
Oracle Database 11.2g Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.

    Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the pro...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • Use of the DBMS installation account must be logged.

    The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.

    The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or ‘xml, extended’ where supported by the DBMS)...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • Access to DBMS software files and directories must not be granted to unauthorized users.

    The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • Replication accounts must not be granted DBA privileges.

    Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SRG-APP-000516-DB-000363

    Group
  • SRG-APP-000516-DB-000363

    Group
  • Changes to DBMS security labels must be audited.

    Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation options include the Oracle Label Security package, or a third-party product...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • Remote database or other external access must use fully-qualified names.

    The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote database whose connection they define. By using the same name for both, am...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • SRG-APP-000516-DB-000363

    Group
  • Remote administration must be disabled for the Oracle connection manager.

    Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    Group
  • The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.

    Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, mor...
    Rule Medium Severity
  • SRG-APP-000176-DB-000068

    Group
  • SRG-APP-000001-DB-000031

    Group
  • The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

    Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in lim...
    Rule Medium Severity
  • SRG-APP-000023-DB-000001

    Group
  • The system must employ automated mechanisms for supporting Oracle user account management.

    A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include,...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • SRG-APP-000089-DB-000064

    Group
  • SRG-APP-000090-DB-000065

    Group
  • The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.

    The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generatin...
    Rule Medium Severity
  • SRG-APP-000091-DB-000066

    Group
  • The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.

    Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific applicat...
    Rule Medium Severity
  • SRG-APP-000095-DB-000039

    Group
  • The DBMS must produce audit records containing sufficient information to establish what type of events occurred.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...
    Rule Medium Severity
  • SRG-APP-000096-DB-000040

    Group
  • SRG-APP-000097-DB-000041

    Group
  • The DBMS must produce audit records containing sufficient information to establish where the events occurred.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...
    Rule Medium Severity
  • SRG-APP-000098-DB-000042

    Group
  • The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes, but is not limite...
    Rule Medium Severity
  • SRG-APP-000099-DB-000043

    Group
  • The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited...
    Rule Medium Severity
  • SRG-APP-000100-DB-000201

    Group
  • The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.

    Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...
    Rule Medium Severity
  • SRG-APP-000101-DB-000044

    Group
  • SRG-APP-000118-DB-000059

    Group
  • SRG-APP-000119-DB-000060

    Group
  • The DBMS must protect audit information from unauthorized modification.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veraci...
    Rule Medium Severity
  • SRG-APP-000120-DB-000061

    Group
  • The DBMS must protect audit information from unauthorized deletion.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veraci...
    Rule Medium Severity
  • SRG-APP-000121-DB-000202

    Group
  • SRG-APP-000122-DB-000203

    Group
