Skip to content

I - Mission Critical Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.

    &lt;VulnDiscussion&gt;Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Use of the DBMS installation account must be logged.

    &lt;VulnDiscussion&gt;The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.

    &lt;VulnDiscussion&gt;Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. Wh...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.

    &lt;VulnDiscussion&gt;The AUDIT_FILE_DEST parameter specifies the directory where the database audit trail file is stored (when AUDIT_TRAIL paramet...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Access to DBMS software files and directories must not be granted to unauthorized users.

    &lt;VulnDiscussion&gt;The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can res...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Replication accounts must not be granted DBA privileges.

    &lt;VulnDiscussion&gt;Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Network access to the DBMS must be restricted to authorized personnel.

    &lt;VulnDiscussion&gt;Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.&...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Changes to configuration options must be audited.

    &lt;VulnDiscussion&gt;When standard auditing is in use, the AUDIT_SYS_OPERATIONS parameter is used to enable auditing of actions taken by the user ...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Changes to DBMS security labels must be audited.

    &lt;VulnDiscussion&gt;Some DBMS systems provide the feature to assign security labels to data elements. If labeling is required, implementation opt...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Remote database or other external access must use fully-qualified names.

    &lt;VulnDiscussion&gt;The Oracle GLOBAL_NAMES parameter is used to set the requirement for database link names to be the same name as the remote da...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.

    &lt;VulnDiscussion&gt;&lt;DIAGNOSTIC_DEST&gt;/diag indicates the directory where trace, alert, core and incident directories and files are located....
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Remote administration must be disabled for the Oracle connection manager.

    &lt;VulnDiscussion&gt;Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Man...
    Rule Medium Severity
  • SRG-APP-000516-DB-000363

    <GroupDescription></GroupDescription>
    Group
  • Network client connections must be restricted to supported versions.

    &lt;VulnDiscussion&gt;Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supporte...
    Rule Medium Severity
  • SRG-APP-000176-DB-000068

    <GroupDescription></GroupDescription>
    Group
  • The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

    &lt;VulnDiscussion&gt;The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, t...
    Rule High Severity
  • SRG-APP-000001-DB-000031

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

    &lt;VulnDiscussion&gt;Application management includes the ability to control the number of users and user sessions utilizing an application. Limiti...
    Rule Medium Severity
  • SRG-APP-000023-DB-000001

    <GroupDescription></GroupDescription>
    Group
  • The system must employ automated mechanisms for supporting Oracle user account management.

    &lt;VulnDiscussion&gt;A comprehensive application account management process that includes automation helps to ensure accounts designated as requir...
    Rule High Severity
  • SRG-APP-000033-DB-000084

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

    &lt;VulnDiscussion&gt;Strong access controls are critical to securing application data. Access control policies (e.g., identity-based policies, rol...
    Rule High Severity
  • SRG-APP-000089-DB-000064

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must provide audit record generation capability for organization-defined auditable events within the database.

    &lt;VulnDiscussion&gt;Audit records can be generated from various components within the information system. (e.g., network interface, hard disk, mo...
    Rule Medium Severity
  • SRG-APP-000090-DB-000065

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.

    &lt;VulnDiscussion&gt;The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subse...
    Rule Medium Severity
  • SRG-APP-000091-DB-000066

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.

    &lt;VulnDiscussion&gt;Audit records can be generated from various components within the information system, such as network interfaces, hard disks,...
    Rule Medium Severity
  • SRG-APP-000095-DB-000039

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must produce audit records containing sufficient information to establish what type of events occurred.

    &lt;VulnDiscussion&gt;Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...
    Rule Medium Severity
  • SRG-APP-000096-DB-000040

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.

    &lt;VulnDiscussion&gt;Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...
    Rule Medium Severity
  • SRG-APP-000097-DB-000041

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must produce audit records containing sufficient information to establish where the events occurred.

    &lt;VulnDiscussion&gt;Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...
    Rule Medium Severity
  • SRG-APP-000098-DB-000042

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.

    &lt;VulnDiscussion&gt;Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...
    Rule Medium Severity
  • SRG-APP-000099-DB-000043

    <GroupDescription></GroupDescription>
    Group
  • The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.

    &lt;VulnDiscussion&gt;Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules