Skip to content

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000133-DB-000362

    <GroupDescription></GroupDescription>
    Group
  • Administrative privileges must be assigned to database accounts via database roles.

    &lt;VulnDiscussion&gt;Applications employ the concept of least privilege for specific duties and information systems (including specific functions,...
    Rule Medium Severity
  • SRG-APP-000233-DB-000124

    <GroupDescription></GroupDescription>
    Group
  • Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.

    &lt;VulnDiscussion&gt;This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of ro...
    Rule Medium Severity
  • SRG-APP-000141-DB-000093

    <GroupDescription></GroupDescription>
    Group
  • OS accounts utilized to run external procedures called by the DBMS must have limited privileges.

    &lt;VulnDiscussion&gt;This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of ro...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must verify account lockouts persist until reset by an administrator.

    &lt;VulnDiscussion&gt;Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts wi...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must set the maximum number of consecutive invalid logon attempts to three.

    &lt;VulnDiscussion&gt;Anytime an authentication method is exposed, to allow for the utilization of an application, there is a risk that attempts w...
    Rule Medium Severity
  • SRG-APP-000328-DB-000301

    <GroupDescription></GroupDescription>
    Group
  • Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.

    &lt;VulnDiscussion&gt;Discretionary Access Control (DAC) is based on the premise that individual users are "owners" of objects and therefore have d...
    Rule Medium Severity
  • SRG-APP-000328-DB-000301

    <GroupDescription></GroupDescription>
    Group
  • A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.

    &lt;VulnDiscussion&gt;DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be aut...
    Rule Medium Severity
  • SRG-APP-000359-DB-000319

    <GroupDescription></GroupDescription>
    Group
  • The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.

    &lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....
    Rule Medium Severity
  • SRG-APP-000360-DB-000320

    <GroupDescription></GroupDescription>
    Group
  • The system must provide a real-time alert when organization-defined audit failure events occur.

    &lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....
    Rule Medium Severity
  • SRG-APP-000380-DB-000360

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.

    &lt;VulnDiscussion&gt;When dealing with access restrictions pertaining to change control, it should be noted any changes to the hardware, software,...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Database backup procedures must be defined, documented, and implemented.

    &lt;VulnDiscussion&gt;Information system backup is a critical step in maintaining data assurance and availability. User-level information is data ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Database recovery procedures must be developed, documented, implemented, and periodically tested.

    &lt;VulnDiscussion&gt;Information system backup is a critical step in maintaining data assurance and availability. User-level information is data ...
    Rule Medium Severity
  • SRG-APP-000243-DB-000374

    <GroupDescription></GroupDescription>
    Group
  • DBMS backup and restoration files must be protected from unauthorized access.

    &lt;VulnDiscussion&gt;Information system backup is a critical step in maintaining data assurance and availability. User-level information is data ...
    Rule Medium Severity
  • SRG-APP-000023-DB-000001

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must use multifactor authentication for access to user accounts.

    &lt;VulnDiscussion&gt;Multifactor authentication is defined as using two or more factors to achieve authentication. Factors include: (i) Somethin...
    Rule High Severity
  • SRG-APP-000148-DB-000103

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.

    &lt;VulnDiscussion&gt;To assure individual accountability and prevent unauthorized access, application users (and any processes acting on behalf of...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must disable user accounts after 35 days of inactivity.

    &lt;VulnDiscussion&gt;Attackers that are able to exploit an inactive DBMS account can potentially obtain and maintain undetected access to the data...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce minimum password length.

    &lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.

    &lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.

    &lt;VulnDiscussion&gt;Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-f...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.

    &lt;VulnDiscussion&gt;Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-f...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.

    &lt;VulnDiscussion&gt;Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-f...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.

    &lt;VulnDiscussion&gt;Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-f...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.

    &lt;VulnDiscussion&gt;Passwords need to be changed at specific policy-based intervals. If the information system or application allows the user to...
    Rule Medium Severity
  • SRG-APP-000164-DB-000401

    <GroupDescription></GroupDescription>
    Group
  • Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.

    &lt;VulnDiscussion&gt;Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the u...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.

    &lt;VulnDiscussion&gt;Password maximum lifetime is the maximum period of time, (typically in days) a user's password may be in effect before the u...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules