Database Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The DBMS must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and require...
Rule High Severity -
SRG-APP-000172
Group -
If passwords are used for authentication, the DBMS must transmit only encrypted representations of passwords.
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and require...
Rule High Severity -
SRG-APP-000175
Group -
SRG-APP-000176
Group -
SRG-APP-000177
Group -
SRG-APP-000178
Group -
SRG-APP-000179
Group -
SRG-APP-000180
Group -
SRG-APP-000211
Group -
SRG-APP-000220
Group -
SRG-APP-000223
Group -
SRG-APP-000224
Group -
SRG-APP-000225
Group -
The DBMS must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality,...
Rule Medium Severity -
SRG-APP-000226
Group -
SRG-APP-000231
Group -
The DBMS must protect the confidentiality and integrity of all information at rest.
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...
Rule High Severity -
SRG-APP-000233
Group -
SRG-APP-000243
Group -
SRG-APP-000243
Group -
The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf...
Rule Medium Severity -
SRG-APP-000243
Group -
Access to database files must be limited to relevant processes and to authorized, administrative users.
Applications, including DBMSs, must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have...
Rule Medium Severity -
SRG-APP-000251
Group -
SRG-APP-000251
Group -
SRG-APP-000251
Group -
The DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various pr...
Rule Medium Severity -
SRG-APP-000266
Group -
SRG-APP-000267
Group -
SRG-APP-000295
Group -
The DBMS must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). ...
Rule Medium Severity -
SRG-APP-000296
Group -
The DBMS must provide logout functionality to allow the user to manually terminate a session initiated by that user.
If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logout may be explicit or implicit. Examp...
Rule Medium Severity -
SRG-APP-000311
Group -
SRG-APP-000313
Group -
SRG-APP-000314
Group -
The DBMS must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions. Security labels are abstractions representing the basic...
Rule Medium Severity -
SRG-APP-000328
Group -
SRG-APP-000340
Group -
The DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. System ...
Rule Medium Severity -
SRG-APP-000342
Group -
Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.
In certain situations, to provide required functionality, a DBMS needs to execute internal logic (stored procedures, functions, triggers, etc.) and/or external code modules with elevated privileges...
Rule Medium Severity -
SRG-APP-000357
Group -
The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
In order to ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates ...
Rule Medium Severity -
SRG-APP-000359
Group -
SRG-APP-000360
Group -
SRG-APP-000374
Group -
SRG-APP-000375
Group -
The DBMS must generate time stamps, for audit records and application data, with a minimum granularity of one second.
Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the DBMS must include date and time. Granula...
Rule Medium Severity