692: Oracle audited events

Description: Configuring proper auditing is critical to recording any malicious events or detecting when attacks on the database occur. Auditing can be turned on for any SQL statement or any use of a system privilege. Auditing can be enabled for all users (system wide) or for specific users. You may indicate whether one audit record for each access to an object or one audit record for the entire session is generated. You can enable auditing for commands that result in success, commands that result in failure, or both. Not all audit options can be audited by session. Audit options set using the BY SESSION clause for those actions that will not produce a session audit record will default to BY ACCESS. Check:

From SQL*Plus: select name from stmt_audit_option_map where name not in (select audit_option from dba_stmt_audit_opts) and name not in ('ANALYZE ANY DICTIONARY','DELETE TABLE', 'EXECUTE PROCEDURE','INSERT TABLE','LOCK TABLE','NETWORK', 'SELECT MINING MODEL','SELECT SEQUENCE', 'SELECT TABLE','UPDATE TABLE','USE EDITION'); If any audit options are returned, this is a Finding.

Fix: There are three (3) types of auditable events: 1) Use of system privileges, 2) Use of object privileges, and 3) Issuance of statements. Activating some auditing options sometimes activates others. For example, the use of a system privilege requires the issuance of a system command. Auditing for use of the privilege also audits for the statement. Configure auditing for Oracle as follows: From SQL*Plus: audit all by access; audit all privileges by access; audit alter java class by access; audit alter java resource by access; audit alter java source by access; audit alter mining model by access; -- 11.1 only audit alter sequence by access; audit alter table by access; audit comment mining model by access; -- 11.1 only audit comment table by access; audit create java class by access; audit create java resource by access; audit create java source by access;


UNCLASSIFIED

4-66 V8R1.3 Mar 2009

audit debug procedure by access; audit drop java class by access; audit drop java resource by access; audit drop java source by access; audit exempt access policy by access; audit exempt identity policy by access; audit grant directory by access; audit grant edition by access; --11.1 only audit grant mining model by access; -- 11.1 only audit grant procedure by access; audit grant sequence by access; audit grant table by access; audit grant type by access; audit sysdba by access; audit sysoper by access; The following SQL statements will disable audits set by the commands above that are not required: noaudit execute assembly; -- ignore errors noaudit execute library; -- ignore errors audit rename on default by access; If application objects have already been created, then the audit rename on object statement should be issued for all application objects. From SQL*Plus: audit rename on [application object name] by access;





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0141: CAT II) The DBA will ensure all database logons, account locking events, blocking or disabling of a database account or logon source location, or any attempt to circumvent access controls is audited.


UNCLASSIFIED

5-67 V8R1.3 Mar 2009

5. Oracle Database Interview Check Procedures

5.1 DG0030: DBMS audit data maintenance

Description: Without preservation, a complete discovery of an attack or suspicious activity may not be determined. DBMS audit data also contributes to the complete investigation of unauthorized activity and needs to be included in audit retention plans and procedures. Check:

Review and verify the implementation of an audit trail retention policy. Verify that audit data is maintained for a minimum of one year. If audit data is not maintained for a minimum of one year, this is a Finding.

Fix: Develop and implement an audit retention policy and procedure. It is recommended that the most recent thirty days of audit logs remain available online. After thirty days, the audit logs may be maintained offline. Online maintenance provides for a more timely capability and inclination to investigate suspicious activity.



IA Control: ECRR Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0030: CAT II) The DBA will ensure the DBMS audit trail data is maintained for a minimum of one year.


UNCLASSIFIED

5-68 V8R1.3 Mar 2009

5.2 DG0076: Sensitive data import to development DBMS

Description: Data export from production databases may include sensitive data. Application developers do not have need-to-know to sensitive data. Any access to production data would be considered unauthorized access and may subject sensitive data to unlawful or unauthorized disclosure. See DoDD 8500.1 for a definition of Sensitive

Information. Check:

If the database being reviewed is not a production database, this check is NA. Review policy, procedures and restrictions for data imports of production data containing sensitive information into development databases. If data imports of production data are allowed, review procedures for protecting any sensitive data included in production exports. If sensitive data is included in the exports and no procedures are in place to remove or modify the data to render it not sensitive prior to import into a development database or policy and procedures are not in place to ensure authorization of development personnel to access sensitive information contained in production data, this is a Finding.

Fix: Document policy, procedures and restrictions for production data import. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of import policies, procedures and restrictions. Restrict permissions of development personnel requiring use or access to production data imported into development databases containing sensitive information to authorized users. Implement policy and procedures to modify or remove sensitive information in production exports prior to import into development databases.

VKEY: V0003819 Severity: CAT 2 Gold: True MAC/CONF: 1-CS;2-CS;3-CS

IA Control: ECAN Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0076: CAT II) The DBA will ensure sensitive application data exported from the database for import to remote databases or applications is not provided to personnel or applications not authorized or approved by the Information Owner.


UNCLASSIFIED

5-69 V8R1.3 Mar 2009

5.3 DG0080: Application user privilege assignment review

Description: Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review of privilege assignments assures that organizational and/or functional changes are reflected appropriately. Check:

Review policy, procedures and implementation evidence to determine if periodic reviews of user privileges by the IAO are being performed. Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned. If policy and procedures are incomplete or no evidence of implementation exists, this is a Finding.

Fix: Implement policy and procedures for periodic review of database user accounts and privilege assignments. Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures.



IA Control: ECLP Check Type: Interview


Responsibility: DBA

Documentable: False




UNCLASSIFIED

5-70 V8R1.3 Mar 2009

5.4 DG0165: DBMS symmetric key management

Description: Symmetric keys used for encryption protect data from unauthorized access. However, if not protected in accordance with acceptable standards, the keys themselves may be compromised and used for unauthorized data access. Check:

If the DBMS does not have Oracle Advanced Security installed or data encryption is not required within the database, this check is NA. If the symmetric key management procedures and configuration settings for the DBMS are not specified in the System Security Plan, this is a Finding. If the procedures are not followed with evidence for audit, this is a Finding. NOTE: This check does not include a review of the key management procedures for validity. Specific key management requirements may be covered under separate checks.

Fix: Symmetric and other encryption keys require the following: - protection from unauthorized access in transit and in storage - utilization of accepted algorithms - generation in accordance with required standards for the key's use - expiration date - continuity - key backup and recovery - key change - archival key storage (as necessary) Details for key management requirements are provided by FIPS key management standards available from NIST. Oracle Advanced Security can be installed to provide symmetric key management features if required.



IA Control: IAKM Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0165: CAT II) The DBA will ensure symmetric keys used for encryption of database user account passwords or other sensitive data used by or for the DBMS are protected and managed in accordance with NSA or NIST-approved key management technology and processes.


UNCLASSIFIED

5-71 V8R1.3 Mar 2009

5.5 DG0138: DBMS access to sensitive data

Description: Unauthorized access to sensitive data may compromise the confidentiality of personnel privacy, threaten national security or compromise a variety of other sensitive operations. Access controls are best managed by defining requirements based on distinct job functions and assigning access based on the job function assigned to the individual user. Check:

If the database does not store or process sensitive data, this check is NA. Review data access requirements for sensitive data as identified and assigned by the Information Owner in the System Security Plan. Review the access controls for sensitive data configured in the database. If the configured access controls do not match those defined in the System Security Plan, this is a Finding.

Fix: Define, document and implement all sensitive data access controls based on job function in the System Security Plan.


MAC/CONF: 1-CS;2-CS;3-CS



Responsibility: DBA

Documentable: False


STIG Requirement: (DG0138: CAT II) The DBA will ensure all access to sensitive application data stored or defined within database objects is granted only to database application user roles and not directly to database application user accounts.


UNCLASSIFIED

5-72 V8R1.3 Mar 2009

5.6 DG0074: DBMS inactive accounts

Description: Unused or expired DBMS accounts provide a means for undetected, unauthorized access to the database. Check:

Review procedures and implementation for monitoring the DBMS for account expiration and account inactivity. Verify implemented procedures are in place to address expired/locked accounts not required for system/application operation are authorized to remain and are documented. Verify implemented procedures are in place to address accounts that are unlocked and have been inactive in excess of 30 days are authorized to remain unlocked. Verify implemented procedures are in place to address unauthorized, inactive accounts after 30 days are expired and locked. Verify implemented procedures are in place to address expired/locked accounts that are not authorized to remain are dropped/removed/deleted. A finding for this check would be based on insufficient documentation and implemented procedures for monitoring DBMS accounts.

Fix: Develop and implement procedures to monitor database accounts for inactivity and account expiration. Investigate and re-authorize or delete [if appropriate] any accounts that are expired or have been inactive for more than 30 days. Where appropriate, protect authorized expired or inactive accounts by disabling them or applying some other similar protection. NOTE: Password and account requirements have changed for DoD since the STIG requirement listed in the table for this check was published.



IA Control: IAAC Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0074: CAT II) The DBA will monitor database account expiration and inactivity and remove expired accounts and accounts that are inactive for 35 days or longer or the site maximum limit.


UNCLASSIFIED

5-73 V8R1.3 Mar 2009

5.7 DO0140: Oracle default account access

Description: The Oracle SYS account has all database privileges assigned to it (SYSDBA). This account is used to manage the database availability status (startup and shutdown). The SYS account is used by any DBMS account that connects to the database with SYSDBA privileges. Direct use of the SYS account does not provide a level of individual accountability for actions taken during its use and does not provide individual accountability. To preserve accountability, direct access to the SYS account should be logged manually and its use monitored closely. Check:

Review the policy and procedures for use of the Oracle default accounts including direct use of the Oracle SYS and SYSTEM accounts. If a policy does not exist for their use, this is a Finding. If procedures, automated or manual, for logging default account use are not defined or implemented, this is a Finding. If monitoring use of default accounts does not exist or is not implemented, this is a Finding.

Fix: Design and implement policy and procedures for use, logging and monitoring of Oracle default accounts. Document the policy and procedures in the System Security Plan and ensure that all those granted access to the accounts is aware of them.



IA Control: IAGA Check Type: Interview


Responsibility: IAO

Documentable: False




UNCLASSIFIED

5-74 V8R1.3 Mar 2009

5.8 DG0031: DBMS audit of changes to data

Description: Unauthorized or malicious changes to data compromise the integrity and usefulness of the data. Auditing changes to data supports accountability and non-repudiation. Auditing changes to data may be provided by the application accessing the DBMS or may depend upon the DBMS auditing functions. When DBMS auditing is used, the DBA is responsible for ensuring the auditing configuration meets the application design requirements. Check:

Review the System Security Plan for requirements for configuration of auditing changes to database data. If the application supports its own auditing requirements and does not require auditing using DBMS features, this check is NA. If the application requires DBMS auditing for changes to data, review the database audit configuration against the application requirement. If the auditing does not comply with the requirement, this is a Finding.

Fix: Configure database data auditing to comply with the requirements of the application.


MAC/CONF: 1-CSP;2-CSP;3-C

IA Control: ECCD Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0031: CAT II) The DBA will configure auditing of access or changes to data in accordance with the application requirements specified in the System Security Plan.


UNCLASSIFIED

5-75 V8R1.3 Mar 2009

5.9 DG0135: DBMS connection alert

Description: Unauthorized access to DBMS accounts may go undetected if account access is not monitored. Authorized users may serve as a reliable party to report unauthorized use of their account. Check:

If the database does not store or process classified data, or user accounts are prohibited from accessing the database interactively, this check is NA. NOTE: Per the STIG, The definition of an Interactive Database User can be considered an end-user who accesses the database interactively using tools like SQL*Plus, TOAD, etc. and not through a mid-tier application. Your DAA has the option to consider administration accounts (SYSDBA, SYSOPER, SCHEMA accounts and accounts assigned DBA privileges) as Interactive Database User accounts for the purposes of this check. The definition of an Interactive Database User should be documented in the System Security Plan. Have the DBA perform an interactive logon test (via SQL*Plus) using a non-privileged account (and a privileged account if privileged accounts meet this requirement) to verify display of user access and account usage. If the last successful and number of unsuccessful attempts since the last successful attempt are not reported, this is a Finding.

Fix: Implement an automated method to display at interactive logon the time and date of the last successful login and the number of failed login attempts since the last successful login for users that access the database interactively. This may require a custom-developed logon trigger or procedure to accomplish. NOTE: This may cause interaction/functionality problems with COTS applications not designed for this kind of interaction.


MAC/CONF: 1-C;2-C;3-C

IA Control: ECLO Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0135: CAT II) For classified systems, the DBA will configure the DBMS to report to the interactive database user upon successful connection to the database the time and date of the last successful connection and the number of unsuccessful attempts since the last successful connection. Where not available in a DBMS configuration setting, a custom logon trigger or similar function is required.


UNCLASSIFIED

6-76 V8R1.3 Mar 2009

6. Oracle Database Manual Check Procedures

6.1 DG0060: DBMS shared account authorization

Description: Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. Check:

From SQL*Plus: select username from dba_users order by username; Review the list of database account names to determine usage of all non-standard account names or account names that do not appear to be assigned to individuals. For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not have the appearance of assignment to an individual interactive user. An account name like JDOE appears to be assigned to an individual. Review the list of account names against those listed in the System Security Plan or authorized user list. Consult the IAO or DBA to make a final determination on whether accounts are shared accounts or not. If shared accounts are not documented as such and are not approved, this is a Finding.

Fix: Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.



IA Control: IAGA Check Type: Manual


Responsibility: DBA

Documentable: False




UNCLASSIFIED

6-77 V8R1.3 Mar 2009

6.2 DG0070: DBMS user account authorization

Description: Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts. Check:

Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From SQL*Plus: select username from dba_users order by username; If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding.

Fix: Develop and implement procedures for authorizing creation, changes and deletions of user accounts. Monitor user accounts to verify that they remain authorized.



IA Control: IAAC Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0070: CAT II) The DBA will ensure unauthorized database accounts are removed or disabled.


UNCLASSIFIED

6-78 V8R1.3 Mar 2009

6.3 DG0089: Developer DBMS privileges on production databases

Description: Developers play a unique role and represent a specific type of threat to the security of the DBMS. Where restricted resources prevent the required separation of production and development DBMS installations, developers granted elevated privileges to create and manage new database objects must also be prevented from actions that can threaten the production operation. Check:

If this database is not a production database, this check is NA. Review the privileges assigned to developer accounts. Identify login name of developer DBMS accounts from the System Security Plan and/or DBA. For each developer account, display the roles assigned to the account. From SQL*Plus: select granted_role from dba_role_privs where grantee=[developer account name]; If privileges assigned to developer accounts are not restricted to development objects and configurations, or authorizations to allow developer account access to production objects and configurations does not exist in the System Security Plan, this is a Finding.

Fix: Revoke permissions and privileges that allow changes to the production system or production objects from developer accounts or authorize permissions and privileges for developer accounts in the System Security Plan.



IA Control: ECPC Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0089: CAT III) The DBA will ensure application developer database accounts are assigned limited privileges in order to protect production application objects.


UNCLASSIFIED

6-79 V8R1.3 Mar 2009

6.4 DG0100: Replication account privileges

Description: Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and credentials. If the replication account is compromised and it has DBA privileges, then the database is at additional risk to unauthorized or malicious action. Check:

If the database is not configured for replication, this check is NA. If any replication accounts are assigned DBA roles or roles with DBA privileges, this is a Finding.

Fix: Restrict privileges assigned to replication accounts to the fewest possible privileges. Remove DBA roles from replication accounts. Create and use custom replication accounts assigned least privileges for supporting replication operations.



IA Control: DCFA Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0100: CAT II) The DBA will ensure database accounts used for replication or distributed transactions are not granted DBA privileges.


UNCLASSIFIED

7-80 V8R1.3 Mar 2009

7. Oracle Database Verify Check Procedures

7.1 DG0166: Protection of DBMS asymmetric encryption keys

Description: Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to unauthorized access. Check:

If the DBMS does not have Oracle Advanced Security installed or data encryption is not required within the database, this check is NA. For each asymmetric key identified as being used to encrypt sensitive data, verify the key owner is an application object owner or other non-DBA account. If the key owner listed is a DBA, this is a Finding. If any key owner is not the application object owner account or an account specific to the application as documented in the System Security Plan, this is a Finding. If any asymmetric keys whose private key is not encrypted exist in the database, this is a Finding. Review the access permissions to asymmetric keys. Verify that any permission granted is authorized in the System Security Plan for access to the key. Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a DBA or other system privileged account results in the generation of an audit record. This is required because system privileges that allow access to encryption keys may be used to access sensitive data where the privileged user does not have a job function need-to-know the data. If an audit record is not generated for unauthorized access to the asymmetric key, this is a Finding.

Fix: Use DoD code-signing certificates to create asymmetric keys stored in the database that are used to encrypt sensitive data stored in the database. Assign the application object owner account as the owner of asymmetric keys used by the application. Create audit events for access to the key by other than the application owner account or approved application objects.


UNCLASSIFIED

7-81 V8R1.3 Mar 2009

Revoke any privileges assigned to the asymmetric key to other than the application object owner account and authorized users. Protect the private key by encrypting it with the database system master key where available. Where available, store encryption keys and certificates on hardware security modules (HSM).



IA Control: IAKM Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0166: CAT II) The DBA will ensure asymmetric keys used for encryption of sensitive data used by or for the DBMS use DoD PKI certificates and will ensure the private keys are protected and stored in accordance with NIST (unclassified data protection) or NSA (classified data protection)-approved key management technology and processes.


UNCLASSIFIED

7-82 V8R1.3 Mar 2009

7.2 DO0233: Oracle DIAGNOSTIC_DEST parameter

Description: The DIAGNOSTIC_DEST is used to indicate the directory where trace, alert, core and incident directories and files are located. The files may contain sensitive data or information that could prove useful to potential attackers. Check:

If the Oracle version is not 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='diagnostic_dest'; On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory path listed from the above SQL command. If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.

Fix: Alter host system permissions to the DIAGNOSTIC_DEST directory to the Oracle process and software owner accounts, DBAs, SAs (if required) and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list.


UNCLASSIFIED

7-83 V8R1.3 Mar 2009



IA Control: DCPA Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data directories including transaction log and audit files in dedicated directories or disk partitions separate from software or other application files.


UNCLASSIFIED

7-84 V8R1.3 Mar 2009

7.3 DO0234: Oracle AUDIT_FILE_DEST parameter

Description: The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the DBMS). Unauthorized access or loss of integrity of the audit trail could result in loss of accountability or the ability to detect suspicious activity. This directory also contains the audit trail of the SYS and SYSTEM accounts that captures privileged database events when the database is not running (when AUDIT_SYS_OPERATIONS parameter is set to TRUE). Check:

From SQL*Plus: select value from v$parameter where name = 'audit_trail'; select value from v$parameter where name = 'audit_file_dest'; If audit_trail is NOT set to (per MetaLink Note 30690.1):

Oracle 8.1 = 'true', 'os' (true = os for backward compatibility) Oracle 9.2 = 'true', 'os' Oracle 10.1 = 'true', 'os' Oracle 10.2 = 'true', 'os', 'xml', 'xml, extended' Oracle 11.1 = 'true', 'os', 'xml', 'xml, extended'

This check is NA. On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory path listed from the above SQL command for audit_file_dest. If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. On Windows hosts, records are also written to the Windows application event log. The location of the application event log is listed under Properties for the log under the Windows console. The default location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt. If permissions are granted to everyone, this is a Finding. If any accounts other than the Administrators, DBAs, System group, auditors or backup operators are listed, this is a Finding.


UNCLASSIFIED

7-85 V8R1.3 Mar 2009

Fix:

Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle process and software owner accounts, DBAs, backup accounts, SAs (if required) and auditors. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list in the System Security Plan.



IA Control: ECTP Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0032: CAT II) The DBA will ensure DBMS audit records are protected from unauthorized access.


UNCLASSIFIED

7-86 V8R1.3 Mar 2009

7.4 DO0235: Oracle USER_DUMP_DEST parameter

Description: The USER_DUMP_DEST parameter is used to indicate the directory where files used for debugging applications will be stored. These files may contain sensitive data or information that could prove useful to potential attackers. Check:

If the Oracle version is 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='user_dump_dest'; On UNIX systems: ls -ld [pathname] Substitute [pathname] with the directory path listed from the above SQL command. If permissions are granted for world access, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.

Fix: Alter host system permissions to the USER_DUMP_DEST directory to the Oracle process and software owner accounts, DBAs, SAs if required, and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list in the System Security Plan.


UNCLASSIFIED

7-87 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-88 V8R1.3 Mar 2009

7.5 DO0236: Oracle BACKGROUND_DUMP_DEST parameter

Description: The BACKGROUND_DUMP_DEST is used to indicate the directory where files used for storing alert files as well as debugging information from the Oracle background processes. These files may contain sensitive data or information that could prove useful to potential attackers. Check:

If the Oracle version is 11.1 or later, this check is NA. From SQL*Plus: Select value from v$parameter where name='background_dump_dest'; On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory path listed from the above SQL command. If permissions are granted for world access, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.

Fix: Alter host system permissions to the BACKGROUND_DUMP_DEST directory to the Oracle process and software owner accounts DBAs, SAs if required, and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list.


UNCLASSIFIED

7-89 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-90 V8R1.3 Mar 2009

7.6 DO0237: Oracle CORE_DUMP_DEST parameter

Description: The CORE_DUMP_DEST parameter indicates the directory for storing database core dump data. A ‘core dump’ occurs during an Oracle abend or database crash. These files may contain sensitive data or information that could prove useful to potential attackers. Check:

If the Oracle version is 11.1 or later, this check is NA. From SQL*Plus: select value from v$parameter where name='core_dump_dest'; If no value is listed, then Oracle defaults to the $ORACLE_HOME/dbs directory (UNIX) or %ORACLE_HOME%\database directory (Windows) for storing core dumps. On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory path listed from the above SQL command. If permissions are granted for world access, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.

Fix: Alter host system permissions to the CORE_DUMP_DEST directory to the Oracle process and software owner accounts, DBAs, SAs (if required) and developers or other users that may specifically require access for debugging or other purposes. Authorize and document user access requirements to the directory outside of the Oracle, DBA and SA account list in the System Security Plan.


UNCLASSIFIED

7-91 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-92 V8R1.3 Mar 2009

7.7 DO0238: Oracle LOG_ARCHIVE_DEST parameter

Description: The LOG_ARCHIVE_DEST parameter is used to specify the directory to which Oracle archive logs are written. Where the DBMS availability and recovery to a specific point in time is critical, the protection of archive log files is critical. Archive log files may also contain unencrypted sensitive data. If written to an inadequately protected or invalidated directory, the archive log files may be accessed by unauthorized persons or processes. Check:

From SQL*Plus: select log_mode from v$database; select value from v$parameter where name = 'log_archive_dest'; select value from v$parameter where name = 'log_archive_duplex_dest'; If the value returned in the first SQL statement is NOARCHIVELOG, this check is NA. On UNIX Systems: ls -ld [pathname] Substitute [pathname] with the directory paths listed from the above SQL statements for log_archive_dest and log_archive_duplex_dest. If permissions are granted for world access, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any account other than the Oracle process and software owner accounts, Administrators, DBAs, System group or developers authorized to write and debug applications on this database are listed, this is a Finding.

Fix: Specify a valid and protected directory for archive log files. Restrict access to the Oracle process and software owner accounts, DBAs, and backup operator accounts.


UNCLASSIFIED

7-93 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-94 V8R1.3 Mar 2009

7.8 DG0112: DBMS data file protection

Description: In Oracle, DBMS data files have different access control requirements than application data and log files. Granting file access to DBMS data files for purposes other than system operations could lead to a compromise of the DBMS integrity or disclosure of sensitive data. Check:

From SQL*Plus: select file_name from dba_data_files where tablespace_name='SYSTEM'; NOTE: Data files for a given database instance may include data files (*.dbf), REDO log files (redo*.log) and CONTROL files (*.ctl). Review the files in the directory shown above. Allowable files are instance database files (*.dbf), REDO log files (redo*.log) and CONTROL files (*.ctl). If any files other than these exist in the directory, this is a Finding. A good best practice (not consistently endorsed by the Oracle community) is on database creation, using separate subdirectories for data, redo and control files [under the instance name directory] instead of using a single directory to contain all Oracle data, redo and control instance files.

Fix: Create a dedicated directory or dedicated subdirectories to store database instance files. Reconfigure the Oracle instance to point to the files in the new locations. Where feasible, locate database instance files on a dedicated disk partition and/or RAID device to provide additional protection.


MAC/CONF: 1-CSP;2-CSP



Responsibility: DBA

Documentable: False


STIG Requirement: (DG0112: CAT II) The DBA will ensure DBMS data files that store DBMS system tables and other system objects dedicated to support the entire DBMS are not shared with data files used for storage of third-party application database objects.


UNCLASSIFIED

7-95 V8R1.3 Mar 2009

7.9 DO0275: Oracle critical file access

Description: The Oracle parameter file contains configuration settings that are applied to the database at database and instance startup. Unauthorized changes to these parameters could lead to a compromise of the database security posture. Oracle data and redo log files contain the data and transaction information that support the database use. Unauthorized access to these files bypasses access controls defined and enforced by the DBMS itself and can lead to a loss of confidentiality and integrity. Check:

Review file permissions defined for critical files. Review the file permissions on the Binary initialization parameter file (the default name is spfile[SID].ora). Binary initialization parameter files are by default located in the $ORACLE_HOME/dbs directory (UNIX) or %ORACLE_HOME%\database directory (Windows). From SQL*Plus: select value from v$parameter where name='spfile'; select member from v$logfile; select name from v$datafile; select name from v$controlfile; Check directory and file permissions for the files returned by the SQL commands above, for the files located in the $ORACLE_HOME/network/admin directory (UNIX) or %ORACLE_HOME%\network\admin directory (Windows) and the directory specified by the TNS_ADMIN environment variable, if defined. On UNIX systems: ls –ld [pathname] If permissions are granted for world access, this is a Finding. If any groups that include members other than the Oracle process and software owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding. On Windows Systems (From Windows Explorer): Browse to the directory specified. Select and right-click on the directory, select Properties, select the Security tab. If permissions are granted to everyone, this is a Finding. If any accounts other than the Oracle process and software owner accounts, Administrators, DBAs, System groups, auditors, or backup accounts are listed, this is a Finding.

Fix:


UNCLASSIFIED

7-96 V8R1.3 Mar 2009

Set UNIX permissions on critical files to 640 or more restrictive. Check group membership of the group assigned access permissions to the database software to verify all members are authorized to have the assigned access. Set Windows permissions to Full Control assigned to the Administrators, the Oracle service account and DBAs.



IA Control: ECAN Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0122: CAT II) The DBA will ensure all access to sensitive administrative DBMS data stored inside the database and in external host files is granted only to DBA and other authorized administrative database and OS accounts.


UNCLASSIFIED

7-97 V8R1.3 Mar 2009

7.10 DG0015: Data Definition Language use

Description: Application users by definition and job function require only the permissions to manipulate data within database objects and execute procedures within the database. The statements used to define objects in the database are referred to as Data Definition Language (DDL) statements and include the CREATE, DROP, and ALTER object statements. (DDL statements do not include CREATE USER, DROP USER or ALTER USER actions.) This requirement is included here as a production system would not support by definition changes to the data definitions. Where object creation is an indirect result of DBMS operation or dynamic object structures are required by the application function as is found in some object-oriented DBMS applications, this restriction does not apply. Re-use of static data structures to recreate temporary data objects are not exempted. Check:

From SQL*Plus (SPOOL output to file before executing): select owner,object_name,created from dba_objects where owner <>'SYS' order by created,owner,object_name; View the list of objects retuned. If any object-creation dates do not coincide with the software maintenance and upgrade logs or are not objects documented as supporting dynamic object creation functions, then investigate the circumstances under which the object was created. If the object is created using static definitions to store temporary data or indicates that the application uses unauthorized DDL statements, this is a Finding.

Fix: Coordinate with the application designer to modify the application to use static objects with temporary data rather than using temporary objects. Document known object creation that supports dynamic object



IA Control: ECSD Check Type: Verify


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0015: CAT III) The IAO will ensure database applications do not use DDL statements except where dynamic object structures are required.


UNCLASSIFIED

7-98 V8R1.3 Mar 2009

7.11 DO0157: Oracle storage use privileges

Description: Tablespace storage quotas allow limits on storage use to be assigned to Oracle database users. Although this does not grant the user the privilege to create objects within the database, it provides an additional method to restrict unauthorized object creation and ownership. Check:

From SQL*Plus: select username,tablespace_name from dba_ts_quotas where username not in (select distinct owner from dba_objects) and username not in (select grantee from dba_role_privs where granted_role='DBA'); Review the list of user names returned. If any belong to application users or application administrators, this is a Finding.

Fix: Assign tablespace quotas only to database accounts authorized to create and or own objects in the database. Document authorized tablespace quotas for all accounts authorized to own objects in the System Security Plan. Remove any quotas assigned to application users, application administrators, or any other unauthorized accounts. From SQL*Plus: alter user [username] quota 0 on [tablespace name]; Replace [username] with the named user and [tablespace name] with the identified tablespace name.



IA Control: ECLP Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0119: CAT II) The DBA will ensure database application user roles are restricted to select, insert, update, delete and execute privileges.


UNCLASSIFIED

7-99 V8R1.3 Mar 2009

7.12 DO0350: Oracle system privilege assignment

Description: System privileges allow system-wide changes to the database or database objects. Unauthorized use of system privileges may jeopardize production applications, application data, or the database configuration and operation. Check:

From SQL*Plus: select grantee||': '||PRIVILEGE from dba_sys_privs where privilege<>'CREATE SESSION' and grantee not in ('PUBLIC','AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE','CTXSYS', 'DBA','DELETE_CATALOG_ROLE','EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE','IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR','MDSYS','ODM','OEM_MONITOR', 'OLAPSYS','ORDSYS','OUTLN','MTSSYS', 'RECOVERY_CATALOG_OWNER','SELECT_CATALOG_ROLE', 'SNMPAGENT','SYSTEM','WKSYS','WKUSER','WMSYS', 'WM_ADMIN_ROLE','XDB','ANONYMOUS','CONNECT','DBSNMP', 'JAVADEBUGPRIV','ODM_MTR','OLAP_DBA','ORDPLUGINS', 'RESOURCE','RMAN','SYS','WKPROXY','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','OSE$HTTP$ADMIN', 'TIMESERIES_DBA','TIMESERIES_DEVELOPER','OLAP_USER') and grantee not in (select grantee from dba_role_privs where granted_role='DBA') and grantee not in (select username from dba_users where upper(account_status) like '%LOCKED%'); If any records are returned, perform the following instructions for this check to determine the finding status. Review the list of active non-DBA accounts and roles granted system privileges. Any accounts listed as authorized for checks DO0340 (Oracle application administration roles enablement), DO0150 (Oracle object ownership) are not a Finding. On a production database, confirm that any accounts listed with create user, alter user, drop user belong to authorized application administration roles. On a development system, ensure that system privileges assigned to developers are justified and authorized by the IAO. If any unauthorized, unjustified or undocumented application user roles or accounts are listed, this is a Finding.


UNCLASSIFIED

7-100 V8R1.3 Mar 2009

Fix: Document and justify system privileges assigned to users/roles in the System Security Plan and authorize with the IAO. Remove unauthorized or unjustified system privileges from user accounts or roles. From SQL*Plus: revoke [privilege] from [user or role name]; Replace [privilege] with the named privilege and [user or role name] with the identified user or role.





Responsibility: IAO

Documentable: False




UNCLASSIFIED

7-101 V8R1.3 Mar 2009

7.13 DO3622: Oracle roles granted WITH ADMIN OPTION

Description: The WITH ADMIN OPTION allows the grantee to grant a role to another database account. Best security practice restricts the privilege of assigning privileges to authorized personnel. Authorized personnel include DBA's, object owners, and, where designed and included in the application's functions, application administrators. Restricting privilege-granting functions to authorized accounts can help decrease mismanagement of privileges and wrongful assignments to unauthorized accounts. Check:

From SQL*Plus: select grantee||': '||granted_role from dba_role_privs where grantee not in ('DBA','SYS','SYSTEM','WKSYS','LBACSYS','WMSYS', 'OWBSYS','CTXSYS','SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR','FLOWS_030000') and admin_option='YES' and grantee not in (select distinct owner from dba_objects) and grantee not in (select grantee from dba_role_privs where granted_role='DBA') order by grantee; Review the System Security Plan to confirm any grantees listed are IAO-authorized DBA accounts or application administration roles. If any grantees listed are not authorized and documented, this is a Finding.

Fix: Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required. Restrict use of the WITH ADMIN OPTION to authorized administrators. Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan. From SQL*Plus: revoke [role name] from [grantee]; grant [role name] to [grantee];





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-102 V8R1.3 Mar 2009

7.14 DG0077: Production data protection on a shared system

Description: Developers granted elevated database, operating system privileges on systems that support both development, and production databases can affect the operation and/or security of the production database system. Operating system and database privileges assigned to developers on shared development and production systems should be restricted. Check:

Review the list of instances and databases installed on the host system with the DBA. Ask which databases are production databases and which are for development. For UNIX systems, use the ps -ef|grep pmon command to see the list of databases; For Windows systems, review the list of services beginning with the name OracleService to see the list of databases. Ask which databases are production databases and which are for development. If only development or only production databases exist on this host, this check is NA. Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system to ensure developer accounts do not have access to production DBMS systems. If none is in place, this is a Finding. Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources. If they have been, this is a Finding. From SQL*Plus: select grantee||': '||privilege from dba_sys_privs where (privilege like 'CREATE%' or privilege like 'ALTER%' or privilege like 'DROP%') and privilege<>'CREATE SESSION' and grantee not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP', 'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW', 'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS', 'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN', 'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM', 'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER', 'WMSYS','XDB') order by grantee; If any accounts are listed that are not on the list of IAO approved production DBAs, this is a Finding.


UNCLASSIFIED

7-103 V8R1.3 Mar 2009

Fix:

Establish and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0077: CAT II) The DBA will ensure developers are not granted system privileges within a production database.


UNCLASSIFIED

7-104 V8R1.3 Mar 2009

7.15 DO0150: Oracle object ownership

Description: Database object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants and alterations. Check:

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select distinct owner from dba_objects where owner not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED', 'CTXSYS','DBSNMP','DIP','DVF','DVSYS', 'EXFSYS','LBACSYS','MDDATA', 'MDSYS','MGMT_VIEW','ODM','ODM_MTR', 'OLAPSYS','ORDPLUGINS', 'ORDSYS', 'OSE$HTTP$ADMIN','OUTLN','PERFSTAT', 'PUBLIC','REPADMIN','RMAN','SI_INFORMTN_SCHEMA', 'SYS','SYSMAN','SYSTEM','TRACESVR', 'TSMSYSWK_TEST','WKPROXY','WKSYS', 'WKUSER','WMSYS','XDB') and owner not in (select grantee from dba_role_privs where granted_role='DBA'); If any records are returned, then confirm that any database object owner accounts listed are application owner accounts authorized by the IAO. If any are not, this is a Finding. NOTE: Confirmed default Oracle accounts returned by the SQL statement above should be considered a false positive. See Oracle MetaLink Note 160861.1 for a current list of default accounts. NOTE: Some applications may be designed to require users to create temporary tables during application execution. This design is not considered good security practice and results in a Finding for unauthorized application object owners as application user accounts are not allowed to have system privileges assigned (CREATE TABLE, etc.) nor allowed to own objects in the database. One possible suggestion for resolving this issue is to have the application object owner create a static table for user temporary data storage. All users would share the same table.

Fix: Document all authorized application object owner accounts. Use only authorized application object owner accounts to install and maintain application database


UNCLASSIFIED

7-105 V8R1.3 Mar 2009

objects. Revoke privileges to create, drop, replace or alter application objects from unauthorized application object owners.

VKEY: V0002512 Severity: CAT 2 Policy: Platinum




Responsibility: DBA

Documentable: False


STIG Requirement: (DG0008: CAT II) The DBA will ensure database application objects are owned by an authorized application object owner account.


UNCLASSIFIED

7-106 V8R1.3 Mar 2009

7.16 DO0190: Oracle audit table ownership

Description: Audit data is frequently targeted by malicious users as it can provide a means to detect their activity. The protection of the audit trail data is of special concern and requires restrictions to allow only the auditor and DBMS backup, recovery, and maintenance users access to it. Check:

From SQL*Plus: select owner from dba_tables where table_name='AUD$'; If the owner account returned is not SYS or SYSTEM, this is a Finding. If the AUD$ tables does not exist, this is a Finding.

Fix: Recreate the audit table while logged in as SYS or SYSTEM.



IA Control: ECTP Check Type: Auto


Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-107 V8R1.3 Mar 2009

7.17 DO0231: Oracle application object owner tablespaces

Description: Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access controls. Application data should be stored separately from system and custom user-defined objects to facilitate administration and management of its data storage. The SYSTEM tablespace should never be used for application data storage in order to prevent resource contention and performance degradation. Check:

From SQL*Plus: select distinct owner,tablespace_name from dba_tables where owner not in ('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM', 'ODM_MTR','MDSYS','ORDSYS','WMSYS','RMAN','XDB') and tablespace_name is not NULL and (owner, table_name) not in (select owner, table_name from dba_external_tables) order by tablespace_name; Review the list of returned table owners with the tablespace used. If any of the owners listed are not default Oracle accounts and use the SYSTEM or any other tablespace not dedicated for the application’s use, this is a Finding. Look for multiple applications that may share a tablespace. If no records were returned, ask the DBA if any applications use this database. If no applications use the database, this is not a Finding. If there are applications that do use the database and if the application uses the SYS or other default account and SYSTEM tablespace to store its objects, this is a Finding.

Fix: Create and assign dedicated tablespaces for the storage of data by each application using the CREATE TABLESPACE command.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0113: CAT II) The DBA will ensure database data files used by third-party applications are defined and dedicated for each application.


UNCLASSIFIED

7-108 V8R1.3 Mar 2009

7.18 DO0310: Oracle system data and table access

Description: System tables and DBA views contain information such as user, system and data that could lead to unauthorized access. Revoke any privileges granted to non-DBA accounts that provide direct access to objects owned by SYS or access to DBA views (DBA_%). Check:

From SQL*Plus: select grantee,privilege,owner,table_name from dba_tab_privs where (owner='SYS' or table_name like 'DBA_%') and privilege <> 'EXECUTE' and grantee not in ('PUBLIC','AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE', 'AURORA$JIS$UTILITY$','OSE$HTTP$ADMIN','TRACESVR', 'CTXSYS','DBA','DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE','EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS','HS_ADMIN_ROLE', 'IMP_FULL_DATABASE','LOGSTDBY_ADMINISTRATOR','MDSYS', 'ODM','OEM_MONITOR','OLAPSYS','ORDSYS','OUTLN', 'RECOVERY_CATALOG_OWNER','SELECT_CATALOG_ROLE', 'SNMPAGENT','SYSTEM','WKSYS','WKUSER','WMSYS', 'WM_ADMIN_ROLE','XDB','LBACSYS','PERFSTAT','XDBADMIN') and grantee not in (select grantee from dba_role_privs where granted_role='DBA') order by grantee; If no accounts or roles are listed, this is not a Finding. Verify that accounts/roles listed have been authorized by the IAO. NOTE: Any accounts created and assigned privileges by Oracle product installations do not require authorization by the IAO. The exclusion list provided in this check is subject to changes or additions made by updates to Oracle products. Non-Oracle products should not be assigned access to Oracle system data and tables, however, if required, document requirement in the System Security Plan and ensure authorization by the IAO.

Fix: Revoke unauthorized access to system tables and data. From SQL*Plus: revoke [object privilege] on [system object name] from [account name or role];


UNCLASSIFIED

7-109 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-110 V8R1.3 Mar 2009

7.19 DO3446: Oracle audit record access

Description: Audit data may contain confidential information such as usernames and passwords. Unauthorized changes or deletion of audit data could compromise its usefulness. To help maintain the integrity of audit data and the confidentiality of its contents, access to it should be restricted to authorized security/security maintenance personnel. Check:

From SQL*Plus: select value from v$parameter where name='audit_trail'; If one of the following values is displayed:

Oracle 8.1.6 – 11.1 = 'db' Oracle 10.1 & 11.1 = 'db_extended' Oracle 10.2 = 'db, extended'

Review access granted to the AUD$ table. From SQL*Plus: select grantee from dba_tab_privs where table_name='AUD$' and grantee not in ('DELETE_CATALOG_ROLE') and grantee not in (select grantee from dba_role_privs where granted_role='DBA') order by grantee; View access granted to the AUD$ table against those authorized in the System Security Plan. If any are not authorized, this is a Finding.

Fix: Document and authorize accounts granted access to the AUD$ table in the System Security Plan. Revoke access permissions granted to the AUD$ table from unauthorized users.



IA Control: ECTP Check Type: Verify


Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-111 V8R1.3 Mar 2009

7.20 DO0340: Oracle application administration roles enablement

Description: Application administration roles, which are assigned system or elevated application object privileges, should be protected from default activation. Application administration roles are determined by system privilege assignment (create / alter / drop user) and application user role ADMIN OPTION privileges. Check:

From SQL*Plus: select grantee,granted_role from dba_role_privs where default_role='YES' and granted_role in (select grantee from dba_sys_privs where upper(privilege) like '%USER%') and grantee not in ('DBA','SYS','SYSTEM','CTXSYS','DBA','IMP_FULL_DATABASE', 'MDSYS','SYS','WKSYS') and grantee not in (select distinct owner from dba_tables) and grantee not in (select distinct username from dba_users where upper(account_status) like '%LOCKED%'); Review the list of accounts reported for this check and ensures that they are authorized application administration roles. If any are not authorized application administration roles, this is a Finding.

Fix: For each role assignment returned, issue: alter user [username] default role all except [role]; If the user has more than one application administration role assigned, then you will have to remove assigned roles from default assignment and assign individually the appropriate default roles.



IA Control: DCFA Check Type: Verify


Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-112 V8R1.3 Mar 2009

7.21 DO3440: Oracle DBA role assignment

Description: The DBA role is very powerful and access to it should be restricted. Verify that any database account granted the DBA role is explicitly authorized by the IAO. In addition to full access to database objects, access to the DBA role by unauthorized accounts may provide full access to the server. Verify that individual DBA accounts are created for each DBA and that the DBA accounts are used only for DBA functions. Check:

From SQL*Plus: select grantee from dba_role_privs where granted_role='DBA' and grantee not in ('SYS','SYSTEM','SYSMAN'); If any accounts are listed, review against the list of DBA accounts authorized by the IAO in the System Security Plan. If any accounts are assigned the DBA role and are not authorized by the IAO, this is a Finding. If any DBA roles are assigned to developer accounts and this is a production database, this is a Finding. If DBAs do not have individually assigned DBA accounts, this is a Finding.

Fix: Authorize and document all DBA role authorizations in the System Security Plan. Revoke DBA role membership from unauthorized accounts. Revoke DBA role membership from any accounts assigned to a developer job function on a shared production/development database.





Responsibility: IAO

Documentable: False




UNCLASSIFIED

7-113 V8R1.3 Mar 2009

7.22 DG0071: Password change variance

Description: Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password. Check:

If no DBMS accounts authenticate using passwords, this check is NA. Confirm that database profiles specify a password verify function. From SQL*Plus: select distinct limit from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' order by limit; Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than 4 characters. If reviewing code, logic similar to the following should be discovered: -- Check if the password differs from the previous password -- by more than 4 characters <<endsearch>> if old_password is not null then differ:=length(old_password) - length(password); if abs(differ) < 4 then if length(password) < length(old_password) then m:=length(password); else m:=length(old_password); end if; differ:=abs(differ); for i in 1..m loop if substr(password,i,1) != substr(old_password,i,1) then differ:=differ + 1; end if; end loop; if differ < 4 then


UNCLASSIFIED

7-114 V8R1.3 Mar 2009

raise_application_error(-20004, 'Password should differ by more than 4 characters'); end if; end if; end if; If any password_verify_function routines do not check for a difference of more than 4 characters, this is a Finding.

Fix: Define and apply a password_verify_function for all profiles where passwords are used to authenticate accounts. See Fix information for DO3504 to create a password_verify_function that meets STIG requirements.



IA Control: IAIA Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0071: CAT II) The DBA will ensure database passwords differ from previous values by more than 4 characters when changed where supported by the DBMS.


UNCLASSIFIED

7-115 V8R1.3 Mar 2009

7.23 DG0072: DBMS password change time limit

Description: Frequent password changes may indicate suspicious activity or attempts to bypass password controls based on password histories. Limiting the frequency of password changes helps to enforce password change rules and can lead to the discovery of compromised accounts. Check:

If no DBMS accounts authenticate using passwords, this check is NA. Confirm that database profiles specify a password verify function. From SQL*Plus: select distinct limit from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' order by limit; Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function prevents users from changing their passwords within 24 hours of the last password change. If reviewing code, logic similar to the following should be discovered: -- Check if the password has been changed within the last 24 hours select ctime into pw_change_time from user$ where name = username; if sysdate - pw_change_time < 1 then raise_application_error(-20001, 'Password was changed too recently',FALSE); end if; If any password_verify_function routines do not check for password changes within 24 hours of the last password change, this is a Finding.



UNCLASSIFIED

7-116 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0072: CAT II) The DBA will ensure users are not allowed to change their database account passwords more than once every 24 hours without IAO approval where supported by the DBMS. (This requirement does not apply to password changes after password reset actions initiated by the DBA or application administrator).


UNCLASSIFIED

7-117 V8R1.3 Mar 2009

7.24 DG0127: DBMS account password easily guessed

Description: DBMS account passwords set to easily guessed common dictionary words or values render accounts vulnerable to password guessing attacks and unauthorized access. Check:

If no DBMS accounts authenticate using passwords (rare), this check is NA. Confirm that database profiles specify a password verify function. From SQL*Plus: select distinct limit from dba_profiles where resource_name= 'PASSWORD_VERIFY_FUNCTION' order by limit; Review the code for the password verify function or have the DBA demonstrate a password change to ensure that the function does not accept passwords that are the same as the username, the name of the database or instance name. If reviewing code, logic similar to the following should be discovered: -- Check if the password is too simple. A dictionary of words may be -- maintained and a check may be made so as not to allow the words -- that are too simple for the password. if nls_lower(password) in ('welcome','database','account','user','password','oracle','computer','abcdefgh', '12345') then raise_application_error(-20002, 'Password too simple'); end if; If any password_verify_function routines do not check for simple passwords, this is a Finding. Check also to ensure all password-authenticated accounts specify a password_verify_function. From SQL*Plus: select distinct profile from dba_profiles where resource_name='PASSWORD_VERIFY_FUNCTION' and (limit is NULL or limit = NULL); If any profiles are returned that are used by password-authenticated accounts, this is a Finding. To view the names of password-authenticated accounts.


UNCLASSIFIED

7-118 V8R1.3 Mar 2009

From SQL*Plus: select name from user$ where password is not NULL;






Responsibility: DBA

Documentable: False


STIG Requirement: (DG0127: CAT II) The DBA will configure or test database account passwords to prevent use of easily guessed or discovered values.


UNCLASSIFIED

7-119 V8R1.3 Mar 2009

7.25 DO0160: Oracle application object owner accounts

Description: Object owners are implicitly granted full permissions and privileges to the objects they own. These accounts are also granted elevated privileges within the database to permit them to create and manage their objects. These accounts should be protected from daily use by disabling them. After application installation, these accounts should be used only for software update and maintenance. Check:

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select distinct owner from dba_objects, dba_users where owner not in ('ANONYMOUS','AURORA$JIS$UTILITY$', 'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP','DVF', 'DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW','ODM', 'ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN', 'OUTLN','PERFSTAT','PUBLIC','REPADMIN','RMAN', 'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR', 'TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB') and owner = username and upper(account_status) not like '%LOCKED%'; To obtain a list of users assigned DBA privileges. From SQL*Plus: select grantee from dba_role_privs where granted_role=’DBA’; If any records are returned, then verify the account is an authorized application object owner account or a default account installed to support an Oracle product. Verify that any objects owned by custom DBA accounts are for the personal use of that DBA. If any objects are used to support applications or any functions other than DBA functions, this is a Finding. Any unauthorized object owner accounts are not a finding under this check as they are noted as findings under check DO0150. Any other accounts listed are a Finding.

Fix: Disable any application object owner accounts. From SQL*Plus: alter user [username] account lock;


UNCLASSIFIED

7-120 V8R1.3 Mar 2009

Enable application object owner accounts only for installation and maintenance. DBA are special purpose accounts and do not require disabling although they may own objects. For application objects that require routine maintenance, e.g. index objects, to maintain performance, consider allowing a special purpose account to own the index or enable the application owner account for the duration of the routine maintenance function only.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0004: CAT II) The DBA will ensure custom application owner accounts are disabled or locked when not in use.


UNCLASSIFIED

7-121 V8R1.3 Mar 2009

7.26 DO0210: Oracle shared replication account access

Description: Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases participating in the replication. Replication connections use fixed user database links. This means that access to the replication account on one server provides access to the other servers participating in the replication. Granting unauthorized access to the replication account provides unauthorized and privileged access to all databases participating in the replication group. Check:

From SQL*Plus: select 'The number of replication objects defined is: '|| count(*) from all_tables where table_name like 'REPCAT%'; If the count returned is 0, then Oracle Replication is not installed and this check is NA. Otherwise: From SQL*Plus: select count(*) from sys.dba_repcatlog; If the count returned is 0, then Oracle Replication is not in use and this check is NA. If any results are returned, ask the DBA if the replication account (the default is REPADMIN, but may be customized) is restricted to IAO-authorized personnel only. If it is not, this is a Finding. If there are multiple replication accounts, confirm that all are justified and documented with the IAO. If they are not, this is a Finding.

Fix: Change the password for default and custom replication accounts and provide the password to IAO-authorized users only.



IA Control: IAGA Check Type: Verify


Responsibility: IAO

Documentable: False




UNCLASSIFIED

7-122 V8R1.3 Mar 2009

7.27 DO3485: Oracle PASSWORD_LIFE_TIME profile parameter

Description: The PASSWORD_LIFE_TIME value specifies the length of time the same password may be used to authenticate to a database account. After the time period specified has passed for the assigned password, the user is required to change their password or else forfeit access to the database. Frequent password changes help to decrease the likelihood or duration of a password compromise that would result in unauthorized access. Check:

NOTE: The DEFAULT profile is required to have a password lifetime set not to exceed 60 days, which is the current password lifetime limit per DoD policy. Custom profiles for non-interactive accounts (accounts used by applications or other systems) may have a password lifetime set to a time greater than 60 days, but must still have a limit assigned. Limits of one year or less for non-interactive accounts do not require IAO authorization and should be set to a lifetime as low as administration and operation of the application will support. From SQL*Plus: select profile,limit from dba_profiles, (select limit as def_pwd_life_tm from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_LIFE_TIME') where resource_name='PASSWORD_LIFE_TIME' and ((replace(limit,'DEFAULT',def_pwd_life_tm) in ('UNLIMITED',NULL)) or (lpad(replace(limit,'DEFAULT',def_pwd_life_tm),40,'0') > lpad('60',40,'0'))); If the DEFAULT profile has a value greater than 60 days, this is a Finding. If any non-default profiles have password lifetimes greater than 60 days and are assigned to interactive accounts, this is a Finding. If any non-default profiles have password lifetimes greater than 365 days (1 year) and are assigned to any accounts, this is a Finding. If any profiles have password lifetimes set to UNLIMITED, NULL or no value, this is a Finding. Verify in the System Security Plan that all accounts assigned to profiles with a password lifetime greater than 60 days belong to non-interactive accounts.

Fix:


UNCLASSIFIED

7-123 V8R1.3 Mar 2009

Assign a password lifetime of 60 days or less to the default database profile. Assign a password lifetime of 60 days or less to non-default profiles assigned to interactive database accounts. Assign as password lifetime of 365 days or less to non-default profiles assigned to non-interactive database accounts that do not support frequent password changes. Include a list of all database accounts and their profile assignments in the System Security Plan. Modify profiles to assign a password lifetime. From SQL*Plus: alter profile default limit password_life_time 60; alter profile [profile name] limit password_life_time [60 to 365]; Replace [profile name] with any existing, non-default profile name and [60 to 365] with a value between 60 and 365 (days) inclusive.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0125: CAT II) The DBA will set expiration times for interactive database user account passwords to 60 days or less where supported by the DBMS.


UNCLASSIFIED

7-124 V8R1.3 Mar 2009

7.28 DO3536: Oracle IDLE_TIME profile parameter

Description: The Idle Time Resource Usage setting limits the maximum idle time allowed in a session. Idle time is a continuous inactive time period during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit. Setting an Idle Time Resource Usage limit helps prevent users from leaving applications open when they are away from their desks. Check:

From SQL*Plus: select limit from DBA_PROFILES where profile=’DEFAULT’ and resource_name=’IDLE_TIME’; select profile||': '||limit from dba_profiles, (select limit as def_idl_tm from dba_profiles where profile = 'DEFAULT' and resource_name = 'IDLE_TIME') where resource_name='IDLE_TIME' and ((replace(limit,'DEFAULT',def_idl_tm) in ('UNLIMITED', NULL)) or (lpad(replace(limit,'DEFAULT',def_idl_tm),40,'0') > lpad('15',40,'0'))); If the idle time on the DEFAULT profile is greater than 15 minutes, this is a Finding. If any non-default profiles have an idle time setting greater than 60 minutes or are set to an UNLIMITED value and not documented in the System Security Plan or not authorized by the IAO, this is a Finding. If any profiles have an idle time setting of NULL or no value, this is a Finding.

Fix: Modify profiles to meet the idle time requirement. From SQL*Plus: alter profile default limit idle_time 15; alter profile [profile name] limit idle_time [IAO-approved value]; Authorize and document any profiles that require idle times greater than 15 minutes in the System Security Plan.


UNCLASSIFIED

7-125 V8R1.3 Mar 2009



IA Control: ECLO Check Type: Verify


Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-126 V8R1.3 Mar 2009

7.29 DO0380: Oracle SYSDBA password file users

Description: Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down or open in restricted mode) in addition to all privileges controlled under database operation. Assignment of SYSDBA privileges in the Oracle password file to unauthorized persons can compromise all DBMS activities. Check:

From SQL*Plus: select username from v$pwfile_users where username not in (select grantee from dba_role_privs where granted_role='DBA') and username<>'INTERNAL' and (sysdba = 'TRUE' or sysoper='TRUE'); If any accounts are listed and are not authorized by the IAO in the System Security Plan, this is a Finding.

Fix: If a REMOTE_LOGIN_PASSWORDFILE is in use (='EXCLUSIVE'), then list database accounts assigned SYSDBA and SYSOPER database privileges and review for appropriate authorization. Document authorized SYSDBA and SYSOPER users in the System Security Plan. From SQL*Plus: select * from v$pwfile_users; To revoke SYSDBA or SYSOPER from accounts: From SQL*Plus: revoke sysdba from [username]; revoke sysoper from [username];





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0085: CAT II) The DBA will ensure the minimum database administrative privileges are assigned to database administrative roles to perform the administrative job function.


UNCLASSIFIED

7-127 V8R1.3 Mar 2009

7.30 DG0075: DBMS links to external databases

Description: DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database links between production and development DBMSs provide a means for developers to access production data not authorized for their access or to introduce untested or unauthorized applications to the production database. Only protected, controlled, and authorized downloads of any production data to use for development should be allowed. Only applications that have completed the configuration management process should be introduced by the application object owner account to the production system. Check:

From SQL*Plus: select db_link||': '||host from dba_db_links; If no links are returned, this check is NA. Review documentation for definitions of authorized database links to external interfaces. The documentation should include: - Any remote access to the database - The purpose or function of the remote connection - Any access to data or procedures stored externally to the local DBMS - Any network ports or protocols used by remote connections, whether the

remote connection is to a production, test, or development system - Any security accounts used by DBMS to access remote resources or objects If any unauthorized database links are defined or the definitions do not match the documentation, this is a Finding. NOTE: Findings for production-development links under this check are assigned to the production database only. If any database links are defined between the production database and any test or development databases, this is a Finding. If remote interface documentation does not exist or is incomplete, this is a Finding.

Fix: Document all remote or external interfaces used by the DBMS to connect to or allow connections from remote or external sources. Include with the documentation as appropriate, any network ports or protocols, security accounts, and the sensitivity of any data exchanged. Do not define or configure database links between production databases and test or development databases.


UNCLASSIFIED

7-128 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0075: CAT II) The DBA will ensure database connections to remote databases or remote or external applications and services are disabled and/or not defined unless database replication is in use or the remote connection is mission and/or operationally required and documented in the AIS functional architecture documentation.


UNCLASSIFIED

7-129 V8R1.3 Mar 2009

7.31 DG0087: DBMS sensitive data labeling

Description: The sensitivity marking or labeling of data items promotes the correct handling and protection of the data. Without such notification, the user may unwittingly disclose sensitive data to unauthorized users. Check:

If Oracle Label Security is not installed or database does not contain sensitive data, this check is NA. From SQL*Plus: select * from DBA_SA_USERS; Compare results to the requirements for labeling as specified in the System Security Plan. If label security is not configured as specified in the System Security Plan, this is a Finding.

Fix: Document label security requirements in the System Security Plan. Configure label security in accordance with the System Security Plan. Monitor and audit changes to the label security configuration.



IA Control: ECML Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0087: CAT III) The DBA will configure DBMS marking and labeling of non-public data where required in accordance with the System Security Plan.


UNCLASSIFIED

7-130 V8R1.3 Mar 2009

7.32 DG0091: DBMS source code encoding or encryption

Description: Source code may include information on data relationships, locations of sensitive data that are otherwise obscured, or other processing information that could aid a malicious user. Encoding or encryption of the custom source code objects within the database helps protect against this type of disclosure. Check:

If this is not a production database, this check is NA. From SQL*Plus: select owner||'.'||name from dba_source where line=1 and owner not in ('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS','ORDPLUGINS', 'ORDSYS', 'OUTLN', 'PM', 'QS_ADM','RMAN', 'SYSTEM','WKSYS', 'WMSYS','XDB') and owner not like 'OEM%' and text not like '%wrapped%' and type in ('PACKAGE BODY','FUNCTION','PROCEDURE'); Review the list of results with the DBA. If any results are custom or GOTS application code, this is a Finding. If all returned results are default DBMS or COTS application code, this is not a Finding.

Fix: Use the Oracle WRAP utility to encode application source code stored in application database objects (stored procedures, functions, packages). The following may be used as an example process: 1) export the application object source and store in an external file. From SQL*Plus: set show off set heading off set verify off set echo off set term off set pagesize 0 set feedback off set serveroutput on size 1000000 set wrap on set trimspool on set linesize 512 spool [output file name = proc.sql]


UNCLASSIFIED

7-131 V8R1.3 Mar 2009

select text from dba_source where object_name='[object name]'; spool off 2) From system command line, invoke the wrap utility. wrap iname=proc.sql oname=proc.plb This will result in the file name proc.plb 3) re-create the object with the encoded source code. From SQL*Plus: @proc.plb



IA Control: DCSL Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0091: CAT III) The DBA will ensure custom application and Government-Off-The-Shelf (GOTS) source code objects are encoded or encrypted within the production database where supported by the DBMS.


UNCLASSIFIED

7-132 V8R1.3 Mar 2009

7.33 DG0172: DBMS classification level audit

Description: Some DBMS systems provide the feature to assign security labels to data elements. The confidentiality and integrity of the data depends upon the security label assignment where this feature is in use. Changes to security label assignment may indicate suspicious activity. Check:

If the DBMS does not have Oracle Label Security installed or no sensitive data is stored or processed in the database, this check is NA. From SQL*Plus: select * from dba_sa_audit_options; If no records are returned or if output from the SQL statement above does not show classification labels being audited as required in the System Security Plan, this is a Finding..

Fix: Define the policy for auditing changes to security labels defined for the data. Document the audit requirements in the System Security Plan and configure database auditing in accordance with the policy.



IA Control: ECLC Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0172: CAT II) The DBA will enable auditing of any changes to the classification or sensitivity level assigned to classified data in the DBMS where available and required by the Information Owner.


UNCLASSIFIED

7-133 V8R1.3 Mar 2009

7.34 DO0220: Oracle instance names

Description: Service names may be discovered by unauthenticated users. If the service name includes version numbers or other database product information, then a malicious user may use that information to develop a targeted attack. Check:

From SQL*Plus: select instance_name from v$instance; select version from v$instance; If the instance name returned references the Oracle release number, this is a Finding. Numbers used that include version numbers by coincidence are not a Finding. The DBA should be able to relate the significance of the presence of a digit in the SID.

Fix: Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents) to change the SID for the database without re-creating the database to a value that does not identify the Oracle version.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-134 V8R1.3 Mar 2009

7.35 DO0221: Oracle default SID name

Description: Use of the default Oracle System Identifier (SID) leaves the database vulnerable to attacks that target Oracle installations running under default SID. Using a custom name helps protect the database against this kind of targeted attack. Check:

From SQL*Plus: select instance_name from v$instance; Review the instance name with the DBA. Ask the DBA if the instance name was chosen by the installer to conform to local naming conventions, etc. or if it was determined by the installation software. If it was named by the installation software, this is a Finding.

Fix: Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents) to change the SID for the database without re-creating the database to a value other than the application default.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

7-135 V8R1.3 Mar 2009

7.36 DO0250: Oracle database link usage

Description: Database links define connections that may be used by the local database to access remote Oracle databases. These links provide a means for a compromise to the local database to spread to remote databases in the distributed database environment. Limiting or eliminating use of database links where they are not required to support the operational system can help isolate compromises to the local or a limited number of databases. Check:

From SQL*Plus: select owner||': '||db_link from dba_db_links; select count(*) from sys.dba_repcatlog; If no records are returned from the first SQL statement, this check is NA. If the value of the count returned is 0 for the second SQL statement, none of the database links listed above, if any, is used for replication. Confirm that the public and fixed user database links listed are documented in the System Security Plan, are authorized by the IAO and used for replication or operational system requirements. If any are not, this is a Finding.

Fix: Document all authorized connections from the database to remote databases in the System Security Plan. Remove all unauthorized remote database connection definitions from the database. From SQL*Plus: drop database link [link name]; OR drop public database link [link name]; Review remote database connection definitions periodically and confirm their use is still required and authorized.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0075: CAT II) The DBA will ensure database connections to remote databases or remote or external applications and services are disabled and/or not defined unless database replication is in use or the remote connection is mission and/or operationally required and documented in the AIS functional architecture documentation.


UNCLASSIFIED

7-136 V8R1.3 Mar 2009

7.37 DO0260: Oracle control file availability

Description: Oracle control files are used to store information critical to Oracle database integrity. Oracle uses these files to maintain time synchronization of database files as well as at system startup to verify the validity of system data and log files. Loss of access to the control files can affect database availability, integrity and recovery. Check:

From SQL*Plus: select name from v$controlfile; Oracle Best Practices recommends a minimum of two distinct control files each located on separate storage devices or on separate, archived partitions within a RAID device. If this minimum listed above is not met, this is a Finding. Consult with the SA or DBA to determine that the mount points or partitions referenced in the file paths indicate separate physical or RAID disks.

Fix: To prevent loss of service during disk failure, multiple copies of Oracle control files should be maintained on separate disks in archived directories. Adding or moving a control file requires careful planning and execution. Please consult and follow the instructions for creating control files in the Oracle Database Administrator's Guide, under Steps for Creating New Control Files.



IA Control: COBR Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0114: CAT II) The DBA will ensure files critical to database recovery are protected by employment of database and OS high-availability options such as storage on RAID devices.


UNCLASSIFIED

7-137 V8R1.3 Mar 2009

7.38 DO0420: Oracle XML DB

Description: The XML DB supports storage and retrieval of XML data objects in the Oracle Database. It requires the configuration of an Oracle shared-server dispatcher that is activated / used by the Oracle listener to pass http XML requests. If this service is not required, it should be disabled. Check:

From SQL*Plus: select count(*) from dba_users where username='XDB'; select count(*) from v$parameter where name='dispatchers' and value like '%XDB%'; If a value of 0 is returned for either the first or the second SQL statement above, this is not a Finding. If a value of 1 (or more) is returned for the second SQL statement, review the System Security Plan to verify existence of all XML DB dispatchers is authorized. If it is not, this is a Finding.

Fix: If the database is authorized to support web services using XML over HTTP, then include documentation and authorization in the System Security Plan. If none is authorized, uninstall XML DB per Oracle MetaLink Note 243554.1 for Oracle versions 9.2, 10.1 and 10.2 and Oracle MetaLink Note 742014.1 for Oracle version 11.1.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0016: CAT III) The DBA will ensure unused optional database components or features, applications, and objects are removed from the database and host system. If the optional component cannot be uninstalled or removed, then the DBA will ensure the unused component or feature is disabled.


UNCLASSIFIED

8-138 V8R1.3 Mar 2009

8. Oracle Home Automated Check Procedures

8.1 DG0003: DBMS patchset/CPU security patch level

Description: Maintaining the currency of the software version protects the database from known vulnerabilities. Check:

Oracle provides patches in patchsets, Critical Patch Updates (CPU) as well as providing patch set exceptions for installed DBMS products. A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions). Oracle security patches are published quarterly in January, April, July and October as Critical Patch Updates (CPU). CPUs may be viewed at http://www.oracle.com/technology/deploy/security/alerts.htm. Most Oracle CPU patches are also listed in DoD IAVM alerts. Patch set exceptions are fixes per a particular DBMS product based on reported bugs and do not undergo the rigorous QA and certification process that patchsets do. These are installed as needed to correct reported or observed bugs in the Oracle DBMS products. This check applies to the application of the patchsets and the CPU patches. For Oracle patchsets:

From SQL*Plus: select version from v$instance; If the Oracle DBMS version is not at the listed patchset level for your supported platform (see table below), this is a Finding.

1 - Oracle Database Patch Sets (as of March 2009)

Oracle 11g Rel 1 Oracle 10g Rel 1 Oracle 10g Rel 1 Oracle 9i Rel 2 Platform

Latest Patchset

Release Date

Latest Patchset

Release Date

Latest Patchset

Release Date

Latest Patchset

Release Date

Apple MAC OS (PPC)

- - 10.1.0.5 Jan 08, 07 - -

HP Tru64 Unix - - 10.2.0.3 Oct 15, 07 10.1.0.5 Oct 18 , 06 9.2.0.8 Mar 05, 07

HP OpenVMS Alpha

- - 10.2.0.2 Dec 05, 06 10.1.0.5 Feb 15, 08 9.2.0.8 May 04, 07

HP-UX PA-RISC (32-bit)

- - - - - - - -


UNCLASSIFIED

8-139 V8R1.3 Mar 2009

HP-UX PA-RISC (64-bit)

11.1.0.7 Nov 11, 08 10.2.0.4 June 02, 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 22, 06

HP-UX Itanium 11.1.0.7 Oct 06, 08 10.2.0.4 May 02 , 08 10.1.0.5 Jun 07, 06 9.2.0.8 Oct 04 , 06

IBM RS/600(32-bit)

- - - - - - - -

IBM RS/600(64-bit)

- - - - - - 9.2.0.5 Apr 08, 04

IBM AIX Based System(5L)

11.1.0.7 Oct 06, 08 10.2.0.4 May 15 , 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 22, 06

IBM NUMA-Q DYNX/ptx

- - - - - - - -

IBM z/OS (OS/390)

- - 10.2.0.3 Dec 30, 06 10.1.0.5 Mar 05, 06 9.2.0.8 Aug 22, 06

IBM zSeries Based Linux

- - 10.2.0.3 Jun 15, 07 10.1.0.5 Aug 26, 06 9.2.0.8 Feb 26 , 08

IBM Power Based Linux

- - 10.2.0.3 Mar 14, 07 - - - -

Linux x86 11.1.0.7 Sep 18, 08 10.2.0.4 Feb 15 , 08 10.1.0.5 Jan 30, 06 9.2.0.8 Aug 25, 06

Linux x86-64 (AMD64/EM64T)

11.1.0.7 Sep 18, 08 10.2.0.4 Mar 18, 08 10.1.0.5 Feb 24, 06 9.2.0.8 Aug 22, 06

Linux Itanium - - 10.2.0.3 Dec 30, 06 10.1.0.5 May 01, 06 9.2.0.8 Aug 22, 06

Microsoft Windows (32-bit)

11.1.0.7 Oct 09, 08 10.2.0.4 Mar 18, 08 10.1.0.5 Feb 13, 06 9.2.0.8 Aug 21, 06

Microsoft Windows Itanium

(64-bit)

- 10.2.0.3 Dec 29, 06 10.1.0.5 Jan 30, 06 9.2.0.8 Aug 22, 06

Microsoft Windows x86-64 (AMD64/EM64T)

11.1.0.7 Nov 13, 08 10.2.0.4 May 16 , 08 - - - -

Microsoft Windows 2008 Server (32-bit)

- - - - - - - -

Microsoft Windows Server

2008 (x64)

- - - - - - - -

Microsoft Windows Vista

- - - - - - - -

Microsoft Windows Vista

(x64)

- - - - - - - -

Solaris Operating Env

(SPARC 32-bit)

- - - - - - 9.2.0.8 Aug 24, 06

Solaris Operating Env

(SPARC 64-bit)

11.1.0.7 Oct 06, 08 10.2.0.4 May 02, 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 24, 06

Solaris Operating Env (x86)

- - 10.2.0.2 Sep 13, 06 10.1.0.5 Jun 19, 06 - -

Solaris Operating Env (x86 64-bit)

- - 10.2.0.3 Aug 10, 07

Note: The table above was modified from the original found at http://www.oracle.com/technology/support/patches.htm to include the recent Oracle 11g patchset and remove references to Oracle 8i.

For Oracle Critical Patch Updates (CPU): Go to the website http://www.oracle.com/technology/deploy/security/alerts.htm. Click on the latest Critical Patch Update link. Click on the [Database] link in the Supported Products and Components Affected section. Enter your Oracle MetaLink


UNCLASSIFIED

8-140 V8R1.3 Mar 2009

credentials. Locate the Critical Patch Update Availability table. Identify your OS Platform and Oracle version to see if there is a CPU update release. If there is none, this is not a Finding. If there is one, note the patch number for the steps below. View the installed patch numbers for the database using the Oracle opatch utility. On UNIX systems: $ORACLE_HOME/OPatch/opatch lsinventory –detail | grep [PATCHNUM] On Windows systems (From Windows Command Prompt): %ORACLE_HOME%\OPatch\opatch lsinventory –detail | findstr [PATCHNUM] Replace [PATCHNUM] with the Patch number noted above. If the output shows the installed patch is present, this is not a Finding. No output indicates that the patch has not been applied and is a Finding.

Fix:

Apply all Oracle version patchsets and Critical Patch updates to the database software where available. Follow vendor-provided patch installation instructions.



IA Control: VIVM Check Type: Auto

Database level: False

Responsibility: DBA

Documentable: False


STIG Requirement: (DG0003: CAT II) The DBA will ensure all applicable vendor-provided security patches are installed.


UNCLASSIFIED

8-141 V8R1.3 Mar 2009

8.2 DO0100: Oracle version support

Description: Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Check:

From SQL*Plus: select banner from v$version where banner like 'Oracle%'; Currently supported versions as of 3/2009 are:

11.1 10.2 10.1 (extended support only) 9.2 (extended support only) 9.2DV (extended support only).

If the Oracle version is not in the list above or does not have extended support where specified, this is a Finding.

Fix: Upgrade to a supported Oracle version. Install latest patchset available. Apply all available security patches. Use the opatch utility to confirm installed patches.

9.2 / Jul 2007 (Extended support provided through Jul 2010) Terminal Patch Set: 9.2.0.8 (Premier Support for 9.2 ended on 31 July 2007) 10.1 / Jan 2009 (Extended support provided through Jan 2012) Terminal Patch Set: 10.1.0.5 (Premier Support for 10.1 ended on 31 January 2009) 10.2 / Jul 2010 (Extended support provided through Jul 2013) Current Patch Set: 10.2.0.4 (as of June 2008 for most platforms) 11.1 / Aug 2012 (Extended support provided through Aug 2015) Current Patch Set: 11.1.0.7 (as of September 2008 for most platforms)

See http://www.oracle.com/technology/support/patches.htm for a definitive list of version patch sets for Oracle DBMS software.


UNCLASSIFIED

8-142 V8R1.3 Mar 2009



IA Control: VIVM Check Type: Auto


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0001: CAT I) The IAO will ensure unsupported DBMS software is removed or upgraded prior to a vendor dropping support.


UNCLASSIFIED

9-143 V8R1.3 Mar 2009

9. Oracle Home Interview Check Procedures

9.1 DG0010: DBMS software monitoring

Description: Changes to files in the DBMS software directory on the host system including executable, configuration, script or batch files can indicate malicious compromise of the software files. Monitoring of changes to these files can assist in a timely discovery of an attack on the database. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes but are modified by the DBMS as part of normal operation. These modifications can be ignored. Check:

Ask the DBA to describe/demonstrate any software modification detection procedures in place and request documents of these procedures for review. Verify by reviewing reports for inclusion of the DBMS executable and configuration files. If documented procedures and proof of implementation does not exist that includes review of the database software directories and database application directories, this is a Finding.

Fix: Document and implement procedures to monitor changes made to the DBMS software. Identify all database files and directories to be included in the host system or database backups and provide these to the person responsible for backups. For Windows systems, you can use the dir /s > filename.txt run weekly to store and compare file modification/creation dates and file sizes using the DOS fc command. For UNIX systems, you can use the ls –as >filename.txt command to store and compare (diff command) file statistics for comparison. These are not as comprehensive as some tools available, but may be enhanced by including checks for checksums or file hashes.



IA Control: DCSL Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0010: CAT III) The IAO will ensure DBMS software is monitored on a regular basis no less frequently than weekly to detect unauthorized modifications.


UNCLASSIFIED

9-144 V8R1.3 Mar 2009

9.2 DG0011: DBMS Configuration Management

Description: Uncontrolled, untested or unmanaged changes to database software result in an unreliable security posture. Any change to database software libraries may interrupt operations or produce unexpected behavior. CM can reduce the possibility of unexpected results by providing oversight and control for proposed changes. Address supporting custom and third party applications in the management of database software libraries although the responsibilities may be assigned to more than one organization or group. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications. Check:

If this is not a production system, this check is NA. Review documentation and implementation evidence of CM procedures designed to prevent untested and uncontrolled software modifications to the production system. If none is defined and implemented, this is a Finding.

Fix: Develop and implement CM procedures. Include all configurable DBMS features or options. Include upgrades and patch management. Assign responsibilities for oversight and approval for all changes to the database software and configuration.



IA Control: DCPR Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0011: CAT III) The IAO will ensure CM procedures are documented and implemented for changes to the DBMS configuration, software libraries, and other related application software libraries


UNCLASSIFIED

9-145 V8R1.3 Mar 2009

9.3 DG0013: Database backup procedures

Description: Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss. Check:

Review the database backup procedures and implementation evidence. Evidence of implementation includes records of backup events and physical review of backup media. Evidence should match the backup plan as documented in the System Security Plan. If backup procedures do not exist or are not implemented in accordance with the procedures, this is a Finding. If backups are not performed weekly or more often for MAC III systems, this is a Finding. If backups are not performed daily or more often for MAC II systems, this is a Finding. If backup data for MAC II systems is not secured and stored offline at an alternate site, this is a Finding. If backups for MAC I systems do not include a redundant secondary system maintained at a separate physical site that can be activated without interruption or loss of data if the primary system fails, this is a Finding.

Fix: Design, document and implement database backup procedures. Include daily backup procedures and offline backup data storage at an alternate site for MAC II systems. Include a secondary server installed at a separate location that can be brought online to prevent any disruption to availability or loss of data for MAC I systems.


UNCLASSIFIED

9-146 V8R1.3 Mar 2009



IA Control: CODB Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0013: CAT II) The DBA/SA will ensure backups of database data, configuration, and other files critical to database operation have been performed at intervals consistent with the database's assigned criticality level.


UNCLASSIFIED

9-147 V8R1.3 Mar 2009

9.4 DG0020: DBMS backup and recovery testing

Description: Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provide the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media. Check:

Review documented backup testing and recovery verification procedures noted or documented in the System Security Plan. Review evidence of implementation of testing and verification procedures by reviewing logs from backup and recovery implementation. Logs may be in electronic or hardcopy and may include email or other notification. If backup testing and recovery verification are not documented or noted in the System Security Plan, this is a Finding. If evidence of backup testing and recovery verification does not exist, this is a Finding.

Fix: Design, document and implement backup testing and recovery verification procedures for the DBMS host and all individual database instances and either include or note the name, location, version and current revision date of any external documentation in the System Security Plan. Include any requirements for documenting database backup and recovery testing and verification activities in the procedures.



IA Control: CODP Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0020: CAT II) The DBA will ensure the DBMS backup and recovery strategy is documented, implemented and tested at least semi-annually.


UNCLASSIFIED

9-148 V8R1.3 Mar 2009

9.5 DG0050: DBMS software and configuration file monitoring

Description: Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations. Check:

Review documented software and configuration monitoring procedures and implementation evidence to verify that monitoring of changes to database software libraries, related applications and configuration files is being performed weekly or more often. Verify that a list of files, directories and database application objects (procedures, functions and triggers) being monitored is complete. If monitoring is not being performed weekly or more often, this is a Finding. If implementation evidence is not complete, this is a Finding.

Fix: Develop, document and implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. File hashes or checksums should be used for comparisons as file dates may be manipulated by malicious users. Sample method for establishing a baseline of Oracle database objects for monitoring: NOTE: Before running the procedure, consider spooling the results to a text file on the host. Output may also be directed to a database table with modification to the procedure. From SQL*Plus: create or replace function compute_md5 (proc_name_in in varchar2) return varchar2 is all_text varchar2(32767); cur_md5 varchar2(32767); begin for x in (select text from user_source where name=PROC_NAME_IN) loop cur_md5:=dbms_obfuscation_toolkit.md5(input => utl_raw.cast_to_raw(x.text)); all_text:=dbms_obfuscation_toolkit.md5(input => (cur_md5 || all_text));


UNCLASSIFIED

9-149 V8R1.3 Mar 2009

end loop; return all_text; end; / show errors; set serveroutput on size 1000000; declare begin for x in (select distinct name from user_source) loop dbms_output.put_line(chr(10)); dbms_output.put_line('Procedure: ' || x.name) ; dbms_output.put_line('MD5: ' || compute_md5(x.name)); end loop; end; /



IA Control: DCSL Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0050: CAT II) The DBA will ensure database application software is monitored to detect unauthorized modification every week or more often.


UNCLASSIFIED

9-150 V8R1.3 Mar 2009

9.6 DG0053: DBMS client connection definition file

Description: Many sites distribute a single database connection configuration file to all site database users/clients that contains network access information for all databases on the site. Such a file provides information to access databases not required by all users that may assist in unauthorized access attempts. Check:

Review documented and implemented procedures contained or noted in the System Security Plan for providing database client connection information to users and user workstations. Oracle client connection information is stored in the file: $ORACLE_HOME/network/admin/tnsnames.ora (UNIX) %ORACLE_HOME%\network\admin\tnsnames.ora (Windows) If procedures do not indicate and implement restrictions in distribution of connection definitions to personnel/machines authorized to connect to the database, this is a Finding.

Fix: Develop, document and implement procedures to distribute client connection definitions or definition files that contain only connection definitions authorized for that user or user workstation. Include or note these procedures in the System Security Plan.





Responsibility: IAO

Documentable: False


STIG Requirement: (DG0053: CAT II) The IAO will ensure database client software includes only database identification parameters of databases to which that user is authorized access.


UNCLASSIFIED

9-151 V8R1.3 Mar 2009

9.7 DG0066: Temporary password procedures

Description: New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use. Check:

If all database accounts are configured to authenticate using certificates or other credentials besides passwords, this check is NA. Review documented procedures and evidence of implementation for assignment of temporary passwords for password-authenticated accounts. Confirm temporary passwords meet DoD password requirements. Review documented procedures for distribution of temporary passwords to users. Have the DBA demonstrate that the DBMS or applications accessing the database are configured to require a change of password by the user upon first use. If documented procedures and evidence do not exist or are not complete, temporary passwords do not meet DoD password requirements, or the DBMS or applications accessing the database are not configured to require a change of password by the user upon first use, this is a Finding.

Fix: Develop, document and implement procedures for assigning, distributing and changing of temporary passwords for new database user accounts. Procedures should include instruction that meet current DoD password length and complexity requirements and provide a secure method to relay the temporary password to the user. Temporary passwords should also be short-lived and require immediate update by the user upon first use. Consider using account authentication using certificates or other credentials in place of password authentication.



IA Control: IAIA Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0066: CAT II) The DBA will assign a database account password at database account creation.


UNCLASSIFIED

9-152 V8R1.3 Mar 2009

9.8 DG0067: DBMS account password external storage

Description: Passwords stored in clear text for access by host applications and/or batch jobs are vulnerable to unauthorized disclosure. Passwords should always be encrypted when stored in host system files. Check:

NOTE: This check applies specifically to the Oracle DBMS installation and its associated files, scripts and environments. Review with the DBA the list of DBMS configuration files, scripts and applications not defined within the database that access the database included or noted in the System Security Plan. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine if any DBMS configuration files, scripts, applications or DBMS/user environment files/settings contain database passwords. If any do, confirm that the passwords, files and settings are encoded or encrypted. If any passwords are stored in clear text, this is a Finding. If a list of DBMS configuration files, scripts, applications and environment files/settings not defined within the database that access the database does not exist, this is a Finding.

Fix: Develop, document and maintain a list of DBMS configuration files, scripts, applications and environment files/settings not defined within the database that access the database. Record whether they do or do not contain database passwords. If passwords are stored, ensure they are encoded or encrypted and protected by host system security. Also, consider the use of Oracle Database Vault or making the database account authenticate externally.



IA Control: IAIA Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0067: CAT I) The DBA will ensure database account passwords are stored in encrypted format whether stored in database objects, external host files, environment variables or any other storage location.


UNCLASSIFIED

9-153 V8R1.3 Mar 2009

9.9 DG0068: DBMS application password display

Description: Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, then users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen. Check:

Review policy and instructions included or noted in the System Security Plan used to inform users and administrators not to enter database passwords at the command line. Review documented and implemented procedures used to monitor the DBMS system for such activity. If policy or instructions do not exist, proof of users and administrators being briefed does not exist or monitoring for compliance is not being performed to dissuade the practice of entering database passwords on the command line, this is a Finding.

Fix: Develop, document and implement policy and instructions to train users not to enter database passwords on the command line. Develop, document and implement monitoring for compliance. Alter command-line utilities to prevent or report when a password has been entered on a command line or disable its use.



IA Control: ECCR Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0068: CAT II) The DBA will ensure applications that access the database are not used with options that display the database account password on the command line.


UNCLASSIFIED

9-154 V8R1.3 Mar 2009

9.10 DG0069: Production data import to development DBMS

Description: Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. Check:

If the database being reviewed is not a production database or does not contain sensitive data, this check is NA. Review documented policy, procedures and proof of implementation for restrictions placed on data exports from the production database. Policy and procedures should include that only authorized users have access to DBMS export utilities and that export data is properly sanitized prior to import to a development database. Policy and procedures may also include that developers be granted the necessary clearance and need-to-know prior to import of production data. If documented policy, procedures and proof of implementation are not present or complete, this is a Finding. If methods to sanitize sensitive data are required and not documented or followed, this is a Finding.

Fix: Develop, document and implement policy and procedures that provide restrictions for production data export. Require users and administrators assigned privileges that allow the export of production data from a production database to acknowledge understanding of export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users. Ensure sensitive data from production is sanitized prior to import to a development database (See check DG0076). Grant access and need-to-know to developers where allowed by policy.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0069: CAT II) The DBA will ensure production data is not exported for import to development databases except in accordance with processes and procedures approved by the Information Owner.


UNCLASSIFIED

9-155 V8R1.3 Mar 2009

9.11 DG0083: Audit record report automation

Description: Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way. Check:

If the database being reviewed is not a production database, this check is NA. Interview the auditor or IAO to determine if an automated tool or procedure is used to report audit trail data. If an automated tool or procedure is not used, this is a Finding.

Fix: Develop database or host system procedures to report audit trail data in a form usable to detect unauthorized access to or usage of DBMS privileges, procedures or data. You may also want to consider procuring a third-party auditing tool like Oracle Audit Vault with support for Oracle, SQL Server, DB2 and Sybase. NOTE: Audit data may contain sensitive information. The use of a single repository for Audit data should be protected at the highest level based on the sensitivity of the databases being audited.



IA Control: ECRG Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0083: CAT II) The IAO will ensure automated tools are available and implemented for review and reporting of DBMS audit records.


UNCLASSIFIED

9-156 V8R1.3 Mar 2009

9.12 DG0086: DBA role privilege monitoring

Description: Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. Monitoring assigned privileges assists in the detection of unauthorized privilege assignment. The DBA role is assigned privileges that allow DBAs to modify privileges assigned to them. Ensure that the DBA Role is monitored for any unauthorized changes. Check:

Review documented procedures and implementation evidence of DBA role privilege monitoring. If procedures are not documented or noted in the System Security Plan or are not complete, this is a Finding. If evidence of implementation for monitoring does not exist, this is a Finding. If monitoring does not occur monthly (~30 days) or more often, this is a Finding.

Fix: Design, document and implement procedures for monitoring DBA role privilege assignments. Grant the DBA role the minimum privileges required to perform administrative functions. Establish monitoring of DBA role privileges monthly or more often.





Responsibility: IAO

Documentable: False


STIG Requirement: (DG0086: CAT II) The IAO will review monthly or more frequently, the database privileges assigned to database administrative roles to ensure they are limited to the minimum required.


UNCLASSIFIED

9-157 V8R1.3 Mar 2009

9.13 DG0088: DBMS vulnerability mgmt and IA compliance testing

Description: The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, then it can be vulnerable to attack or compromise. Check:

Review procedures and evidence of implementation for monitoring and testing DBMS IA and vulnerability management compliance. If monitoring/testing procedures are not documented or noted in the System Security Plan, this is a Finding. If evidence of periodic monitoring and testing for continued compliance does not exist, this is a Finding.

Fix: Develop, document and implement procedures for periodic monitoring and testing of the DBMS against current vulnerability management and IA configuration requirements compliance. Perform periodic monitoring/testing to ensure continued compliance.



IA Control: ECMT Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0088: CAT III) The IAO will ensure the DBMS is included in the periodic testing of conformance with vulnerability management and IA configuration requirements.


UNCLASSIFIED

9-158 V8R1.3 Mar 2009

9.14 DG0095: DBMS audit trail data review

Description: Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensure that such access is discovered in a timely manner. Check:

If the database being reviewed is not a production database, this check is NA. Review policy and procedures documented or noted in the System Security plan as well as evidence of implementation for daily audit trail monitoring. If policy and procedures are not documented or evidence of implementation is not available, this is a Finding.

Fix: Develop, document and implement policy and procedures to monitor audit trail data daily.



IA Control: ECAT Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0095: CAT II) The IAO will ensure the database audit data is reviewed daily to discover suspicious or unusual activity.


UNCLASSIFIED

9-159 V8R1.3 Mar 2009

9.15 DG0096: DBMS IA policy and procedure review

Description: A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DoD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policies. Check:

Review documented policy and procedures included or noted in the System Security Plan as well as evidence of implementation for annual reviews of DBMS IA policy and procedures. If policy and procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, this is a Finding.

Fix: Develop, document and implement procedures to review DBMS IA policies and procedures.



IA Control: DCAR Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0096: CAT III) The IAO will ensure database IA policies and procedures are reviewed at least annually and are current and consistent with all IA requirements.


UNCLASSIFIED

9-160 V8R1.3 Mar 2009

9.16 DG0097: DBMS Testing Plans and Procedures

Description: Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment. Check:

Review policy and procedures documented or noted in the System Security Plan and evidence of implementation for testing DBMS installations, upgrades and patches prior to production deployment. If policy and procedures do not exist or evidence of implementation does not exist, this is a Finding.

Fix: Develop, document and implement procedures for testing DBMS installations, upgrades and patches prior to deployment on production systems.



IA Control: DCCT Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0097: CAT II) The IAO will ensure comprehensive testing plans and procedures for database installations, updates, and patches are defined and implemented before being deployed in a production environment.


UNCLASSIFIED

9-161 V8R1.3 Mar 2009

9.17 DG0107: Sensitive data identification in the DBMS

Description: A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses. Check:

If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is NA. Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified. Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the IAO or DBA where any questions arise. General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified. If any data is considered sensitive and is not documented in the AISFA, this is a Finding.

Fix: Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan. Include data that appear to be sensitive with a discussion as to why it is not marked as such.



IA Control: DCFA Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0107: CAT II) The IAO will ensure all categories of sensitive data stored or processed by the database are identified in the AIS functional architecture documentation.


UNCLASSIFIED

9-162 V8R1.3 Mar 2009

9.18 DG0108: DBMS restoration priority

Description: When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without proper assignment of the priority placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements. Check:

Review the System Security Plan to discover the restoration priority assigned to the DBMS. If a restoration priority is not assigned, this is a Finding.

Fix: Review the mission criticality of the DBMS in relation to the overall mission of the organization and assign it a restoration priority.



IA Control: DCFA Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0108: CAT III) The IAO will ensure the restoration priority of the database and its supporting subsystems are identified in the System Security Plan.


UNCLASSIFIED

9-163 V8R1.3 Mar 2009

9.19 DG0110: DBMS host shared with a security service

Description: The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The associated risk of a DBMS installed on a system that provides security support is significantly higher than when installed on separate systems. In cases where the DBMS is dedicated to local support of a security support function (e.g. a directory service), separation may not be possible. Check:

Review the services and processes active on the DBMS host system. If the host system is a Windows domain controller, this is a Finding. If the host system is supporting any other security or directory services that do not use the DBMS to store information, this is a Finding. NOTE: This does not include client security applications like firewall and antivirus software.

Fix: Install the DBMS software on a dedicated host.



IA Control: DCSP Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0110: CAT II) The IAO will ensure the DBMS is not installed on a host system that provides directory services or other security services except when serving as a required component of the security service.


UNCLASSIFIED

9-164 V8R1.3 Mar 2009

9.20 DG0154: DBMS System Security Plan

Description: A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities. Check:

Review the System Security Plan for the DBMS. Review coverage of the following in the System Security Plan: - Technical, administrative and procedural IA program and policies that govern the DBMS - Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS - Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response) If a System Security Plan does not exist or does not identify or reference all relevant security controls, this is a Finding.

Fix: Develop, document and implement a System Security Plan for the DBMS. Include IA documentation related to the DBMS in the System Security Plan for the system that the DBMS supports.



IA Control: DCSD Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0154: CAT III) The IAO will ensure the DBMS is included in or has defined for it a System Security Plan.


UNCLASSIFIED

9-165 V8R1.3 Mar 2009

9.21 DG0159: Review of DBMS remote administrative access

Description: Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to implement increased monitoring of this access to detect any abuse or compromise. Check:

If remote administrative access to the database is prohibited and is disabled (See Check DG0093), this check is NA. Review policy, procedure and evidence of implementation for monitoring of remote administrative access to the database. If monitoring procedures for remote administrative access are not documented or implemented, this is a Finding.

Fix: Develop, document and implement policy and procedures to monitor remote administrative access to the DBMS. The automated generation of a log report with automatic dissemination to the IAO/IAM may be used. Require and store an acknowledgement of receipt and confirmation of review for the log report.



IA Control: EBRP Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0159: CAT II) The IAO or IAM will review daily audit trails of remote administrative sessions to discover any unauthorized access or actions.


UNCLASSIFIED

9-166 V8R1.3 Mar 2009

9.22 DG0161: DBMS audit tool

Description: Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe. Check:

Review evidence or operation of audit tool monitoring and alerts. If a monitoring tool that provides alerts is not implemented, this is a Finding.

Fix: Implement an automated tool that monitors audit logs and generates automated alerts. Compliance may be accomplished using existing database features.



IA Control: ECAT Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0161: CAT II) The IAO will ensure an automated monitoring tool or capability is employed to review DBMS audit data and immediately report suspicious or unauthorized activity.


UNCLASSIFIED

9-167 V8R1.3 Mar 2009

9.23 DG0186: DBMS network perimeter protection

Description: Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk. Check:

Review the System Security Plan to determine if the DBMS serves data to users or applications outside the local enclave. If the DBMS is not accessed outside of the local enclave, this is not a Finding. If the DBMS serves applications available from a public network (e.g. the Internet), then confirm that it is located in a DMZ. If the DBMS is located inside the local enclave and is directly accessible to public users, this is a Finding. If the DBMS serves public-facing applications and is not protected by location in a DMZ, this is a Finding.

Fix: Do not allow direct connections from users originating from the Internet or other public network to the DBMS. Locate the DBMS in a DMZ if it serves data to public-facing applications. Do not locate a DBMS that serves public-facing applications inside the local enclave. Include in the System Security Plan for the system whether the DBMS serves public-facing applications or applications serving users from other untrusted networks.


MAC/CONF: 1-SP;2-SP;3-SP

IA Control: EBBD Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0186: CAT II) The IAO will ensure the DBMS is protected from direct client connections from public or unauthorized networks.


UNCLASSIFIED

9-168 V8R1.3 Mar 2009

9.24 DG0187: DBMS software file backups

Description: The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations. Check:

Review evidence of Oracle database and dependent application files and directories. For UNIX Systems: These files are found in the directories $ORACLE_BASE and $ORACLE_HOME. For Windows Systems: The Oracle software directory is specified on a Windows host in the registry value HKLM\SOFTWARE\Oracle\KEY_[ORACLE_HOME_NAME]\ORACLE_HOME. Other Oracle software including, but not limited to Oracle tools and utilities, are found on Windows platforms in the C:\Program Files\Oracle directory and subdirectories. Third-party applications may be located in other directory structures. Review the System Security Plan for a list of all DBMS application software libraries to be included in software library backups. If any software library files are not included in regular backups, this is a Finding.

Fix: Configure backups to include all ORACLE home directories and subdirectories and any other Oracle application and third-party database application software libraries.



IA Control: COSW Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0187: CAT II) The DBA will ensure critical database software directories are backed up.


UNCLASSIFIED

9-169 V8R1.3 Mar 2009

9.25 DG0194: DBMS developer privilege monitoring on shared DBMS

Description: The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations. Check:

If the DBMS or DBMS host is not shared by production and development activities, this check is NA. Review policy and procedures documented or noted in the System Security Plan and evidence of monitoring of developer privileges on shared development and production DBMS and DBMS host systems. If developer privileges are not monitored every three months or more frequently, this is a Finding.

Fix: Develop, document and implement procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often.



IA Control: ECPC Check Type: Interview


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0194: CAT II) The IAO will review privileges granted to developers on shared production/development database systems that allow modification of application code or application objects every three months or more frequently.


UNCLASSIFIED

9-170 V8R1.3 Mar 2009

9.26 DG0064: DBMS backup and restoration file protection

Description: Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation. Check:

Review documented backup and restoration procedures to determine ownership and access during all phases of backup and recovery. Review file protections assigned to online backup and restoration files and tools. Review access, physical security protections and documented procedures for offline backup and restoration files and tools. If implementation evidence indicates that backup or restoration files are subject to corruption, unauthorized access or physical loss, this is a Finding.

Fix: Develop, document and implement protection for backup and restoration files. Document personnel and the level of access authorized for each to backup and restoration files and tools. In addition to physical and host system protections, consider other methods including password protection of the files.



IA Control: COBR Check Type: Interview


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0064: CAT II) The DBA will ensure access to database backup and recovery files are restricted to the database and/or OS backup and recovery processes, DBAs, and database backup/recovery operators.


UNCLASSIFIED

9-171 V8R1.3 Mar 2009

9.27 DG0118: IAM review of change in DBA assignments

Description: Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight. Check:

Review policy and procedures documented or noted in the System Security Plan as well as evidence of implementation for monitoring changes to DBA role assignments and procedures for notifying the IAM of the changes for review. If policy, procedures or implementation evidence do not exist, this is a Finding.

Fix: Develop, document and implement procedures to monitor changes to DBA role assignments. Develop, document and implement procedures to notify the IAM of changes to DBA role assignments. Include in the procedures methods that provide evidence of monitoring and notification.



IA Control: ECPA Check Type: Interview


Responsibility: IAM

Documentable: False


STIG Requirement: (DG0118: CAT II) The IAM will review DBA role assignments whenever changes to the assignments occur.


UNCLASSIFIED

9-172 V8R1.3 Mar 2009

9.28 DG0040: DBMS software owner account access

Description: DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them. Check:

Review documented and implemented procedures for controlling and granting access of the Oracle DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or unauthorized access to the account has been granted, this is a Finding. On UNIX systems: If the account is not disabled when not in use, this is a Finding. On Windows systems: The Oracle DBMS software is installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. Change of ownership can be performed, but is not necessary and any check results are not a Finding.

Fix: Develop, document and implement procedures to restrict use of the Oracle DBMS software installation account. Ensure that the Oracle DBMS software installation account is locked when not in use.





Responsibility: IAO

Documentable: False


STIG Requirement: (DG0040: CAT II) The IAO will ensure access to the DBMS software installation account is restricted to IAO-authorized personnel only.


UNCLASSIFIED

9-173 V8R1.3 Mar 2009

9.29 DG0041: DBMS installation account use logging

Description: The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost. Check:

Review documented and implemented procedures for monitoring the use of the DBMS software installation account in the System Security Plan. If use of this account is not monitored or procedures for monitoring its use do not exist or are incomplete, this is a Finding. On Windows systems:

The Oracle DBMS software is installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. If monitoring does not include all accounts with administrator privileges on the DBMS host, this is a Finding.

Fix: Develop, document and implement a logging procedure for use of the DBMS software installation account that provides accountability to individuals for any actions taken by the account. Host system audit logs should be included in the DBMS account usage log along with an indication of the person who accessed the account and an explanation for the access. Ensure all accounts with administrator privileges are monitored for DBMS host on Windows OS platforms.





Responsibility: IAO

Documentable: False


STIG Requirement: (DG0041: CAT II) The IAO will ensure use of the DBMS software installation account is logged and/or audited to indicate the identity of the person who accessed the account.


UNCLASSIFIED

9-174 V8R1.3 Mar 2009

9.30 DG0042: DBMS software installation account use

Description: The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS. Check:

Review the DBMS account usage log for use of the Oracle DBMS software installation account. Interview personnel authorized to access the DBMS software installation account to ask how the account is used. If any usage of the account is to support daily operations or general DBA responsibilities, this is a Finding. On Windows systems: The Oracle DBMS software is installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. Except where a change in ownership is made to a dedicated account, any check results are not a Finding.

Fix: Develop, document, implement procedures, and train authorized users to restrict usage of the DBMS software installation account for DBMS software installation, upgrade and maintenance only.





Responsibility: IAO

Documentable: False


STIG Requirement: (DG0042: CAT II) The IAO will ensure the DBMS software installation account is only used when performing software installation and upgrades or other DBMS maintenance. The IAO will ensure the DBMS software installation account is not used for DBA activities not related to DBMS file permission and ownership maintenance.


UNCLASSIFIED

10-175 V8R1.3 Mar 2009

10. Oracle Home Manual Check Procedures

10.1 DG0017: DBMS shared production/development use

Description: On shared production and development DBMS systems access identifiers that do not clearly indicate whether the DBMS or DBMS object being accessed is part of the production or development objects can lead to unintentional modification of production objects. Check:

If the DBMS host is not a shared production/development host, this check is NA. NOTE: Though shared production/development DBMS systems may be allowed under current database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/development DBMS systems meet STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA. Review all environment variables or other identifiers configured on the host system used by production DBAs, other users and developers to access the production and development DBMSs. If the names or values of any identifiers do not clearly distinguish the development from the production applications, databases or database objects, this is a Finding. An example of poor identifier naming would be MYDBAPP1 for production and MYDBAPP2 for development. Acceptable identifiers would be MYDBAPP-PROD and MYDBAPP-DEV or completely different names such as FREDSAPP and SALLYSAPP where the related SALLYSAPP identifiers are known only to DBAs and Developers. Check Windows service names and UNIX process names to review identifiers as well as environment variables used by DBAs and developers. Have the DBA display any other system level or local environment variables that reference the database installation directories or instances.

Fix: Rename identifiers or configuration parameters to distinguish production applications, databases and objects from development. Ensure the DBMS host complies with all applicable STIG guidelines where shared production/development usage is noted or mitigate and document any conflicts with the DAA.


UNCLASSIFIED

10-176 V8R1.3 Mar 2009



IA Control: ECSD Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0017: CAT II) The DBA will ensure software development on a production system is separated through the use of separate and uniquely identified data and application file storage partitions and processes/services.


UNCLASSIFIED

10-177 V8R1.3 Mar 2009

10.2 DG0021: DBMS software and configuration baseline

Description: Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions. Check:

Review DBMS software baseline procedures and implementation evidence. Review the list of files, directories and details included in the current baseline for completeness. If DBMS software configuration baseline procedures do not exist, evidence of implementation does not exist, or baseline is not documented and current, this is a Finding.

Fix: Develop, document and implement DBMS software baseline procedures that include all DBMS software files and directories under the ORACLE_BASE and ORACLE_HOME environment variables and any custom and platform-specific directories. Generate a list of files, directories and details for the DBMS software configuration baseline. Update the configuration baseline after new installations, upgrades/updates or maintenance activities that include changes to the baseline software.



IA Control: DCSW Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0021: CAT II) The DBA will ensure a baseline of database application software and DBMS application objects is maintained for comparison.


UNCLASSIFIED

10-178 V8R1.3 Mar 2009

10.3 DG0052: DBMS software access audit

Description: Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to the database can lead to discovery of unauthorized access attempts. Check:

On UNIX Systems: ps –ef | grep tnslsnr | grep –v grep On Windows Systems: Launch the Services snap-in, locate the Oracle processes and look for any TNSListener processes with STATUS = Started. If a listener is not running on the local database host server, this check is NA. Review the listener.ora file for each listener that accepts remote database connections. For each of these listeners, confirm the listener configuration file does not include the parameter and value (where the word LISTENER listed below is replaced by the actual alias of your listener): LOGGING_LISTENER = OFF If it does, listener logging of connection data is not enabled. Confirm that disabling of listener logging is authorized by the IAO and that database access is audited by another method. If it is disabled and is not authorized, this is a Finding.

Fix: Configure the listener to log connection data by including or modifying the following parameter definition in the listener.ora file (where the word LISTENER listed below is replaced by the actual alias of your listener) or removing the line entirely (Oracle Listener default is to log connection data): LOGGING_LISTENER = ON



IA Control: ECAT Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0052: CAT II) The DBA will include the name of the application used to connect to the database in the audit trail where available.


UNCLASSIFIED

10-179 V8R1.3 Mar 2009

10.4 DG0054: DBMS software access audit review

Description: Regular and timely reviews of audit records increases the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of unauthorized application to access the DBMS may indicate an attempt to bypass security controls. Check:

If application access audit data is not available due to the lack of a local listener process or alternate method of auditing database access, this check is NA (see check DG0052). Review the list of applications authorized to connect to the Oracle database as listed or noted in the System Security Plan. If no list exists, this is a Finding. Review evidence of audit log monitoring to detect use of unauthorized applications to access the database. If no evidence exists or is incomplete, this is a Finding.

Fix: Document applications authorized to access the DBMS in the System Security Plan. Design, document and implement a process to review the listener log file or the results from any alternate methods used to support database access auditing to detect connections from unauthorized applications. Include in this process a method to generate and provide evidence of monitoring. This may include automated or manual processes acknowledged by the auditor or IAO.



IA Control: ECAT Check Type: Manual


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0054: CAT III) The IAO or Database Auditor will regularly review the audit trail to discover access by unauthorized application software.


UNCLASSIFIED

10-180 V8R1.3 Mar 2009

10.5 DG0109: DBMS Dedicated Host

Description: In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host is threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications. Check:

Review a list of Windows service or UNIX processes running on the DBMS host. For Windows, review the Services snap-in. Investigate with the DBA/SA any unknown services. For UNIX, issue the ps -ef command. Investigate with the DBA/SA any unknown processes. If web, application, ftp, domain, print or other non-DBMS services or processes are identified as supporting other optional applications or functions not authorized in the System Security Plan, this is a Finding. NOTE: Only applications that are technically required to share the same host system may be authorized to do so. Applications that share the same host for administrative, financial or other non-technical reasons may not be authorized and are a Finding.

Fix: A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine. Remove any unauthorized processes or services and install on a separate host system. Where separation is not supported, update the System Security Plan to provide the technical requirement for having the application share a host with the DBMS.


UNCLASSIFIED

10-181 V8R1.3 Mar 2009



IA Control: DCPA Check Type: Manual


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0109: CAT II) The IAO will ensure the DBMS host is dedicated to support of the DBMS and is not shared with other application services including web, application, file, print, or other services unless mission or operationally required and documented in the System Security Plan.


UNCLASSIFIED

10-182 V8R1.3 Mar 2009

10.6 DG0175: DBMS host and component STIG compliancy

Description: The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components. Check:

If the DBMS host being reviewed is not a production DBMS host, this check is NA. Review evidence of security hardening and auditing of the DBMS host platform, the application(s) that store data in the database, and any other separately configured components that access the database including web servers, application servers, report servers, etc. If any have not been hardened and received a security audit, this is a Finding.

Fix: Configure all related application components and the DBMS host platform in accordance with the applicable DoD STIG. Regularly audit the security configuration of related applications and the host platform to confirm continued compliance with security requirements.



IA Control: ECSC Check Type: Manual


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0175: CAT II) The IAO will ensure the DBMS host and related applications and components comply with all applicable DoD STIGs.


UNCLASSIFIED

10-183 V8R1.3 Mar 2009

10.7 DG0176: DBMS audit log backups

Description: DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data. Check:

Oracle audit events are logged to error logs, trace files, host system logs and may be stored in database tables. For each Oracle database on the host, determine the location of the database audit trail. From SQL*Plus: select value from v$parameter where name='audit_trail'; If the audit trail is directed to database tables (DB*), ensure the audit table data is included in the database backups. Backups of host system log files are covered in host system security reviews and are not covered here. Other Oracle log files include: - Listener trace file (specified in the listener.ora file) - SQLNet trace file (specified in the sqlnet.ora file) - Oracle database alert and trace files (specified in Oracle parameters): -- audit_file_dest -- db_recovery_file_dest -- diagnostic_dest – 11.1 and higher -- log_archive_dest -- log_archive_dest_n If evidence of inclusion of all audit log files in regular DBMS or host backups does not exist, this is a Finding.

Fix: Document and implement locations of trace, log and alert locations in the System Security Plan. Include all trace, log and alert files in regular backups.



IA Control: ECTB Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0176: CAT II) The DBA will ensure the DBMS audit logs are included in DBMS backup procedures.


UNCLASSIFIED

10-184 V8R1.3 Mar 2009

10.8 DG0012: DBMS software storage location

Description: A DBMS not installed on a dedicated host is threatened by other hosted applications. Any method that provides a level of separation of security context assists in the protection between applications. Check:

For UNIX Systems: ls $ORACLE_BASE ls $ORACLE_HOME If the ORACLE_BASE directory contains subdirectories other than ORACLE_HOME directories, a flash_recovery_area directory and an admin directory, verify they are used by the DBMS. If they are not part of the Oracle DBMS software product, this is a Finding. NOTE: Oracle DBMS data file storage may be placed on a separate, dedicated disk partition and linked to ORACLE_BASE. Refer to check DG0112. For Windows Systems: echo %ORACLE_BASE% echo %ORACLE_HOME% ORACLE_BASE, if defined, is usually set to C:\Program Files\Oracle. For Both: If ORACLE_HOME is not on a dedicated drive or partition from the OS software and other applications, this is a Finding.

Fix: Install DBMS applications on partitions or directories separate from the OS software and other applications. Recommend DBMS server software be installed on a dedicated DBMS server host.



IA Control: DCPA Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0012: CAT II) The DBA will install and maintain database software directories including DBMS configuration files in dedicated directories or disk partitions separate from the host OS and other applications.


UNCLASSIFIED

10-185 V8R1.3 Mar 2009

10.9 DG0019: DBMS software ownership

Description: File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management. Check:

Ask the DBA/SA to demonstrate file ownership of the Oracle DBMS software and files/directories. On Windows systems: The Oracle DBMS software is installed using an account with administrator privileges. Ownership is assigned to the account used to install the DBMS software. Change of ownership can be performed, but is not necessary and any check results are not a Finding. On UNIX systems: cd $ORACLE_BASE;ls -lR>orafiles.txt;more orafiles.txt

Review the resulting text file and note the owner/group ownership. Also Review Oracle DBMS files/directories outside of $ORACLE_BASE (e.g. /etc, /var/opt/oracle, /usr/local/bin) and ensure file and group ownership is assigned to the dedicated host OS account. If any files or directories belonging to the DBMS software are not owned by a designated host OS account, this is a Finding. The ownership and permissions for the following files (if present) should not be changed:

extjob nmb nmo oradism externaljob.ora

Fix:

Assign DBMS file and directory ownership to a dedicated host OS software installation and maintenance account. Use the software owner account to install and maintain the DBMS software libraries and configuration files where applicable. Document locations of Oracle DBMS files and directories in the System Security Plan.


UNCLASSIFIED

10-186 V8R1.3 Mar 2009



IA Control: DCSL Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0019: CAT III) The DBA will ensure database application software is owned by the authorized application owner account.


UNCLASSIFIED

10-187 V8R1.3 Mar 2009

10.10 DG0092: DBMS data file encryption

Description: Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to the data, but may be able to access DBMS data files using OS file tools. NOTE: The decision to encrypt data is the responsibility of the Information Owner and should be based on other access controls employed to protect the data. Check:

Review the System Security Plan to determine if sensitive or classified data identified by the Information Owner requires encryption. If no data is identified as being sensitive or classified in the System Security Plan or if no sensitive or classified data is identified as requiring encryption by the Information Owner in the System Security Plan, this check is NA. Consider which data files store sensitive or classified data. Not all DBMS data files require encryption. Review encryption applied to the DBMS host data file. If no encryption is applied, this is a Finding.

Fix: Use native DBMS or native OS encryption to encrypt DBMS data files that store sensitive or classified data as required by the Information Owner. To reduce the impact on system performance, separate sensitive data where file encryption is required into dedicated data files.



IA Control: ECCR Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0092: CAT II) The DBA will ensure database data files are encrypted where encryption of sensitive data within the DBMS is not available.


UNCLASSIFIED

10-188 V8R1.3 Mar 2009

10.11 DG0195: DBMS host file privileges assigned to developers

Description: Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities. Check:

If the DBMS or DBMS host is not shared by production and development activities, this check is NA. Review OS DBA group membership. If any developer accounts as identified in the System Security Plan have been assigned DBA privileges, this is a Finding.

Fix: Create separate DBMS host OS groups for developer and production DBAs. Do not assign or remove production DBA OS group membership from accounts used for development.



IA Control: ECPC Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0195: CAT II) The SA/DBA will ensure developer accounts on a shared production/development host system are not granted operating system privileges to production files, directories or database components.


UNCLASSIFIED

10-189 V8R1.3 Mar 2009

10.12 DO0133: Oracle connection credential protection

Description: Access to database connection credential stores provides easy access to the database. Without access controls in place to prevent unauthorized access to the credentials, unauthorized access to the database can result. Check:

Review the System Security Plan to discover any external storage of passwords used by applications, batch jobs or users to connect to the database. If no database passwords or credentials are stored outside of the database including use of Oracle Wallets and the Oracle password file (pwd*.ora or orapwd*.ora), this check is NA. View the sqlnet.ora file to determine if Oracle Wallets are used for authentication. If the "WALLET_LOCATION" entry exists in the file, then view permissions on the directory and contents. If access to this directory and these files is not restricted to the Oracle database and listener services, DBA's, and other authorized system and administrative accounts this is a Finding. From SQL*Plus: select value from v$parameter where name='remote_login_passwordfile'; If the command returns the value NONE, this is not a Finding. If it returns the value SHARED, this is a Finding. If it returns the value EXCLUSIVE, view access permissions to the Oracle password file. The default name for Windows is pwd[SID].ora and is located in the ORACLE_HOME\database directory. On UNIX hosts, the file is named orapw[SID] and stored in the $ORACLE_HOME/dbs directory. If access to this file is not restricted to the Oracle database, DBA's, and other authorized system and administrative accounts, this is a Finding. For other password or credential stores, interview the DBA to ask what restrictions to the storage location of passwords have been assigned. If accounts other than those that require access to the storage location have been granted permissions, this is a Finding.

Fix: Consider alternate methods for database connections to avoid custom storage of local connection credentials. Develop and document use of locally stored credentials and their authorized use and access in the System Security Plan. Restrict access and use of the credentials to authorized users using host file permissions and any other available method to restrict access.


UNCLASSIFIED

10-190 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0191: CAT II) The DBA will ensure credentials stored in or used by the DBMS that are used to access remote databases or other applications are protected by encryption and access controls.


UNCLASSIFIED

10-191 V8R1.3 Mar 2009

10.13 DO3847: Oracle spoolmain.log file (Oracle 9i)

Description: The spoolmain.log file is generated by the Database Configuration Assistant (DBCA) database management tool. This file may contain login passwords in clear text. Disclosure of this file to unauthorized persons provides login credentials to the privileged DBA account. Check:

If the Oracle version is 10.1 and later, this check is NA. View the ORACLE_HOME/assistants/dbca or /oracle/admin/[SID]/scripts/log directory for any file named spoolmain.log. If one exists, this is a Finding. Review the System Security Plan for monitoring procedures to detect and delete the spoolmain.log file. If monitoring procedures are not documented and evidence of implementation is not present, this is a Finding.

Fix: Delete the spoolmain.log file after use of the DBCA utility. The DBCA utility may automatically run during database installation. Develop, document and implement procedures to monitor the DBMS system to detect and delete any re-occurrence of the spoolmain.log file.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0191: CAT II) The DBA will ensure credentials stored in or used by the DBMS that are used to access remote databases or other applications are protected by encryption and access controls.


UNCLASSIFIED

10-192 V8R1.3 Mar 2009

10.14 DO5037: Oracle SQLNet and listener log files protection

Description: The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts. Check:

Locate the Listener and SQLNet log files. For all Oracle versions/platforms, view the contents of the sqlnet.ora and listener.ora configuration files located in the ORACLE_HOME/network/admin directory or the directory specified by the TNS_ADMIN environment variable (if set) for the listener process/service account: If the sqlnet.ora parameter TRACE_LEVEL_SERVER is not defined or is set to OFF OR 0, then SQLNet logging is not enabled and the check for these parameters below is NA. Otherwise, verify the directories specified in the following parameters of the sqlnet.ora file exist:

LOG_FILE_SERVER = sqlnet [filename is sqlnet.log] LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Verify the directories and files specified in the following parameters of the listener.ora exist: NOTE: If the Oracle version is 11.1 or higher and you are using Automatic Diagnostic Repository (ADR) logging (DIAG_ADR_ENABLED_[listener name] = ON in listener.ora), the following parameters are NA for Oracle 11.1. Setting DIAG_ADR_ENABLED_[listener name] = OFF in Oracle 11.1 reverts to traditional listener tracing/logging and the following parameters are in effect. For more information on Automatic Diagnostic Repository (ADR), refer to Oracle MetaLink Note 454927.1. LOG_DIRECTORY_[listener name] = [directory on a volume with enough free space] LOG_FILE_[listener name] = listener TRACE_DIRECTORY_[listener name] = [directory on a volume with enough free space]

Default log file locations (by Oracle Version): - Oracle 11.1 (DIAG_ADR_ENABLED_[listener name] = OFF): -- listener log directory and file: ORACLE_HOME/network/log/listener.log -- listener trace directory and files: ORACLE_HOME/network/trace/listener.trc -- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log


UNCLASSIFIED

10-193 V8R1.3 Mar 2009

-- sqlnet trace file: ORACLE_HOME/network/trace/sqlnet.trc

- Oracle 11.1 (DIAG_ADR_ENABLED_[listener name] = ON):

NOTE: The ADR_HOME is defined from the ADR_BASE parameter. If ADR_BASE is not defined, then ADR_BASE is set to the value of the DIAGNOSTIC_DEST initialization parameter, or if DIAGNOSTIC_DEST is not defined, then the value of the ORACLE_BASE environment variable is used. See Oracle MetaLink Note 453125.1 for more information on ADR file locations.

-- listener log directory and file: [ADR_HOME]/alert/log.xml -- listener trace log directory and files: [ADR_HOME]/trace/alert_[SID].log and

[ADR_HOME]/trace/*.trc -- sqlnet log file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/sqlnet.log and [listener

name].log -- sqlnet trace file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/*.trc

- Oracle 10.2 and earlier: -- listener and sqlnet log files: ORACLE_HOME/network/log -- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log -- sqlnet trace file: ORACLE_HOME/network/trace/*.trc

The listener log file location may also be determined using the lsnrctl utility, STATUS command, and viewing the value displayed for listener log file. Review access permissions assigned to the files and directories: - For UNIX, verify that the permissions on the directory and log files are restricted to the Oracle software owner and OS DBA and/or Listener process group. - For Windows, verify that the file permissions on the listener.log and sqlnet.log files restrict access to the Oracle software owner and OS DBA and/or Listener process group. If access to the files is not restricted as listed above, this is a Finding.

Fix: Restrict access to the listener and sqlnet log files. Restrict access to the tnslsnr service account to DBAs, SAs and auditors where they are required by assigned responsibilities.


UNCLASSIFIED

10-194 V8R1.3 Mar 2009



IA Control: ECTP Check Type: Manual


Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-195 V8R1.3 Mar 2009

10.15 DG0140: DBMS security data access audit

Description: DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Implementing auditing of access to security data can support forensic and accountability investigations. Check:

Determine the locations of DBMS audit, configuration, credential and other security data. Review audit settings for these files or data objects. If access to the security data is not audited, this is a Finding. If no access is audited, consider the operational impact and appropriateness for access that is not audited. If the risk for incomplete auditing of the security files is reasonable and documented in the System Security Plan, then do not include this as a Finding.

Fix: Determine all locations for storage of DBMS security and configuration data. Enable auditing for access to any security data. If auditing results in an unacceptable adverse impact on application operation, reduce the amount of auditing to a reasonable and acceptable level. Document any incomplete audit with acceptance of the risk of incomplete audit in the System Security Plan.



IA Control: ECAR Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0140: CAT II) The DBA will ensure all access to DBMS configuration files, database audit data, database credential, or any other DBMS security information is audited.


UNCLASSIFIED

10-196 V8R1.3 Mar 2009

10.16 DO0145: Oracle SYSDBA OS group membership

Description: Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities. Check:

Review the membership for the Oracle DBA host system OS group. On UNIX systems:

cat /etc/group | grep -i dba [where dba is the default group name from Oracle] To display the group name if dba is not the default, use the command: cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP

On Windows Systems: Open Computer Management, expand System Tools, expand Local Users and Groups, select the Group folder. Double-click on the ORA_DBA group to view group members.

Compare the list of members with the list of authorized DBA accounts documented in the System Security Plan. If any users are assigned to the group that are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.

Fix: Document user accounts that are authorized by the IAO to be assigned DBA privileges. Remove any accounts assigned membership in the operating system DBA group that has not been authorized. Develop and implement procedures for periodic review of accounts assigned membership to the DBA group.



IA Control: DCSD Check Type: Manual


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0153: CAT III) The IAO will assign and authorize DBA responsibilities for the DBMS.


UNCLASSIFIED

10-197 V8R1.3 Mar 2009

10.17 DG0025: DBMS encryption compliance

Description: Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively. Check:

For UNIX systems: $ORACLE_HOME/OPatch/opatch lsinventory –detail | grep “Oracle Advanced Security” For Windows Systems: %ORACLE_HOME%/OPatch/opatch lsinventory –detail | find “Oracle Advanced Security” If Oracle Advanced Security is not installed, this check is NA. For Oracle version 11.1 and later:

View the FIPS.ORA file found in the ORACLE_HOME/ldap/admin directory or the directory specified in the FIPS_HOME environment variable if set. If the file does not exist, it can be created. If SSLFIPS_140=TRUE is not set, this is a Finding. If SSL_CIPHER_SUITES is not defined, this is a Finding. If any cipher suite listed in SSL_CIPHER_SUITES value list is not included in the cipher suite list included below (and in this order), this is a Finding.

For Oracle version 10.1 and 10.2:

View the SQLNET.ORA file. If SQLNET.SSLFIPS_140=TRUE is not set, this is a Finding. If SSL_CIPHER_SUITES is not defined, this is a Finding. If any cipher suites listed in SSL_CIPHER_SUITES value list is not included in the cipher suite list included below (and in this order), this is a Finding.

FIPS 140-2 validated cipher suites for the Oracle SSL Libraries in the order of strongest to weakest:

SSL_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_DES_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_DH_anon_WITH_DES_CBC_SHA


UNCLASSIFIED

10-198 V8R1.3 Mar 2009

NOTE: Earlier versions of Oracle’s cryptographic modules were validated only against FIPS 140-1 criteria.

Fix: Installation of Oracle Advanced Security product (which may require additional Oracle licensing consideration) is required to use native Oracle encryption. Please see the Oracle Advanced Security Administration Guide for configuration and use of encryption in the database. The OAS Administration Guide provides references to the encryption features provided by Oracle Advanced Security. Instructions for the configuration of FIPS 140-2 compliance for encryption of network communications are provided in a dedicated appendix of the Oracle Advanced Security Administration Guide. Encryption of data stored within the database is available only in Oracle versions 11.1 and later. View Data Encryption and Integrity in the Oracle Advanced Security Administration Guide for configuration details. All cipher suites listed above include FIPS 140-2 validated algorithms available for data encryption.



IA Control: DCNR Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0025: CAT II) The DBA will ensure FIPS 140-2 validated cryptography is used where encryption, digital signature, key exchange, and secure hashing is required and is configured to use NIST approved standards.


UNCLASSIFIED

10-199 V8R1.3 Mar 2009

10.18 DG0093: Remote administration encryption for confidentiality

Description: Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. Encryption of remote administrative connections to the database ensures confidentiality of configuration, management, and other administrative data. Check:

Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is NA. If it is, ask the DBA if the remote access to DBA accounts is made using remote access to the DBMS host or made directly to the database from a remote database client. If administration is performed using remote access to the DBMS host, review policy and procedures documented or noted in the System Security Plan, along with evidence that remote administration of the DBMS is performed only via an encrypted connection protocol such as SSH or IPSec. If it is not, this is a Finding. If administration is performed from a remote database client, confirm that a dedicated database listener that encrypts communications exists for remote administrative communications. If a DBMS listener that encrypts traffic is not configured, this is a Finding. If any listeners on the DBMS host are configured to accept unencrypted traffic, review documented policy, procedures and evidence of training DBAs not to use the unencrypted listener for remote access to DBA accounts. If no such policy exists or the DBAs have not been instructed not to use the unencrypted connections, this is a Finding.

Fix: Where remote access to DBA accounts is not allowed, establish and implement policies and train DBAs that remote access to DBA accounts is prohibited. Where remote access to DBA accounts is allowed, the remote connection must be encrypted. If remote access is established via the database listener, then install a dedicated listener configured to encrypt all traffic for use by DBAs for remote access. This requires use of Oracle Advanced Security and Oracle Wallet Manager. See the Oracle Advanced Security Guide, Configuring Network Data Encryption and Integrity for Oracle Servers and Clients for details. Configure the listener to require SSL for the DBA connections by specifying the TCPS as the network protocol. Sample listener.ora entries: DBALSNR = (DESCRIPTION =


UNCLASSIFIED

10-200 V8R1.3 Mar 2009

(ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = [SID]) ) ) Configure the server's FIPS.ORA or SQLNET.ORA file to use FIPS 140-2 compliant settings to encrypt the traffic and ensure integrity of the transmission: In the FIPS.ORA (11.1 and later) file in the $ORACLE_HOME/ldap/admin directory or the directory specified in the FIPS_HOME environment variable for the dedicated listener on the server, add the following line: SSLFIPS_140=TRUE In the SQLNET.ORA (10.2 and earlier) file in the ORACLE_HOME/ldap/admin directory or the directory specified in the TNS_ADMIN environment variable for the dedicated listener on the server, add the following line (both client and server): SQLNET.SSLFIPS_140=TRUE Monitor the listener log files for evidence of any unencrypted remote access to DBA accounts.



IA Control: ECCT/ECNK

Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0093: CAT II) The DBA will ensure remote administrative connections to the database are encrypted.


UNCLASSIFIED

10-201 V8R1.3 Mar 2009

10.19 DG0103: DBMS listener network restrictions

Description: Network listeners provide the means to connect to the DBMS from remote systems. Restricting remote access to specific, trusted systems, helps prevent access by unauthorized and potentially malicious users. Check:

If a listener is not running on the local database host server, this check is NA. IP address restriction may be defined for the database listener, by use of the Oracle Connection Manager, or by another network device. Identify the method used to enforce address restriction (interview or System Security Plan review). If enforced by the database listener, then review the SQLNET.ORA file located in the ORACLE_HOME/network/admin directory or the directory indicated by the TNS_ADMIN environment variable or registry setting. If the following entries do not exist, then restriction by IP address is not configured and is a Finding. tcp.validnode_checking=YES tcp.invited_nodes=(IP1, IP2, IP3) If enforced by an Oracle Connection Manager, then review the CMAN.ORA file for the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin directory for the connection manager). If a RULE entry allows all addresses ("/32") or does not match the address range specified in the System Security Plan, this is a Finding. (rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept)) NOTE: an IP address with a "/" indicates acceptance by subnet mask where the number after the "/" is the left most number of bits in the address that must match for the rule to apply. If this rule is database-specific, then determine if the SERVICE_NAME parameter is set: From SQL*PLUS: show parameter service_name; If SERVICE_NAME is set in the initialization file for the database instance, use (srv=[service name]), else, use (srv=*) if not set or rule applies to all databases on the DBMS server. If network address restriction is by an external device, confirm the device is configured in accordance with the System Security Plan specification for it. If it is not, this is a Finding.

Fix:


UNCLASSIFIED

10-202 V8R1.3 Mar 2009

Configure the database listener to restrict access by IP address. Where the number of addresses to allow is not feasible to define for the listener, use the Oracle Connection manager or an external device. See the Oracle Net Reference and Oracle Net Services Administrators Guides (release-specific) for information on configuring the listener or Connection Manager.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0103: CAT II) The DBA will ensure database and host system listeners that provide configuration of network restrictions are configured to restrict network connections to the database to authorized network addresses and protocols.


UNCLASSIFIED

10-203 V8R1.3 Mar 2009

10.20 DG0167: Encryption of DBMS sensitive data in transit

Description: Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. Check:

Review the System Security Plan to determine if any requirements to encrypt sensitive data are listed for network transmission of DBMS data. If no requirements are listed, this check is NA. If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification. It may be necessary to review network device configuration evidence or host communications configuration evidence. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.

Fix: Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan.



IA Control: ECCT Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0167: CAT I) The DBA will ensure database communications are encrypted when transmitting sensitive data across untrusted network segments and in accordance with the application requirements.


UNCLASSIFIED

10-204 V8R1.3 Mar 2009

10.21 DG0198: DBMS remote administration encryption

Description: Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it. Check:

Ask the DBA if the DBMS is accessed remotely for administration purposes. If it is not, this check is NA. Check DG0093 specifies remote administration encryption for confidentiality. This check should confirm the use of dedicated and encrypted network addresses and ports. Review configured network access interfaces for remote DBMS administration. These may be host-based encryptions such as IPSec or may be configured for the DBMS as part of the network communications and/or in the DBMS listening process. For DBMS listeners, verify that encrypted ports exist and are restricted to specific network addresses to access the DBMS. View the System Security Plan to review the authorized procedures and access for remote administration. If the configuration does not match the specifications in the System Security Plan, this is a Finding.

Fix: Disable remote administration where it is not required. Consider restricting administrative access to local connections only. Where necessary, configure the DBMS network communications to provide an encrypted, dedicated port for remote administration access. Develop and provide procedures for remote administrative access to DBAs that have been authorized for remote administration. Verify during audit reviews that DBAs do not access the database remotely except through the dedicated and encrypted port.



IA Control: EBRP Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0198: CAT II) The SA/DBA will ensure remote administration connections to the database are restricted to dedicated and encrypted network addresses and ports.


UNCLASSIFIED

10-205 V8R1.3 Mar 2009

10.22 DO0285: Oracle listener network port assignment

Description: Use of default ports is required in DoD networks to support network security device management. NOTE: This supersedes previous instruction for this check. Check:

If a listener is not running on the local database host server, this check is NA. Review the listener.ora file located by default in the ORACLE_HOME\network\admin directory or in the directory specified in the environment variable TNS_ADMIN defined for the listener process or service. View the "PORT=" parameter for any protocols defined. If any do not match an entry in the following list, then confirm that it is not a default or registered port for the service. If any non-default or non-registered ports are listed, this is a Finding. Default Oracle listener ports: 1521, 2483, 2484 and 1830 Default Connection Manager port: 1630 Registered ports MAY be listed at http://www.iana.org/assignments/port-numbers or in the DoD Ports, Protocols, and Services Category Assurance List (CAL).

Fix: Specify a default or registered port for TCP/IP protocols in the listener.ora file in the PORT= parameter of the address specification.



IA Control: DCPP Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0152: CAT II) The SA/DBA will ensure DBMS network communications comply with DoDI 8551.1 Ports, Protocols and Services Management.


UNCLASSIFIED

10-206 V8R1.3 Mar 2009

10.23 DO0286: Oracle connection timeout parameter

Description: The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT defines the limit the database listener and database server respectively will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a Denial-of-Service attack where multiple connection requests are made that are not used or closed from a client. Server resources can be exhausted if unused connections are maintained. Check:

Review the listener.ora file and the sqlnet.ora file. If the INBOUND_CONNECT_TIMEOUT_[listener-name] parameter does not exist for each listener found in the listener.ora and contain a value greater than 0, this is a Finding. If the SQLNET.INBOUND_CONNECT_TIMEOUT parameter does not exist in the sqlnet.ora and contain a value greater than 0, this is a Finding. NOTE: although the default value may provide adequate protection, assuming the default could lead to unanticipated changes in future product updates. Specify a value to manage the setting.

Fix: Using a text editor or administrative tool, modify the listener.ora file to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds): INBOUND_CONNECT_TIMEOUT_LISTENER = 2 Modify the sqlnet.ora file to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds): SQLNET.INBOUND_CONNECT_TIMEOUT = 3


UNCLASSIFIED

10-207 V8R1.3 Mar 2009



IA Control: ECLO Check Type: Manual


Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-208 V8R1.3 Mar 2009

10.24 DO0287: Oracle SQLNET.EXPIRE_TIME parameter

Description: The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency of active connection verification of a client connection. This prevents indefinite open connections to the database where client connections have not been terminated properly. Indefinite open connections could lead to an exhaustion of system resources or leave an open connection available for compromise. Check:

View the SQLNET.ORA file to verify if a SQLNET.EXPIRE_TIME has been set to the value greater than 0. If it does not exist or is set to 0, this is a Finding.

Fix: Using a text editor or administrative tool, modify the SQLNET.ORA file on the database host server to include a limit for connection request timeouts for the listener. Example entry (value unit is in seconds): SQLNET.EXPIRE_TIME=3 NOTE: Use the lowest number possible that does not generate so much network traffic that performance becomes unacceptable. The lower the number, the less likely an exhaustion of resources will occur. Set the value to the lowest number greater than 0 that is supported by the target system environment.



IA Control: ECLO Check Type: Manual


Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-209 V8R1.3 Mar 2009

10.25 DO3630: Oracle listener authentication

Description: Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs. Check:

If a listener is not running on the local database host server, this check is NA. NOTE: This check needs to be done only once per host system and once per listener. Multiple listeners may be defined on a single host system. They must all be reviewed, but need not be reviewed once per database review. For subsequent database home reviews on the same host system, mark this check as NA. Determine all Listeners running on the host. For Windows hosts, view all Windows services with TNSListener embedded in the service name - For 10.1 to 11.1 the service name format is: Oracle[ORACLE_HOME_NAME]TNSListener - For 9.2 and earlier the service name format is: [ORACLE_HOME_NAME]TNSListener For UNIX hosts, the Oracle Listener process will indicate the TNSLSNR executable At a command prompt, issue the command: ps -ef | grep -i tnslsnr | grep –v grep The alias for the listener follows tnslsnr in the command output. For Oracle versions 10.1 and later, you must be logged on the host system using the account that owns the tnslsnr executable (UNIX). If the account is denied local login, have the system SA assist you in this task by 'su' to the listener account from the root account. On Windows platforms, log in using an account with administrator privileges to complete the check. Listener versions 10.1 and later require the use of the listener control utility to access and configure the listener be restricted to users authenticated by the operating system. The listener "Security" setting displayed by the LSNRCTL STATUS command returns the current administration authentication setting. If listener administrative access authentication is set to a value other than Local OS authentication, this is a Finding.


UNCLASSIFIED

10-210 V8R1.3 Mar 2009

To view the listener administration authentication setting: - From a system command prompt, execute the listener control utility: lsnrctl NOTE: for listeners prior to version 10.1 that are password-protected, you will need to use the SET CURRENT_LISTENER command to access a listener with a name other than LISTENER, followed by the SET PASSWORD command and password entry in order to use the STATUS command. If you receive the error "TNS-01169: The listener has not recognized the password", then the listener is password-protected. At the LSNRCTL> prompt, enter: status [listener name] <Enter> If error messages are displayed, then the Listener is not running, is not configured properly, or the password must be provided. See NOTE below. Sample output: Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=net))) STATUS of the LISTENER ------------------------ Alias EXTOLS Version TNSLSNR for Linux: Version 10.2.0.4.0 - Production Start Date 10-JUN-2007 11:03:00 Uptime 40 days 3 hr. 35 min. 46 sec Trace Level user Security ON: Local OS Authentication SNMP OFF Listener Parameter File /oracle/network/admin/listener.ora Listener Log File /oracle/network/log/listener.log Listener Trace File /oracle/network/trace/listener.trc Listening Endpoints Summary... (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=net))) Services Summary... Service "ORCL" has 1 instance(s). Instance "ORCL", status UNKNOWN 1 handler(s) for this service... The command completed successfully -------------------------------- Review the results for the value of Security. If Security OFF is displayed, this is a Finding.


UNCLASSIFIED

10-211 V8R1.3 Mar 2009

If Security ON: Local OS Authentication is displayed, this is not a Finding (Oracle versions 10.1 and higher). If Security ON: Password or Local OS Authentication, this is a Finding (do not set a password on Oracle versions 10.1 and higher. Instead, use Local OS Authentication). Type exit, to exit the lsnrctl utility For listener versions earlier than 10.1: Review of the LISTENER.ORA file: Repeat for each listener listed in the LISTENER.ORA file and/or each listener_name. View the contents of the LISTENER.ORA file. Use the MORE command to view path/listener.ora where path/listener.ora is the value displayed from LSNRCTL above. Look for an entry beginning with PASSWORDS_[listener_name] where listener_name is the name of the listener. If no value is specified after the parameter, this is a Finding. If an unencrypted password is listed, this is a Finding. NOTE: listener passwords must meet all DoD requirements for passwords including complexity and 60-day renewal. The listener password is not an application password and must meet interactive user password requirements.

Fix: Configure the listener to use Local OS Authentication for Oracle versions 10.1 and higher. This setting prevents remote administration of the listener, restricts management to the Oracle listener owner account (UNIX) and accounts with administrator privileges (WIN). Remote administration of the listener should not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred. Authorize and document this requirement in the System Security Plan. Use the lsnrctl utility to set a password for the listener in Oracle versions that do not support Local OS authentication. See the Oracle Security Guide and Oracle Net Services Administrators Guides for detailed instruction on configuring a SSL


UNCLASSIFIED

10-212 V8R1.3 Mar 2009

connection. Use of Oracle Advanced Security is required as well as Oracle Internet Directory to support future DoD PKI requirements. To set a password on listener versions earlier than 10.1, do the following four steps from the LSNRCTL prompt: LSNRCTL> set password (enter the current password when prompted) LSNRCTL> change_password (enter the old and new passwords when prompted) LSNRCTL> set password (enter the new password when prompted) LSNRCTL> save_config





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0157: CAT II) The DBA will ensure remote administration of the database is not enabled or configured unless mission and/or operationally required and authorized by the IAO.


UNCLASSIFIED

10-213 V8R1.3 Mar 2009

10.26 DO6740: Oracle listener ADMIN_RESTRICTIONS parameter

Description: The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters available through the set command. This vulnerability has been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS parameter, set in the listener.ora file, prohibits dynamic listener configuration changes and protects the configuration using host operating system security controls. Check:

If a listener is not running on the local database host server, this check is NA. Use the LSNRCTL utility and issue the STATUS [listener-name] command to locate the listener.ora file. Open the listener.ora file in a text editor or viewer. Locate the line with ADMIN_RESTRICTIONS_[listener-name] = ON where listener-name is the alias of the listener supplied by the DBA. If no such line is found, this is a Finding. Repeat for each listener listed in the LISTENER.ORA file.

Fix: Edit the listener.ora file and add the following line for each listener in use on the system: ADMIN_RESTRICTIONS_[listener-name]=ON Restart the listener to activate the setting.





Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-214 V8R1.3 Mar 2009

10.27 DO6746: Oracle Listener host references

Description: The use of IP address in place of host names helps to protect against malicious corruption or spoofing of host names. Use of static IP addresses is considered more stable and reliable than use of hostnames or Fully Qualified Domain Names (FQDN). Check:

If a listener is not running on the local database host server, this check is NA. Review all listener.ora files for the HOST =. Verify the HOST = value specifies an IP address for all occurrences of the HOST = setting. Sample: (ADDRESS= (PROTOCOL=TCP) (HOST= [host IP address]) (PORT=1521)) If any addresses specify a host name in place of an IP or other network address, this is a Finding. NOTE: If a host name is used, ensure it can be locally resolved to an IP address on the DBMS system using a host table, however, if a hostname is used, it is still a Finding.

Fix: Edit the listener.ora file and replace any HOST= [hostname or domain name] to static IP addresses for the host. The listener.ora file is by default located in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable for the listener service or process owner account.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0103: CAT II) The DBA will ensure database and host system listeners that provide configuration of network restrictions are configured to restrict network connections to the database to authorized network addresses and protocols.


UNCLASSIFIED

10-215 V8R1.3 Mar 2009

10.28 DO6747: Connection Manager remote administration

Description: Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service. Check:

View the cman.ora file in the ORACLE_HOME/network/admin directory. If the file does not exist, the database is not accessed via Oracle Connection Manager and this check is NA. If the entry and value for REMOTE_ADMIN is not listed or is not set to a value of NO (REMOTE_ADMIN = NO), this is a Finding.

Fix: View the cman.ora file in the ORACLE_HOME/network/admin directory of the Connection Manager. Include the following line in the file: REMOTE_ADMIN=NO





Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-216 V8R1.3 Mar 2009

10.29 DO6751: SQLNET.ALLOWED_LOGON_VERSION

Description: Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls. Check:

If the database version is earlier than 10.1, this check is NA. View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the directory specified in the TNS_ADMIN environment variable. Locate the following entry: SQLNET.ALLOWED_LOGON_VERSION = 10 If the parameter does not exist nor is it set to match the value shown above, this is a Finding. NOTE: It has been reported that the there is an Oracle bug (6051243) that prevents connections to the DBMS using JDBC THIN drivers when this parameter is set. The fix is available as patch 6779501.

Fix: For Oracle database versions 10.1 and later, edit the SQLNET.ORA file to add or edit the entry: SQLNET.ALLOWED_LOGON_VERSION = 10



IA Control: VIVM Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0001: CAT I) The IAO will ensure unsupported DBMS software is removed or upgraded prior to a vendor dropping support.


UNCLASSIFIED

10-217 V8R1.3 Mar 2009

10.30 DG0005: DBMS administration OS accounts

Description: Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system. Check:

Review host system privileges assigned to the Oracle DBA group and all individual Oracle DBA accounts. NOTE: do not include the Oracle software installation account in any results for this check. For UNIX systems (as root): cat /etc/group | grep -i dba groups root If "root" is returned in the first list, this is a Finding. If any accounts listed in the first list are also listed in the second list, this is a Finding. Investigate any user account group memberships other than DBA or root groups that are returned by the following command (also as root): groups [dba user account] Replace [dba user account] with the user account name of each DBA account. If individual DBA accounts are assigned to groups that grant access or privileges for purposes other than DBA responsibilities, this is a Finding. For Windows Systems (click or select): Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_DBA Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Groups / ORA_[SID]_DBA (if present) NOTE: Users assigned DBA privileges on a Windows host are granted membership in the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA privileges to specific Oracle instances only. Make a note of each user listed. For each user (click or select): Start / Settings / Control Panel / Administrative Tools / Computer Management / Local Users and Groups / Users / [DBA user name] / Member of


UNCLASSIFIED

10-218 V8R1.3 Mar 2009

If DBA users belong to any groups other than DBA groups and the Windows Users group, this is a Finding. Examine User Rights assigned to DBA groups or group members: Start / Settings / Control Panel / Administrative Tools / Local Security Policy / Security Settings / Local Policies / User Rights Assignments If any User Rights are assigned directly to the DBA group(s) or DBA user accounts, this is a Finding.

Fix: Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration. Revoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts. Remove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts. Document all DBA group accounts and individual DBA account assigned privileges in the System Security Plan.



IA Control: ECLP Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0005: CAT II) The SA/DBA will ensure database administration OS accounts required for operation and maintenance of the DBMS are assigned the minimum OS privileges required by the specific DBMS to perform DBA functions.


UNCLASSIFIED

10-219 V8R1.3 Mar 2009

10.31 DO0120: Oracle process account host system privileges

Description: A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the process account can help contain access to other processes and host system resources. This can in turn help to limit any resulting malicious activity. Check:

Review the Oracle process/owner account. For UNIX Systems:

Log into the Oracle installation account and from a system prompt enter: groups If root is returned in the list, this is a Finding.

For Windows Systems:

Log in using an account with administrator privileges. Open the Services snap-in. If the OracleService* services are not assigned a custom created account used for the Oracle software installation (view the Log on As tab), this is a Finding. If the account is assigned group membership to other than the local administrator account and Oracle DBA groups, this is a Finding. View user rights assigned to the service accounts. If Deny Logon Locally is not assigned to all of the Oracle service accounts, this is a Finding. If the service account is a domain rather than local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups). If the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.

Fix:

Remove root privileges from the Oracle software owner account on UNIX systems. On Windows systems, restrict Oracle service accounts to local administrator and Oracle DBA privileges and assign the Deny Logon Locally user right.


UNCLASSIFIED

10-220 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0102: CAT II) The DBA will ensure each database service or process runs under a custom, dedicated OS account that is assigned the minimum privileges required for operation where applicable.


UNCLASSIFIED

10-221 V8R1.3 Mar 2009

10.32 DO0121: Oracle service and process dedicated accounts

Description: Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services. Check:

For UNIX Systems (enter at command prompt): ps ef | grep -i pmon | grep –v grep (all database processes) ps ef | grep -i tns | grep –v grep (all listener processes) ps ef | grep -i dbsnmp | grep –v grep (Oracle Intelligent Agents) Sample output (database processes): oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1 Sample output (listener processes): oratns 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER –inherit Sample output (listener processes): oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp In the above samples, the occurrence of “oracle” and "oratns” indicate the user account that owns the process If a listener is running on the local database host and the Oracle Listener account uses the same account as the Oracle Processes, this is a Finding. If a listener is not running on the local database host server, this check is NA.

For Windows Systems:

Log in using account with administrator privileges. Open the Services snap-in. Review the Oracle processes. The Oracle Listener process should be run (Log On As) by a dedicated OS account separate from that used for all other Oracle services. All other Oracle services should be run by a dedicated windows account (Oracle Owner account) and not as LocalSystem. If any Oracle service is run as LocalSystem, this is a Finding. If the Oracle Listener and Oracle service services share the same dedicated account, this is a Finding.

Fix:

Create and assign a custom account for the Oracle Listener. Create and assign a custom account for other Oracle services (Windows) or ensure Oracle Process Owner account is used (UNIX).


UNCLASSIFIED

10-222 V8R1.3 Mar 2009

The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account. Assign read-only permissions to the custom listener account in the ORACLE_HOME/network directory and ownership of listener configuration and log files to the listener accounts.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0102: CAT II) The DBA will ensure each database service or process runs under a custom, dedicated OS account that is assigned the minimum privileges required for operation where applicable.


UNCLASSIFIED

10-223 V8R1.3 Mar 2009

10.33 DO0279: Oracle software owner umask setting

Description: The UNIX umask sets the user file creation mask for files created or updated during process operations. If the umask setting is not set to the most secure and authorized setting, then Oracle data, log, and other critical files are not protected from unauthorized access. Check:

If the DBMS host system is not a UNIX system, this check is NA. Log in using the Oracle software owner account and enter the command: umask If the value returned is 022 or more restrictive, this is not a Finding. If the value returned is less restrictive than 022, this is a Finding. The first number sets the mask for user/owner file permissions. The second number sets the mask for group file permissions. The third number sets file permission mask for other users. The list below shows the available settings:

0 = read/write/execute 1 = read/write 2 = read/execute 3 = read 4 = write/execute 5 = write 6 = execute 7 = no permissions

Setting the umask to 022 effectively sets files for user/owner to read/write, group to read and other to read. Directories are set for user/owner to read/write/execute, group to read/execute and other to read/execute.

Fix: Set the umask of the Oracle software owner account to 022. Determine the shell being used for the Oracle software owner account: env | grep -i shell Startup files for each shell are as follows (located in users $HOME directory): C-Shell (CSH) = .cshrc Bourne Shell (SH) = .profile Korn Shell (KSH) = .kshrc


UNCLASSIFIED

10-224 V8R1.3 Mar 2009

TC Shell (TCS) = .tcshrc BASH Shell = .bash_profile or .bashrc Edit the shell startup file for the account and add or modify the line: umask 022 Log off and login, then enter the umask command to confirm the setting. NOTE: To effect this change for all Oracle processes, a reboot of the DBMS server may be required.



IA Control: DCSL Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0009: CAT II) The SA/DBA will ensure access to DBMS software is restricted to authorized OS accounts.


UNCLASSIFIED

10-225 V8R1.3 Mar 2009

10.34 DG0016: DBMS unused components

Description: Unused and/or unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. Check:

Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding. From Command Prompt: $ORACLE_HOME/OPatch/opatch lsinventory –detail | more (UNIX) %ORACLE_HOME%/OPatch/opatch lsinventory –detail | more (Windows) Data Mining Database Workspace Manager [Enterprise] Manager, Agent OR Intelligent Agent iSQL*Plus Configuration Manager Connection Manager interMedia Internet Directory LDAP Spatial Text Wallet Manager XML Development Sample SCHEMA HTTP Server NOTE: This list does not take into account product dependencies that when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Fix: Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, then include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, then uninstall them and remove any database SCHEMA, objects and applications that exclusively support them.


UNCLASSIFIED

10-226 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

10-227 V8R1.3 Mar 2009

10.35 DO6754: Oracle Configuration Manager

Description: Oracle Configuration Manager (OCM) is a function of the Oracle Software Configuration Manager (SCM). OCM collects system configuration data used for automated upload to systems owned and managed by Oracle to assist in providing customer support. The configuration information about the server that the OCM collects includes IP addresses, hostname, database username, location of datafiles, etc. Check:

NOTE: The collection does not include application or custom data within the database. If released to unauthorized persons, system configuration data may be used by malicious persons to gain additional unauthorized access to the database or other systems. On UNIX Systems: ls $ORACLE_HOME/ccr On Windows Systems (From Windows Explorer): Browse to the ORACLE_HOME directory. If the directory ORACLE_HOME\ccr does not exist, this is not a Finding. If the ccr directory exists, confirm if any of the Oracle databases have been configured for OCM: From SQL*Plus: select username from dba_users where username='ORACLE_OCM'; If the account exists, OCM has been installed (on this database) and is a Finding.

Fix: Remove Oracle Configuration Manager. Details for removal are provided in Oracle MetaLink Note 369111.1 or in MetaLink Note 728989.1 for a link to the OCM Installation and Administration Guide.



IA Control: ECAN Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0076: CAT II) The DBA will ensure sensitive application data exported from the database for import to remote databases or applications is not provided to personnel or applications not authorized or approved by the Information Owner.


UNCLASSIFIED

10-228 V8R1.3 Mar 2009

10.36 DG0104: DBMS service identification

Description: Network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections. Check:

Review the Oracle instance names on the DBMS host: On UNIX platforms: Solaris: cat /var/opt/oracle/oratab Other UNIX: cat /etc/oratab The format of lines in the oratab file is: sid:oracle_home_directory:Y or N The instance name is the sid. On Windows platforms: Go to Start / Administrative Tools / Services View service names that begin with "OracleService". The remainder of the service name is the instance name. Example: OracleServicesalesDB -- where salesDB is the instance name If instance names are listed and do not clearly identify the use of the instance or clearly differentiate individual instances, this is a Finding. An example of instance naming that meets the requirement: prdinv01 (Production Inventory Database #1), dvsales02 (Development Sales Database #2), orfindb1 (Oracle Financials Database #1). Examples of instance naming that do not meet the requirement: Instance1, MyInstance, orcl, 10gdb1 Interview the DBA to get an understanding of the naming scheme used to determine if the names are clear differentiations.

Fix: Follow the instructions in Oracle Doc ID: 15390.1 to change the SID without re-creating the database. Set the value so that it does not identify the Oracle version and clearly identifies its purpose.


UNCLASSIFIED

10-229 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0104: CAT III) The DBA will ensure all local and network-advertised named database services are uniquely and clearly identified.


UNCLASSIFIED

10-230 V8R1.3 Mar 2009

10.37 DG0106: Database data encryption configuration

Description: Access to sensitive data may not always be sufficiently protected by authorizations and require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access. Check:

Review the System Security Plan and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no sensitive data is present or encryption of sensitive data is not required by the Information Owner, this check is NA. Review the encryption configuration against the System Security Plan specification. If the specified encryption is not configured, this is a Finding.

Fix: Configure DBMS encryption features and functions as required by the System Security Plan. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0106: CAT II) The DBA will ensure security requirements specific to the use of the database are configured as identified in the System Security Plan.


UNCLASSIFIED

10-231 V8R1.3 Mar 2009

10.38 DO0280: Oracle external procedure access

Description: The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process. Check:

Review the System Security Plan to determine if the use of the external procedure agent is authorized. Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe (Windows). If external procedure agent is not authorized for use in the System Security Plan and the executable file exists, this is a Finding. If use of the external procedure agent is authorized, ensure extproc is restricted to execution of authorized applications. External jobs are run using the account nobody by default. Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and run_group=. If the user assigned to these parameters is not "nobody", this is a Finding.

For versions 11.1 and later:

NOTE: The external procedure agent (extproc executable) is available directly from the database and does not require definition in the listener.ora file for use. Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora. If the file does not exist, this is a Finding. If the following entry does not appear in the file, this is a Finding: EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:.. [dll full file name] represents a full path and file name. This list of file names is separated by ":". NOTE: If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a Finding. If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a Finding. If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a Finding.


UNCLASSIFIED

10-232 V8R1.3 Mar 2009

Ensure that EXTPROC is not accessible from the listener. Review the listener.ora file. If any entries reference "extproc", this is a Finding. NOTE: Bug 7560049 may cause external procedures in 11g not to work on certain platforms. Fix will be in Oracle 11g Release 2. If external procedures are required and you are experiencing this bug, then follow instructions for configuring external procedures for versions earlier than 11.1 and document as authorized in the System Security Plan.

For versions earlier than 11.1:

Determine if the external procedure agent is in use: Review the listener.ora file. If any entries reference "extproc", then the agent is in use. If external procedure agent is not authorized for use in the System Security Plan and references to "extproc" exist, this is a Finding. Sample listener.ora entries with extproc included: LISTENER = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521)) ) EXTLSNR = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)) ) SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (GLOBAL_DBNAME = ORCL) (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1) (SID_NAME = ORCL) ) ) SID_LIST_EXTLSNR = (SID_LIST = (SID_DESC = (PROGRAM = extproc) (SID_NAME = PLSExtProc) (ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1) (ENVS="EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so, LD_LIBRARY_PATH=/private/app2/lib:/private/app1, MYPATH=/usr/fso:/usr/local/packages") ) )


UNCLASSIFIED

10-233 V8R1.3 Mar 2009

Sample tnsnames.ora entries with extproc included: ORCL = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521)) ) (CONNECT_DATA = (SERVICE_NAME = ORCL) ) ) EXTPROC_CONNECTION_DATA = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = extproc)) ) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = PLSExtProc) ) )

If EXTPROC is in use, confirm that a listener is dedicated to serving the external procedure agent (as shown above). View the protocols configured for the listener. For the listener to be dedicated, the only entries will be to specify extproc. If there is not a dedicated listener in use for the external procedure agent, this is a Finding. If the PROTOCOL= specified is other than IPC, this is a Finding. Verify the dedicated listener uses an unprivileged account. View group memberships for the dedicated listener Windows service account or UNIX file owner account. If the account is a member of any DBA group or group that has been granted access other than read-only to the listener.ora file, the ORACLE_HOME/bin directory, and any directories that contain executables authorized for the agent to use, this is a Finding. Write access may be granted to a log file directory dedicated to use by this listener (no other listener logs or other files not used by the dedicated listener). The account requires only the user right to log in as a batch job on Windows. Verify and ensure extproc is restricted executing authorized external applications only and extproc is restricted to execution of authorized applications. Review the listener.ora file. If the following entry does not exist, this is a Finding: EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...


UNCLASSIFIED

10-234 V8R1.3 Mar 2009

NOTE: [dll full file name] represents a full path and file name. This list of file names is separated by ":". NOTE: If "ONLY" is specified, then the list is restricted to allow execution of only the DLLs specified in the list and is not a Finding. If "ANY" is specified, then there are no restrictions for execution except what is controlled by operating system permissions and is a Finding. If no specification is made, any files located in the %ORACLE_HOME%\bin directory on Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed (the default) and is a Finding. View the listener.ora file (usually in ORACLE_HOME/network/admin or directory specified by the TNS_ADMIN environment variable). If multiple listener processes are running, then the listener.ora file for each must be viewed. For each process, determine the directory specified in the ORACLE_HOME or TNS_ADMIN environment variable defined for the process account to locate the listener.ora file.

Fix:

If the use of external processes is required, then authorize and document the requirement in the System Security Plan. For versions 11.1 and later, if the external procedure agent must be accessible to the Oracle listener, then specify this and authorize it in the System Security Plan. If use of the Oracle External Procedure agent is not required, delete the Oracle extproc or extproc.exe executable. - Stop the Oracle Listener process - Remove all references to extproc in the listener.ora and tnsnames.ora files - Delete the extproc executable from the ORACLE_HOME/bin directory If required: - Restrict extproc execution to only authorized applications. Specify EXTPROC_DLLS=ONLY:[list of authorized DLLS] in the extproc.ora (11.1 only) and the listener.ora files - Create a separate, dedicated listener and process account for use by the external procedure agent - Use a minimally privileged account for extproc execution. Assign minimal privileges and permissions to the dedicated listener Windows service account or UNIX file owner account. The account requires: -- Read-only access to the listener.ora file (do not grant write privileges to this account) -- Execute access to the ORACLE_HOME/bin directory, and any directories that contain executables authorized for the agent to use -- Write access may be granted to a log file directory dedicated to use by this listener (no other listener logs or other files not used by the dedicated listener)


UNCLASSIFIED

10-235 V8R1.3 Mar 2009

-- The account requires the user right to log in as a service on Windows Please see the Oracle Net Services Administrators Guides, External Procedures section for detailed configuration information.



IA Control: DFCA Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0099: CAT II) The DBA will disable use of external procedures by the database unless mission and/or operationally required and documented in the AIS functional architecture documentation.


UNCLASSIFIED

10-236 V8R1.3 Mar 2009

10.39 DO5036: Oracle Net TRACE_LEVEL

Description: The network listener provided by Oracle may be subject to unauthorized access attempts to the database or the host system. Log files provide a means to detect and research suspicious or unauthorized connections. Check:

Review the listener.ora file. If the following line is not listed in the file nor is it set to one of the allowed values listed below, this is a Finding. TRACE_LEVEL_[listener-name] = Allowed Values: user OR 4 admin OR 6 support OR 16 NOTE: The lines below are optional and may add value to auditing and connection troubleshooting, but will generate a very large number of files. Set the following parameters to support troubleshooting or provide enhanced auditing provided there is a documented requirement to do so. Review the sqlnet.ora file. Add the following lines and restart the listener: TRACE_LEVEL_SERVER = server TRACE_FILE_SERVER = sqlnet TRACE_DIRECTORY_SERVER = [directory on a volume with enough free space] LOG_FILE_SERVER = sqlnet LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Fix:

Enable trace file logging for the Oracle Net listener and client. Add the following line to the listener.ora file and specify one of the allowed values listed, and then restart the listener service/process: TRACE_LEVEL_[listener-name] = Allowed Values: user OR 4 (provides minimal tracing information) admin OR 6 (provides medial tracing information) support OR 16 (provides maximum tracing information) Document this setting in the System Security Plan.


UNCLASSIFIED

10-237 V8R1.3 Mar 2009



IA Control: ECAR Check Type: Manual


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0141: CAT II) The DBA will ensure all database logons, account locking events, blocking or disabling of a database account or logon source location, or any attempt to circumvent access controls is audited.


UNCLASSIFIED

11-238 V8R1.3 Mar 2009

11. Oracle Home Verify Check Procedures

11.1 DG0051: Database job/batch queue monitoring

Description: Unauthorized users may bypass security mechanisms by submitting jobs to job queues managed by the database. These jobs run under a more privileged security context of the database or host system. These queues should be monitored regularly to detect any such unauthorized job submissions. Check:

The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility. From SQL*Plus: select value from v$parameter where name='job_queue_processes'; select value from all_scheduler_global_attribute where ATTRIBUTE_NAME='MAX_JOB_SLAVE_PROCESSES'; To understand the relationship between these settings, review:

http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/appendix_a003.htm

Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding. Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions. From SQL*Plus: select job, next_date, next_sec, failures, broken from dba_jobs; Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue. From SQL*Plus:

select owner, job_name, state, job_class, job_type, job_action from dba_scheduler_jobs;

Scheduled task execution history information is available from the DBA_SCHEDULER_JOB_LOG view. The following command shows a high-level view of scheduled task execution history.


UNCLASSIFIED

11-239 V8R1.3 Mar 2009

From SQL*Plus: select log_id, log_date, owner, job_name, status from dba_scheduler_job_log;

Fix:

Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions. Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead. Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions. For Oracle versions earlier than 10.1, use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.





Responsibility: DBA

Documentable: False


STIG Requirement: (DG0051: CAT II) The DBA will monitor database batch and job queues to ensure no unauthorized jobs are accessing the database.


UNCLASSIFIED

11-240 V8R1.3 Mar 2009

11.2 DG0090: Sensitive data identification and encryption

Description: Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing. Check:

If no data is identified as being sensitive or classified in the System Security Plan or if no sensitive or classified data is identified as requiring encryption by the Information Owner in the System Security Plan, this check is NA. Review sensitive data stored in the database as identified in the System Security Plan using select statements. Note in the System Security Plan if the data is encrypted by column or by transparent encryption. Transparent data encryption is available only in Oracle versions 10.2 and later using Oracle Advanced Security. If transparent data encryption is specified, then verify it is enabled. By data columns: From SQL*Plus (Oracle 10.2 and higher): select owner, table_name, column_name from dba_encrypted_columns; By tablespace: From SQL*Plus (Oracle 11.1 and higher): select tablespace_name from dba_tablespaces where encrypted='YES'; If columns within tables, tables and/or tablespaces listed in the System Security Plan are required to be encrypted transparently are not listed above, this is a Finding. If the DBMS products are used to encrypt data, view the sensitive data fields required to be encrypted using select statements. If any data is displayed in human-readable format, this is a Finding. NOTE: This check result may be marked not a Finding and the requirement of encryption in the database waived where the database has only database administrative accounts and application accounts that have a need-to-know to the data. This waiver does not preclude any requirement for encryption of the associated database data file (see DG0092).

Fix: Identify all sensitive data and the method to be used to encrypt specified sensitive data in the System Security Plan.


UNCLASSIFIED

11-241 V8R1.3 Mar 2009

Use NIAP evaluated third-party tools, FIPS-validated encryption modules within the application, or native DBMS features to encrypt sensitive or classified data stored in the database. Configure DBMS encryption features where specified to use FIPS 140-2 compliant algorithms. Oracle transparent data encryption (available in Oracle version 10.2 and later) requires Oracle Advanced Security. See the chapter on Transparent Data Encryption in the Oracle Database Advanced Security Guide Administrator's Guide for details on using and configuring transparent data encryption. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the Information Owner document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those without need-to-know access to the data. Developers should consider using a record-specific encryption method to protect individual records. For example, by employing the session username or other individualized element as part of the encryption key, then decryption of a data element is only possible by that user or other data accessible only by that user. Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by unauthorized users (without need-to-know).



IA Control: ECCR Check Type: Verify


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0090: CAT II) The IAO/DBA will ensure sensitive data is encrypted within the database where required by the Information Owner.


UNCLASSIFIED

11-242 V8R1.3 Mar 2009

11.3 DO0360: DBMS mid-tier application account access

Description: Database connections by mid-tier systems are not protected, encrypted and authenticated according to database, network and web requirements. Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ, or with the database and middle-tier system located in the DMZ. In cases where either or both systems are located in the DMZ, network communications between both systems must be encrypted. In all cases, the application account requires PKI authentication. IP address restriction to the backend database system, under a separate requirement, provides an additional level of protection. Check:

Review the System Security Plan for remote applications that access and use the database. If none of the applications accessing the database uses a single account for access by multiple persons or processes, this check is NA. Verify that the application account uses PKI authentication: From SQL*Plus:

select external_name from dba_users where username='[application user name]';

If the external_name indicates a directory name, then verify that the directory name is authenticated using PKI. You may require the DBA or directory server administrator to display the username definition in the directory service to you. If the external_name does not specify a certificate or PKI-authenticated user account, this is a Finding.

Fix: Configure PKI authentication to help protect access to the shared account. PKI authentication may be accomplished using Oracle Advanced Security on most platforms. On a Windows host, user authentication using PKI may be used with Active Directory or NTS authentication using the DoD CAC. On UNIX and other hosts, Oracle Advanced Security may used to authenticate via LDAP or SSL. The application may require storage of the authentication certificate in the Oracle Wallet or on a hardware security module (HSM) to authenticate. Please see the Oracle Security Guides and the Oracle Advanced Security Guides for instructions on configuring PKI authentication.


UNCLASSIFIED

11-243 V8R1.3 Mar 2009



IA Control: IAGA Check Type: Verify


Responsibility: IAO

Documentable: False




UNCLASSIFIED

11-244 V8R1.3 Mar 2009

11.4 DG0002: DBMS version upgrade plan

Description: Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities. Check:

From SQL*Plus: select substr(version,1,4) from v$instance; If the Oracle version is 10.2 or higher, this check is NA. If the Oracle version is less than 10.2, review evidence that Oracle Extended Support has been purchased for continued support. If Extended Support has not been purchased or proof of Oracle Extended Support is not documented, this is a Finding. If Extended Support will expire within 6 months, review evidence that an upgrade to a supported version or an extension for Oracle Extended Support is in progress. If it is not, this is a Finding. For any version where Extended Support ends within 6 months, review evidence than an upgrade to a supported version is in progress. If it is not, this is a Finding. Product: Oracle Database Highest Supported Version: 11.1 (See Oracle MetaLink Note 161818.1 for Oracle RDBMS Release support status) Product versions / Premier Support Ends / Extended Support Ends: 11.1.0.X / Aug 2012 / Aug 2015

10.2.0.X / Jul 2010 / Jul 2013

10.1.0.X / Jan 2009 / Jan 2012 (NOTE: 10.1.0.5 is terminal patch set)

9.2.0.X / Jul 2007 / Jul 2010 (NOTE: 9.2.0.8 is terminal patch set)

Fix:

Create and implement an upgrade/migration plan for obsolete or expiring Oracle versions. Use the table above as a guideline for Oracle version support. The cost of the version upgrade should be budgeted including any additional testing and development required supporting the version upgrade. A plan for testing the version upgrade should also be scheduled. Any other steps for the version upgrade should be included in the plan and the plan for the version upgrade should be scheduled for completion prior to expiration of the current Oracle database server product.


UNCLASSIFIED

11-245 V8R1.3 Mar 2009



IA Control: VIVM Check Type: Verify


Responsibility: IAO

Documentable: False


STIG Requirement: (DG0002: CAT I) The IAO will ensure the site has a formal migration plan for removing or upgrading DBMS systems 6 months prior to the date the vendor drops security patch support.


UNCLASSIFIED

11-246 V8R1.3 Mar 2009

11.5 DO6753: Oracle Application Express

Description: The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle database 11.1. Unauthorized application development can introduce a variety of vulnerabilities to the database. Check:

If the database is a shared development/production system, then confirm that Oracle Application Express is authorized for development use. If it is, this check is NA. From SQL*Plus: select count(*) from dba_users where username like 'FLOWS_%'; If the value returned is not 0, this is a Finding.

Fix: If this is a production system, remove Application Express using the instruction found in Oracle MetaLink Note 558340.1. For new installations, select custom installation and de-select Application Express from the selectable options if available.



IA Control: ECSD Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0017: CAT II) The DBA will ensure software development on a production system is separated through the use of separate and uniquely identified data and application file storage partitions and processes/services.


UNCLASSIFIED

11-247 V8R1.3 Mar 2009

11.6 DG0179: DBMS warning banner

Description: Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities. Check:

A warning banner displayed as a function of an Operating System or application login for applications that use the database makes this check NA for all supported versions of Oracle. For Oracle 11.1, view the sqlnet.ora file. If the following lines do not exist, this is a Finding (requires application code to display the warning banner, which is not covered in this check):

SEC_USER_AUDIT_ACTION_BANNER = path/filename with banner text SEC_USER_UNAUTHORIZED_ACCESS_BANNER = path/filename with banner text

For other supported versions of Oracle, this requirement can be fulfilled programmatically and is not covered in this check; however, if required and not performed, this is a Finding. For Oracle 11.1, view the files specified. If they do not contain the following text as written below, this is a Finding:

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS.


UNCLASSIFIED

11-248 V8R1.3 Mar 2009

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

OK

[B. For Blackberries and other PDAs/PEDs with severe character limitations:] I've read & consent to terms in IS user agreem't.

This User Agreement conforms to DoD Standard Notice and Consent Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.

Fix: For Oracle database versions 11.1 and later, add the following lines to the sqlnet.ora file: SEC_USER_AUDIT_ACTION_BANNER = [banner file] SEC_USER_UNAUTHORIZED_ACCESS_BANNER = [banner file] Replace [banner file] with the path and file name to a TEXT file containing the banner text as shown above. NOTE: Defining these parameters and this text makes the banner available to applications. It is not displayed unless the application is designed to display the text using OCI calls. For all versions of Oracle, this requirement can be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the Oracle DBMS. Mark this check as a Finding if the display of a warning banner (not necessarily this specific warning banner) cannot be confirmed. The banner text listed in the Check section above supersedes that referenced in the STIG requirement below.


UNCLASSIFIED

11-249 V8R1.3 Mar 2009



IA Control: ECWM Check Type: Verify


Responsibility: DBA

Documentable: False


STIG Requirement: (DG0179: CAT II) Where available, the DBA will ensure the DBMS is configured to display a warning message upon interactive user connection to the DBMS that complies with Chairman of the Joint Chiefs of Staff Memorandum (CJCSM) 6510.01 Defense in Depth: Information Assurance (IA) and Computer Network Defense (CND), current as of 14 August 2006. This requirement may be fulfilled where the database user receives the warning message when authenticating or connecting to a front-end system that includes or covers the DBMS.


UNCLASSIFIED

11-250 V8R1.3 Mar 2009

11.7 DO0430: Oracle management agent use

Description: The Oracle Management Agent (Oracle Intelligent Agent in earlier versions) provides the mechanism for local and/or remote management of the local Oracle Database by Oracle Enterprise Manager or other SNMP management platforms. Because it provides access to operating system and database functions, it should be disabled if not in use. Check:

Determine if the Oracle Management Agent is enabled: From SQL*Plus: select username, account_status from dba_users where lower(username)='dbsnmp'; If no rows are returned, this is not a Finding. If the DBSNMP account exists and the account_status is OPEN, then verify in the System Security Plan that operation and use of the Oracle Enterprise Manager Management Agent or another SNMP management program is documented and authorized. If it is not documented in the System Security Plan as being required, this is a Finding. If the DBSNMP account exists and the account_status is not OPEN, schedule the FIX action below then mark as not a Finding. Despite any justification or authorization, if a Management Agent is installed on a server that is in a DMZ and Internet facing, this is a Finding.

Fix: Use the ORACLE_HOME/rdbms/admin/catnsnmp.sql script to remove all Oracle SNMP management agent objects in the database. Delete the executable file ORACLE_HOME/bin/dbsnmp or dbsnmp.exe if it exists from any Oracle Home not authorized for SNMP management. Uninstall any SNMP management agents installed on Oracle database servers installed in a DMZ that serve applications to Internet users. Uninstall any SNMP management agents that have not been authorized and documented in the System Security Plan. Document any authorized use of the SNMP management agent on database servers that do not support Internet applications in a DMZ in the System Security Plan. NOTE: Removal of SNMP management objects will prevent the ability to generate database statistics within Oracle Enterprise Manager.


UNCLASSIFIED

11-251 V8R1.3 Mar 2009





Responsibility: DBA

Documentable: False




UNCLASSIFIED

12-252 V8R1.3 Mar 2009

12. Appendix A – IAVM Bulletin Compliance

As of this date, IAVM compliance for Oracle-related notices are maintained in the UNIX, Windows, and other operating system host STIGs. Please refer to those STIGs for IAVM compliance information on Oracle products.


UNCLASSIFIED

13-253 V8R1.3 Mar 2009

13. Appendix B – Record of Changes

This is a new checklist based on the Database STIG V8R1. Changes to previous STIG IDs and additions are listed below:

Added: Removed: DG0003 DG0096 DG0166 DG0018 DG0005 DG0097 DG0167 DG0065 DG0012 DG0100 DG0172 DG0073 DG0013 DG0103 DG0175 DG0094 DG0020 DG0104 DG0176 DO0276 DG0025 DG0106 DG0179 DO0291 DG0031 DG0107 DG0186 DO0370 DG0041 DG0108 DG0187 DO0410 DG0042 DG0109 DG0194 DO3621 DG0054 DG0110 DG0195 DO3673 DG0064 DG0112 DG0198 DG0069 DG0117 DO0233 DG0071 DG0118 DO5036 DG0072 DG0127 DO6746 DG0074 DG0133 DO6747 DG0076 DG0135 DO6748 DG0083 DG0138 DO6749 DG0086 DG0140 DO6750 DG0087 DG0154 DO6751 DG0088 DG0159 DO6752 DG0089 DG0161 DO6753 DG0090 DG0165 DO6754 DG0092

Many checks that were removed were consolidated under other checks.


UNCLASSIFIED

14-254 V8R1.3 Mar 2009

14. Appendix C – VMS SRR Process Guide for Oracle DB Server

14.1 VMS Terminology

Following is a list of VMS terms and how they are used within these instructions. Asset – This is the host system for the DBMS being reviewed. It is typically defined using the domain\computer name, the IP address and/or the MAC address. Installation Posture – This is the DBMS instance or installation as defined in VMS for the DBMS under review. It is defined as a VMS posture on the host asset. For Oracle database Servers, the installation posture is referred to as an Oracle Home and the name assigned to the Oracle Home at installation time is referred to as the Oracle Home Name. It is recommended that the Oracle Home Name as identified on the host be used also to identify the Oracle Home within VMS. Database Posture – This database as defined in VMS exists within the DBMS under review. It is defined as a VMS posture on the host asset. An Oracle database posture is a single occurrence of an Oracle database instance associated with the Oracle Home (there could be more than one Oracle instance per Oracle Home). VMS requires that each database posture include a reference to a DBMS instance or installation. The Oracle Home posture must be defined prior to the creation of the database posture. Target – The word “target” is used within an SRR script XML import file to designate a specific installation or database posture assigned to an asset defined in VMS. (XML import files are not available for generic DBMS reviews.) Compliance or “Finding” results included in the XML import file update the status of the security item within VMS for the “target” database/installation posture. Typically, installation “targets” must include the DBMS installation name to update the vulnerability statuses of the installation under review. Database “targets” must include the both the installation posture identifier as well as the database name to correctly update the vulnerability status for the database under review. Element - The word “element” is used within a VMS XML import file to create an installation or database posture for the asset specified in the same import file. The DBMS installation element must include the DBMS installation identifier. The DBMS database element must include the database identifier and reference the DBMS installation identifier. Vulnerability – The word “vulnerability” is an item of security significance in VMS. Vulnerabilities are assigned directly to assets or to the asset’s postures. DBMS vulnerabilities are assigned to installation and database postures defined for an asset. Identifier - The identifier is a name assigned to the database posture. It is recommended that the database identifier match and DBMS database name configured for the DBMS.


UNCLASSIFIED

14-255 V8R1.3 Mar 2009

Parent Identifier – In the case of DBMS postures/targets, a parent identifier exists only for databases. The parent identifier is the DBMS installation identifier that supports the database being identified. This indicates a “dependent relationship” of the database to the instance.

14.2 Database VMS Maintenance

Identify the VMS DBMS Host Asset and DBMS postures Each DBMS to be tracked within VMS requires assignment to a host asset. The host asset is identified by name, IP address and MAC address. The host asset, operating system and database postures must be created before entering SRR results into VMS. As mentioned above under VMS terminology, each DBMS defined within VMS requires a minimum of two posture definitions. These postures are the DBMS installation and DBMS database postures. Two postures are necessary to provide the level of granularity required for tracking vulnerabilities. For example, vulnerabilities defined at the installation level (e.g., file permissions) occur only once per installation. Vulnerabilities defined at the database level (e.g., database role membership) occur once per defined database. VMS requires that an identifier be defined for each of the DBMS postures. When you create generic database postures, make sure that you assign the correct installation identifier. NOTE: For the import to work correctly, the Oracle Home ([SID]-dbsrr-itf-I.xml) file must be imported before the Oracle Database file. This is required to assign the Oracle Database to Oracle Home database postures correctly. If the Oracle Home database posture is not created first, the database XML import file will fail. When you are creating DBMS database postures, specify the same database identifier as defined within the DBMS. Database postures must also include the DBMS installation name as the “parent identifier” to identify the database as belonging to a specific installation. To view/confirm the DBMS host asset and confirm/create DBMS postures: 1. Collect from the database host system, the following information:

− All IP and MAC addresses defined for the host (ipconfig /all for Windows; ifconfig –a for UNIX)

− Host name (%computername% for Windows; hostname for UNIX)

2. In VMS, select the host asset supporting the DBMS

− For System Administrators:


UNCLASSIFIED

14-256 V8R1.3 Mar 2009

o From the left navigation frame on VMS 6, expand Asset Finding Maint[enance]

o From the expanded list, select Assets / Findings o Under Navigation on the Asset and Finding Maintenance screen,

expand By Location, expand the location where the asset resides, expand Computing, and select the asset where the DBMS is installed

− For Reviewers: o From the left navigation frame on VMS 6, expand Asset Finding

Maint[enance] o From the expanded list, select Assets / Findings o Under Navigation on the Asset and Finding Maintenance screen,

expand Visit, expand the location where the asset resides, expand Computing, and select the asset where the DBMS is installed

3. Verify the host name (under the General tab) matches the data collected 4. Verify the IP Address (under the Asset Identification tab) matches the data collected 5. Verify the MAC Address (under the Asset Identification tab) matches the data

collected 6. Select the Asset Posture tab 7. Verify that the appropriate Operating System has been selected 8. Under Selected, expand the asset name, expand Application, expand Database,

expand Oracle, expand or select Oracle Home or Oracle Database 9. View/note any product version and identifiers (in parentheses to the right of the

version) 10. To add an Oracle Home posture to the Asset posture:

− Follow steps 6 and 7 under Available

− Expand Oracle Home Installation, select the Oracle Home version number and click the >> button to move the selections under Selected

− When prompted for an identifier, enter the Oracle Home name

− Save the posture (until the Oracle Home postures is saved, database posture creations assigned to this Oracle Home will fail)

11. To add an Oracle Database posture to the Asset posture:

− Follow steps 6 and 8 under Available

− Expand Oracle Database, select the Oracle Database version and click the >> button to move the selections under Selected

− When prompted for a parent identifier, enter the Oracle Home name

− When prompted for an identifier, enter the Oracle database name; or click on the add hyperlink icon to add the identifier, and enter the Oracle database name

− Repeat for each database defined for the Oracle Home

− Save the posture (Click on the Save icon in the middle of the bottom of the screen)


UNCLASSIFIED

14-257 V8R1.3 Mar 2009

Importing results produced by the automated scripts.

The SRR script for Oracle produces two XML files: one contains the security review results for the Oracle Home ([SID]-dbsrr-itf-I.xml) and the Oracle Database ([SID]-dbsrr-itf-D.xml). The files include data that identifies the Oracle asset and the Oracle VMS postures if postures for the specified database or home already exist. To import an XML file, complete the following: 1. In the left navigation frame, expand Asset Finding Maint. 2. Select FSO Tool Import 3. Click on the Reviewer or System Admin button 4. For System Admin:

a. Select the site where the database host asset is registered and click the Submit button

b. Enter the path and filename of the script results xml file to be imported or click the Browse… button to navigate to the XML files being imported

c. Click on the Submit button d. If the results will not import or do not import all findings, Print or save the

resulting screen and see the troubleshooting section later in this document e. Manually review vulnerability statuses to ensure the results were correctly and

completely imported. Any vulnerability displaying a Not Reviewed (NR) status requires a manual review

5. For Reviewer: a. Select the Visit to update b. Select the Asset posture under Summary c. Select the organization d. Select the Asset Type e. Next to the Computing folder, click on the blue XML arrow f. Enter the path and filename of the script results xml file to be imported or

click the Browse… button to navigate to the XML files being imported g. Click on the Submit button h. If the results will not import or do not import all findings, Print or save the

resulting screen and see the troubleshooting section later in this document i. Manually review vulnerability statuses to ensure the results were correctly and

completely imported. Any vulnerability displaying a Not Reviewed (NR) status requires a manual review

NOTE: VMS 6 imports finding data for all check results. The reviewer may want to consider completing a manual review of checks with a status of NR prior to import to determine if some findings are Open and the finding status in the XML file marked accordingly, i.e. <FINDING_STATUS>NR</FINDING_STATUS>, in order to preserve the additional data provided by the script. The XML file may be edited with any text editor. Special care should be taken when editing the XML file to prevent the introduction of XML format errors that would prevent the script from importing successfully.


UNCLASSIFIED

14-258 V8R1.3 Mar 2009

Manually entering review results into VMS (For System Administrators):

− From the left navigation frame on VMS 6, expand Asset Finding Maint.

− From the expanded list, select Assets / Findings

− System Administrators: Under Navigation expand By Location

− Reviewers: Under Navigation expand Visit

− Expand the location where the asset resides

− Expand Computing

− Expand the asset where the target database is installed

− Expand the database engine or installation

− For each vulnerability listed, select the vulnerability and enter the review results, and click Save


UNCLASSIFIED

15-259 V8R1.3 Mar 2009

15. Appendix D – VMS KEY and STIGID Cross Reference and Index

Sort By VMS Key Sort by STIGID

VMS Key STIGID Page STIGID VMS Key Page

V0002420 DG0010 9-143 DG0002 V0004758 11-244

V0002422 DG0040 9-172 DG0003 V0005659 8-138

V0002423 DG0050 9-148 DG0005 V0006756 10-217

V0002424 DG0060 6-76 DG0010 V0002420 9-143

V0002507 DG0030 5-67 DG0011 V0003726 9-144

V0002508 DG0070 6-77 DG0012 V0004754 10-184

V0002509 DO0100 8-141 DG0013 V0015126 9-145

V0002511 DO0140 5-73 DG0015 V0003727 7-97

V0002512 DO0150 7-104 DG0016 V0003728 10-225

V0002513 DO0160 7-119 DG0017 V0003803 10-175

V0002514 DO0170 4-36 DG0019 V0003805 10-185

V0002515 DO0190 7-106 DG0020 V0015129 9-147

V0002516 DO0210 7-121 DG0021 V0003806 10-177

V0002517 DO0220 7-133 DG0025 V0015610 10-197

V0002519 DO0240 4-8 DG0030 V0002507 5-67

V0002520 DO0250 7-135 DG0031 V0015133 5-74

V0002521 DO0260 7-136 DG0040 V0002422 9-172

V0002522 DO0270 4-62 DG0041 V0015110 9-173

V0002523 DO3413 4-12 DG0042 V0015111 9-174

V0002527 DO3440 7-112 DG0050 V0002423 9-148

V0002529 DO3445 4-44 DG0051 V0003808 11-238

V0002530 DO3446 7-110 DG0052 V0003807 10-178

V0002531 DO3447 4-13 DG0053 V0003809 9-150

V0002533 DO3451 4-28 DG0054 V0015611 10-179

V0002537 DO3473 4-31 DG0060 V0002424 6-76

V0002539 DO3475 4-32 DG0064 V0015120 9-170

V0002541 DO3487 4-52 DG0066 V0003811 9-151

V0002543 DO3504 4-54 DG0067 V0003812 9-152

V0002552 DO3536 7-124 DG0068 V0003813 9-153

V0002553 DO3537 4-60 DG0069 V0015140 9-154

V0002554 DO3538 4-14 DG0070 V0002508 6-77

V0002555 DO3539 4-15 DG0071 V0003815 7-113

V0002556 DO3540 4-16 DG0072 V0015612 7-115

V0002558 DO3546 4-17 DG0074 V0015130 5-72

V0002559 DO3547 4-18 DG0075 V0003818 7-127

V0002561 DO3609 4-29 DG0076 V0003819 5-68

V0002562 DO3610 4-63 DG0077 V0003820 7-102

V0002564 DO3612 4-30 DG0080 V0003821 5-69

V0002574 DO3622 7-101 DG0083 V0015102 9-155

V0002586 DO3685 4-19 DG0086 V0015106 9-156

V0002587 DO3686 4-34 DG0087 V0015616 7-129

V0002589 DO3689 4-35 DG0088 V0015112 9-157

V0002592 DO3692 4-65 DG0089 V0015114 6-78

V0002593 DO3696 4-20 DG0090 V0015131 11-240


UNCLASSIFIED

15-260 V8R1.3 Mar 2009



V0002595 DO3698 4-21 DG0091 V0003823 7-130

V0002596 DO3709 4-39 DG0092 V0015132 10-187

V0002607 DO3847 10-191 DG0093 V0003825 10-199

V0002608 DO3630 10-209 DG0095 V0003827 9-158

V0002609 DO3485 7-122 DG0096 V0015138 9-159

V0002612 DO5037 10-192 DG0097 V0015139 9-160

V0002841 DO0280 10-231 DG0100 V0015619 6-79

V0003436 DO0310 7-108 DG0103 V0015621 10-201

V0003437 DO0320 4-38 DG0104 V0015622 10-228

V0003438 DO0340 7-111 DG0106 V0015143 10-230

V0003439 DO0350 7-99 DG0107 V0015144 9-161

V0003440 DO0360 11-242 DG0108 V0015145 9-162

V0003442 DO0380 7-126 DG0109 V0015146 10-180

V0003444 DO0400 4-42 DG0110 V0015179 9-163

V0003497 DO6740 10-213 DG0112 V0015623 7-94

V0003726 DG0011 9-144 DG0117 V0015627 4-26

V0003727 DG0015 7-97 DG0118 V0015127 9-171

V0003728 DG0016 10-225 DG0127 V0015634 7-117

V0003803 DG0017 10-175 DG0133 V0015639 4-41

V0003805 DG0019 10-185 DG0135 V0015641 5-75

V0003806 DG0021 10-177 DG0138 V0015642 5-71

V0003807 DG0052 10-178 DG0140 V0015643 10-195

V0003808 DG0051 11-238 DG0154 V0015150 9-164

V0003809 DG0053 9-150 DG0159 V0015118 9-165

V0003811 DG0066 9-151 DG0161 V0015103 9-166

V0003812 DG0067 9-152 DG0165 V0015654 5-70

V0003813 DG0068 9-153 DG0166 V0015142 7-80

V0003815 DG0071 7-113 DG0167 V0015104 10-203

V0003818 DG0075 7-127 DG0172 V0015657 7-132

V0003819 DG0076 5-68 DG0175 V0015116 10-182

V0003820 DG0077 7-102 DG0176 V0015117 10-183

V0003821 DG0080 5-69 DG0179 V0015658 11-247

V0003823 DG0091 7-130 DG0186 V0015122 9-167

V0003825 DG0093 10-199 DG0187 V0015121 9-168

V0003827 DG0095 9-158 DG0194 V0015108 9-169

V0003842 DO0120 10-219 DG0195 V0015109 10-188

V0003843 DO0121 10-221 DG0198 V0015662 10-204

V0003844 DO0133 10-189 DO0100 V0002509 8-141

V0003845 DO0145 10-196 DO0120 V0003842 10-219

V0003846 DO0155 4-27 DO0121 V0003843 10-221

V0003847 DO0157 7-98 DO0133 V0003844 10-189

V0003848 DO0221 7-134 DO0140 V0002511 5-73

V0003849 DO0231 7-107 DO0145 V0003845 10-196

V0003850 DO0234 7-84 DO0150 V0002512 7-104

V0003851 DO0235 7-86 DO0155 V0003846 4-27

V0003852 DO0236 7-88 DO0157 V0003847 7-98

V0003853 DO0237 7-90 DO0160 V0002513 7-119

V0003854 DO0238 7-92 DO0170 V0002514 4-36


UNCLASSIFIED

15-261 V8R1.3 Mar 2009



V0003855 DO0241 4-9 DO0190 V0002515 7-106

V0003856 DO0242 4-10 DO0210 V0002516 7-121

V0003857 DO0243 4-11 DO0220 V0002517 7-133

V0003858 DO0275 7-95 DO0221 V0003848 7-134

V0003860 DO0279 10-223 DO0231 V0003849 7-107

V0003861 DO0285 10-205 DO0233 V0015747 7-82

V0003862 DO0286 10-206 DO0234 V0003850 7-84

V0003863 DO0287 10-208 DO0235 V0003851 7-86

V0003865 DO0420 7-137 DO0236 V0003852 7-88

V0003866 DO0430 11-250 DO0237 V0003853 7-90

V0004754 DG0012 10-184 DO0238 V0003854 7-92

V0004758 DG0002 11-244 DO0240 V0002519 4-8

V0005659 DG0003 8-138 DO0241 V0003855 4-9

V0006756 DG0005 10-217 DO0242 V0003856 4-10

V0015102 DG0083 9-155 DO0243 V0003857 4-11

V0015103 DG0161 9-166 DO0250 V0002520 7-135

V0015104 DG0167 10-203 DO0260 V0002521 7-136

V0015106 DG0086 9-156 DO0270 V0002522 4-62

V0015108 DG0194 9-169 DO0275 V0003858 7-95

V0015109 DG0195 10-188 DO0279 V0003860 10-223

V0015110 DG0041 9-173 DO0280 V0002841 10-231

V0015111 DG0042 9-174 DO0285 V0003861 10-205

V0015112 DG0088 9-157 DO0286 V0003862 10-206

V0015114 DG0089 6-78 DO0287 V0003863 10-208

V0015116 DG0175 10-182 DO0310 V0003436 7-108

V0015117 DG0176 10-183 DO0320 V0003437 4-38

V0015118 DG0159 9-165 DO0340 V0003438 7-111

V0015120 DG0064 9-170 DO0350 V0003439 7-99

V0015121 DG0187 9-168 DO0360 V0003440 11-242

V0015122 DG0186 9-167 DO0380 V0003442 7-126

V0015126 DG0013 9-145 DO0400 V0003444 4-42

V0015127 DG0118 9-171 DO0420 V0003865 7-137

V0015129 DG0020 9-147 DO0430 V0003866 11-250

V0015130 DG0074 5-72 DO3413 V0002523 4-12

V0015131 DG0090 11-240 DO3440 V0002527 7-112

V0015132 DG0092 10-187 DO3445 V0002529 4-44

V0015133 DG0031 5-74 DO3446 V0002530 7-110

V0015138 DG0096 9-159 DO3447 V0002531 4-13

V0015139 DG0097 9-160 DO3451 V0002533 4-28

V0015140 DG0069 9-154 DO3473 V0002537 4-31

V0015142 DG0166 7-80 DO3475 V0002539 4-32

V0015143 DG0106 10-230 DO3485 V0002609 7-122

V0015144 DG0107 9-161 DO3487 V0002541 4-52

V0015145 DG0108 9-162 DO3504 V0002543 4-54

V0015146 DG0109 10-180 DO3536 V0002552 7-124

V0015150 DG0154 9-164 DO3537 V0002553 4-60

V0015179 DG0110 9-163 DO3538 V0002554 4-14

V0015610 DG0025 10-197 DO3539 V0002555 4-15


UNCLASSIFIED

15-262 V8R1.3 Mar 2009



V0015611 DG0054 10-179 DO3540 V0002556 4-16

V0015612 DG0072 7-115 DO3546 V0002558 4-17

V0015616 DG0087 7-129 DO3547 V0002559 4-18

V0015619 DG0100 6-79 DO3609 V0002561 4-29

V0015621 DG0103 10-201 DO3610 V0002562 4-63

V0015622 DG0104 10-228 DO3612 V0002564 4-30

V0015623 DG0112 7-94 DO3622 V0002574 7-101

V0015627 DG0117 4-26 DO3630 V0002608 10-209

V0015634 DG0127 7-117 DO3685 V0002586 4-19

V0015639 DG0133 4-41 DO3686 V0002587 4-34

V0015641 DG0135 5-75 DO3689 V0002589 4-35

V0015642 DG0138 5-71 DO3692 V0002592 4-65

V0015643 DG0140 10-195 DO3696 V0002593 4-20

V0015654 DG0165 5-70 DO3698 V0002595 4-21

V0015657 DG0172 7-132 DO3709 V0002596 4-39

V0015658 DG0179 11-247 DO3847 V0002607 10-191

V0015662 DG0198 10-204 DO5036 V0016049 10-236

V0015747 DO0233 7-82 DO5037 V0002612 10-192

V0016031 DO6746 10-214 DO6740 V0003497 10-213

V0016032 DO6747 10-215 DO6746 V0016031 10-214

V0016033 DO6748 4-22 DO6747 V0016032 10-215

V0016035 DO6749 4-23 DO6748 V0016033 4-22

V0016049 DO5036 10-236 DO6749 V0016035 4-23

V0016053 DO6750 4-24 DO6750 V0016053 4-24

V0016054 DO6752 4-25 DO6751 V0016057 10-216

V0016055 DO6753 11-246 DO6752 V0016054 4-25

V0016056 DO6754 10-227 DO6753 V0016055 11-246

V0016057 DO6751 10-216 DO6754 V0016056 10-227


UNCLASSIFIED

16-263 V8R1.3 Mar 2009

16. Appendix E – STIG STIGID / Checklist Discrepancy List

Below is a list of general requirements listed in the Database STIG that are not directly addressed in this checklist. The Database STIG provides general guidance for all database management systems and may not relate well to a single configuration or documentation requirement for a specific product.

Database STIG Requirement Disposition

(DG0065: CAT II) The IAO will ensure a DoD

PKI class 3 or 4 certificate and an approved

hardware security token (DoD CAC for DoD

employees or contractors) or an NSA-certified

product is used for identification and

authentication to the database.

This is not currently included due to the complexity and variety of implementation. It is, however, still required but not enforced until procedures for verification can be determined.

(DG0073: CAT II) The DBA will configure the

DBMS to lock database accounts after three or

an IAO-specified number of consecutive

unsuccessful connection attempts within a 60-

minute period. The counter may be reset to 0 if a

third failed logon attempt does not occur before

reset. Where this requirement is not compatible

with the operation of a front-end application, the

unsuccessful logon count and time will be

specified and the operational need documented

in the System Security Plan.

This is included under check DO3537.

(DG0084: CAT III) The DBA will ensure DBMS

resource controls are enabled to clear residual

data from released object stores.

This feature is not configurable in Oracle. It is included by default.

(DG0101: CAT II) The DBA will ensure OS

accounts used for execution of external database

procedures have the minimum OS privileges

required assigned to them.



DBMS to use only authorized software, data files,

or other critical files during recovery.

This is not configurable under Oracle.

(DG0120: CAT II) The DBA will ensure database

application user roles are not granted

unauthorized access to external database objects.


(DG0124: CAT II) The IAO will ensure

privileged database accounts are used only for

privileged database job functions. The IAO will

ensure non-privileged database accounts are

used to perform non-privileged job functions.



UNCLASSIFIED

16-264 V8R1.3 Mar 2009


DG0130: CAT II) The DBA/IAO will ensure

database account passwords are not stored in

batch jobs or application source code.


(DG0131: CAT III) The DBA will change or

delete default account usernames where

supported.

Oracle does not support changing default user names.

(DG0145: CAT II) The DBA will ensure audit

records contain the user ID, date and time of the

audited event, and the type of the event

This is included under the Oracle audit configuration checks.

(DG0146: CAT II) The DBA will ensure audit

records include the reason for any blocking or

blacklisting of database accounts or connection

source locations.


(DG0151: CAT II) The SA/DBA will ensure

random port assignment to network connections

is disabled when traversing network firewalls.

This is included under DO0285.

(DG0155: CAT II) The DBA will ensure all

applicable DBMS settings are configured to use

trusted files, functions, features, or other

components during startup, shutdown, aborts or

other unplanned interruptions.

This is not configurable under Oracle.

(DG0156: CAT III) The IAM will assign and

authorize IAO responsibilities for the DBMS.

This is checked under an Enclave review. The IAM is not expected to be available for a DB review.

(DG0158: CAT II) The DBA will configure

auditing of all actions taken by database

administrators during remote sessions.


(DG0160: CAT III) The DBA will ensure

database connection attempts are limited to a

specific number of times within a specific time as

specified in the System Security Plan. The limit

will not be set to unlimited.

This is covered under separate Oracle checks.


DBMS to enable transaction rollback and

transaction journaling or their technical

equivalent to maintain data consistency and

recovery during operational cancellations,

failures, or other interruptions.

This is not configurable in Oracle and is operational by default.

(DG0171: CAT II) The DBA will ensure

interconnections between databases or other

applications operating at different classification

levels are identified and their communications

configured to comply with the interface controls

specified in the System Security Plan.

This is included under check DG0075.


UNCLASSIFIED

16-265 V8R1.3 Mar 2009


(DG0190: CAT II) The DBA will ensure use of

credentials used to access remote databases or

other applications are restricted to authorized

database accounts and used only for mission

and/or operationally required and documented

purposes.


(DG0193: CAT II) The DBA will set expiration

times for non-interactive database application

account passwords to 365 days or less where

supported by the DBMS.


Updated by: Stephen W. Price, CISSP on 15 April 2009