Oracle Database 11.2g Security Technical Implementation Guide

Fixed user and public database links must be authorized for use.

A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.

Execute permission must be revoked from PUBLIC for restricted Oracle packages.

The Oracle SQL92_SECURITY parameter must be set to TRUE.

System Privileges must not be granted to PUBLIC.

Object permissions granted to PUBLIC must be restricted.

Unauthorized database links must not be defined and active.

Application object owner accounts must be disabled when not performing installation or maintenance actions.

Network access to the DBMS must be restricted to authorized personnel.

Changes to configuration options must be audited.

The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.

The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

The DBMS must provide audit record generation capability for organization-defined auditable events within the database.

The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.

The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.

The DBMS must protect audit information from any type of unauthorized access.

The DBMS must protect audit tools from unauthorized access.

Default demonstration and sample databases, database objects, and applications must be removed.

Unused database components, DBMS software, and database objects must be removed.

Access to external executables must be disabled or restricted.

The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.

Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.

The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.

The DBMS must preserve any organization-defined system state information in the event of a system failure.

The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.

When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.

Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.

The DBMS software installation account must be restricted to authorized users.

The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

The DBMS must separate user functionality (including user interface services) from database management functionality.

Vendor-supported software must be evaluated and patched against newly found vulnerabilities.

DBMS default accounts must be assigned custom passwords.

The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.

The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.

The DBMS must be protected from unauthorized access by developers on shared production/development host systems.

Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.

The DBA role must not be assigned excessive or unauthorized privileges.

OS accounts utilized to run external procedures called by the DBMS must have limited privileges.

The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.

Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.

The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.

The DBMS must provide a real-time alert when organization-defined audit failure events occur.

Database backup procedures must be defined, documented, and implemented.

DBMS backup and restoration files must be protected from unauthorized access.

The DBMS must disable user accounts after 35 days of inactivity.

The DBMS must support organizational requirements to enforce minimum password length.

The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.

The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.