Oracle Database 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Oracle Database must map the PKI-authenticated identity to an associated user account.
The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meanin...Rule Medium Severity -
SRG-APP-000179-DB-000114
Group -
SRG-APP-000220-DB-000149
Group -
The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded.
This requirement focuses on communications protection at the application session, versus network packet, level. Session IDs are tokens generated by web applications to uniquely identify an applica...Rule Medium Severity -
SRG-APP-000226-DB-000147
Group -
SRG-APP-000231-DB-000154
Group -
SRG-APP-000233-DB-000124
Group -
SRG-APP-000243-DB-000128
Group -
SRG-APP-000251-DB-000160
Group -
The DBMS must check the validity of data inputs.
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated applic...Rule Medium Severity -
SRG-APP-000266-DB-000162
Group -
SRG-APP-000267-DB-000163
Group -
The DBMS must restrict error messages so only authorized personnel may view them.
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be caref...Rule Medium Severity -
SRG-APP-000178-DB-000083
Group -
Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any information that would ...Rule High Severity -
SRG-APP-000178-DB-000083
Group -
When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
The SRG states: "To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any infor...Rule High Severity -
SRG-APP-000109-DB-000049
Group -
The DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
In order to ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates ...Rule Medium Severity -
SRG-APP-000133-DB-000179
Group -
SRG-APP-000133-DB-000179
Group -
Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. This ...Rule Medium Severity -
SRG-APP-000133-DB-000198
Group -
The DBMS software installation account must be restricted to authorized users.
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have sign...Rule High Severity -
SRG-APP-000133-DB-000199
Group -
Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have sign...Rule Medium Severity -
SRG-APP-000148-DB-000103
Group -
SRG-APP-000180-DB-000115
Group -
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status ...Rule Medium Severity -
SRG-APP-000211-DB-000122
Group -
The DBMS must separate user functionality (including user interface services) from database management functionality.
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The s...Rule Medium Severity -
SRG-APP-000080-DB-000063
Group -
The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approvi...Rule Low Severity -
SRG-APP-000516-DB-000363
Group -
SRG-APP-000456-DB-000390
Group -
Oracle software must be evaluated and patched against newly found vulnerabilities.
Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabiliti...Rule High Severity -
SRG-APP-000516-DB-000363
Group -
DBMS default accounts must be assigned custom passwords.
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific po...Rule High Severity -
SRG-APP-000441-DB-000378
Group -
SRG-APP-000142-DB-000094
Group -
SRG-APP-000516-DB-000363
Group -
The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
Temporary application accounts could be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or cond...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SRG-APP-000328-DB-000301
Group -
The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, crypto...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
SRG-APP-000133-DB-000362
Group -
The DBMS must be protected from unauthorized access by developers.
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also...Rule Medium Severity -
SRG-APP-000516-DB-000363
Group -
The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also...Rule Medium Severity