I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000099-DB-000043
Group -
The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited...Rule Medium Severity -
SRG-APP-000100-DB-000201
Group -
The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
SRG-APP-000101-DB-000044
Group -
The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes: timestamps, sourc...Rule Medium Severity -
SRG-APP-000118-DB-000059
Group -
The DBMS must protect audit information from any type of unauthorized access.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In ...Rule Medium Severity -
SRG-APP-000119-DB-000060
Group -
The DBMS must protect audit information from unauthorized modification.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veraci...Rule Medium Severity -
SRG-APP-000120-DB-000061
Group -
The DBMS must protect audit information from unauthorized deletion.
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veraci...Rule Medium Severity -
SRG-APP-000121-DB-000202
Group -
The DBMS must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000122-DB-000203
Group -
The DBMS must protect audit tools from unauthorized modification.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000123-DB-000204
Group -
The DBMS must protect audit tools from unauthorized deletion.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may ...Rule Medium Severity -
SRG-APP-000133-DB-000200
Group -
Database objects must be owned by accounts authorized for ownership.
Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to the owned objects to other subjects. Unmanaged or uncontrolled ownershi...Rule Medium Severity -
SRG-APP-000141-DB-000090
Group -
Default demonstration and sample databases, database objects, and applications must be removed.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000091
Group -
Unused database components, DBMS software, and database objects must be removed.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000092
Group -
Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Use of external executables must be authorized.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000141-DB-000093
Group -
Access to external executables must be disabled or restricted.
The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally fr...Rule Medium Severity -
SRG-APP-000142-DB-000094
Group -
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...Rule Medium Severity -
SRG-APP-000171-DB-000074
Group -
The DBMS must support organizational requirements to enforce password encryption for storage.
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are n...Rule Medium Severity -
SRG-APP-000175-DB-000067
Group -
The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When t...Rule Medium Severity -
SRG-APP-000177-DB-000069
Group -
The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. When includ...Rule Medium Severity -
SRG-APP-000177-DB-000069
Group -
Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
Just as individual users must be authenticated, and just as they must use PKI-based authentication, so must any processes that connect to the DBMS. The DoD standard for authentication of a process...Rule Medium Severity -
SRG-APP-000179-DB-000114
Group -
The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
SRG-APP-000220-DB-000149
Group -
The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded.
This requirement focuses on communications protection at the application session, versus network packet, level. Session IDs are tokens generated by web applications to uniquely identify an applic...Rule Medium Severity -
SRG-APP-000226-DB-000147
Group -
The DBMS must preserve any organization-defined system state information in the event of a system failure.
Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Failure in a known secure state helps prevent a loss of confidentiality, i...Rule Medium Severity -
SRG-APP-000231-DB-000154
Group -
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...Rule Medium Severity -
SRG-APP-000233-DB-000124
Group -
The DBMS must isolate security functions from non-security functions by means of separate security domains.
Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and da...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.