Oracle Database 11.2g Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Access to external executables must be disabled or restricted.
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally fr...Rule Medium Severity -
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. When includ...Rule Medium Severity -
Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
Just as individual users must be authenticated, and just as they must use PKI-based authentication, so must any processes that connect to the DBMS. The DoD standard for authentication of a process...Rule Medium Severity -
The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.
This requirement focuses on communications protection at the application session, versus network packet, level. Session IDs are tokens generated by web applications to uniquely identify an applic...Rule Medium Severity -
The DBMS must preserve any organization-defined system state information in the event of a system failure.
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and c...Rule Medium Severity -
When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.
The SRG states: "To prevent the compromise of authentication information, such as passwords, during the authentication process, the feedback from the information system shall not provide any infor...Rule High Severity -
Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
Any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. This ...Rule Medium Severity -
The DBMS software installation account must be restricted to authorized users.
When dealing with change control issues, it should be noted, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have sign...Rule Medium Severity -
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
Non-organizational users include all information system users other than organizational users which include organizational employees or individuals the organization deems to have equivalent status ...Rule Medium Severity -
The DBMS must separate user functionality (including user interface services) from database management functionality.
Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The ...Rule Medium Severity -
Vendor-supported software must be evaluated and patched against newly found vulnerabilities.
Security faults with software applications and operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabiliti...Rule High Severity -
DBMS default accounts must be assigned custom passwords.
Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the user is forced to change it. Passwords need to be changed at specific po...Rule High Severity -
The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....Rule High Severity -
The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, crypto...Rule Medium Severity -
The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
Applications employ the concept of least privilege for specific duties and information systems (including specific functions, ports, protocols, and services). The concept of least privilege is also...Rule Medium Severity -
Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control polic...Rule Medium Severity -
The DBA role must not be assigned excessive or unauthorized privileges.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control polic...Rule Medium Severity -
OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of role is intended to address those situations where an access control polic...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.