Oracle Database 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated ...Rule High Severity -
The DBMS must preserve any organization-defined system state information in the event of a system failure.
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...Rule High Severity -
The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and da...Rule Medium Severity -
The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf...Rule Medium Severity -
The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...Rule Medium Severity -
Database software, applications, and configuration files must be monitored to discover unauthorized changes.
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If th...Rule Medium Severity -
The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated. Organizational users include organizational employees or individuals the organ...Rule Medium Severity -
DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control polic...Rule High Severity -
The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....Rule High Severity -
The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.
This requirement is related to remote access, but more specifically to the networking protocols allowing systems to communicate. Remote access is any access to an organizational information system ...Rule Medium Severity -
The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.
Temporary application accounts could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic test...Rule Medium Severity -
A single database connection configuration file must not be used to configure all database clients.
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also...Rule Medium Severity -
Administrative privileges must be assigned to database accounts via database roles.
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also...Rule Medium Severity -
The DBMS must verify account lockouts persist until reset by an administrator.
Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, org...Rule Medium Severity -
The DBMS must set the maximum number of consecutive invalid logon attempts to three.
Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts will be made to obtain unauthorized access. To defeat these attempts, or...Rule Medium Severity -
Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in whic...Rule Medium Severity -
A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ow...Rule Medium Severity -
The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
When dealing with access restrictions pertaining to change control, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application...Rule Medium Severity -
Database backup procedures must be defined, documented, and implemented.
Information system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. In order to as...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.