Oracle Database 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000133-DB-000179
Group -
The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have sign...Rule Medium Severity -
SRG-APP-000515-DB-000318
Group -
SRG-APP-000456-DB-000400
Group -
Oracle database products must be a version supported by the vendor.
Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilit...Rule High Severity -
Access to default accounts used to support replication must be restricted to authorized DBAs.
Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases par...Rule Medium Severity -
The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
Setting this value to TRUE allows operating system authentication over an unsecured connection. Trusting remote operating systems can allow a user to impersonate another operating system user and c...Rule High Severity -
The Oracle SQL92_SECURITY parameter must be set to TRUE.
The configuration option SQL92_SECURITY specifies whether table-level SELECT privileges are required to execute an update or delete that references table column values. If this option is disabled (...Rule Medium Severity -
System Privileges must not be granted to PUBLIC.
System privileges can be granted to users and roles and to the user group PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database. Many of these privileges convey cons...Rule Medium Severity -
Oracle application administration roles must be disabled if not required and authorized.
Application administration roles, which are assigned system or elevated application object privileges, must be protected from default activation. Application administration roles are determined by ...Rule Medium Severity -
Unauthorized database links must not be defined and active.
DBMS links provide a communication and data transfer path definition between two databases that may be used by malicious users to discover and obtain unauthorized access to remote systems. Database...Rule Medium Severity -
Application owner accounts must have a dedicated application tablespace.
Separation of tablespaces by application helps to protect the application from resource contention and unauthorized access that could result from storage space reuses or host system access controls...Rule Medium Severity -
The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
The _TRACE_FILES_PUBLIC parameter is used to make trace files used for debugging database applications and events available to all database users. Use of this capability precludes the discrete assi...Rule Medium Severity -
DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the produ...Rule Medium Severity -
The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database, resource contention a...Rule Medium Severity -
The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the DBMS)...Rule Medium Severity -
Changes to DBMS security labels must be audited.
Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation options include the Oracle Label Security package, or a third-party product...Rule Medium Severity -
The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiatio...Rule High Severity -
The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in lim...Rule Medium Severity -
The system must employ automated mechanisms for supporting Oracle user account management.
A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include,...Rule High Severity -
The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generatin...Rule Medium Severity -
The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific applicat...Rule Medium Severity -
The DBMS must produce audit records containing sufficient information to establish what type of events occurred.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
The DBMS must produce audit records containing sufficient information to establish where the events occurred.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited...Rule Medium Severity -
The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
The system must protect audit information from any type of unauthorized access.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...Rule Medium Severity -
The system must protect audit information from unauthorized deletion.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracit...Rule Medium Severity -
The system must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may p...Rule Medium Severity -
The system must protect audit tools from unauthorized modification.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may p...Rule Medium Severity -
The system must protect audit tools from unauthorized deletion.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may p...Rule Medium Severity -
Database objects must be owned by accounts authorized for ownership.
Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownershi...Rule Medium Severity -
Default demonstration and sample databases, database objects, and applications must be removed.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
Use of external executables must be authorized.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
Access to external executables must be disabled or restricted.
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally fr...Rule Medium Severity -
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When th...Rule Medium Severity -
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated ...Rule High Severity -
The DBMS must preserve any organization-defined system state information in the event of a system failure.
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...Rule High Severity -
The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and da...Rule Medium Severity -
The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf...Rule Medium Severity -
The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...Rule Medium Severity -
Database software, applications, and configuration files must be monitored to discover unauthorized changes.
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. If th...Rule Medium Severity -
The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To assure accountability and prevent unauthorized access, organizational users shall be identified and authenticated. Organizational users include organizational employees or individuals the organ...Rule Medium Severity -
DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control polic...Rule High Severity -
The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.