II - Mission Support Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000100-DB-000201
<GroupDescription></GroupDescription>Group -
The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...Rule Medium Severity -
SRG-APP-000101-DB-000044
<GroupDescription></GroupDescription>Group -
The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
<VulnDiscussion>Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary...Rule Medium Severity -
SRG-APP-000118-DB-000059
<GroupDescription></GroupDescription>Group -
The system must protect audit information from any type of unauthorized access.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000119-DB-000060
<GroupDescription></GroupDescription>Group -
The system must protect audit information from unauthorized modification.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000120-DB-000061
<GroupDescription></GroupDescription>Group -
The system must protect audit information from unauthorized deletion.
<VulnDiscussion>If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially ma...Rule Medium Severity -
SRG-APP-000121-DB-000202
<GroupDescription></GroupDescription>Group -
The system must protect audit tools from unauthorized access.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upo...Rule Medium Severity -
SRG-APP-000122-DB-000203
<GroupDescription></GroupDescription>Group -
The system must protect audit tools from unauthorized modification.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upo...Rule Medium Severity -
SRG-APP-000123-DB-000204
<GroupDescription></GroupDescription>Group -
The system must protect audit tools from unauthorized deletion.
<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upo...Rule Medium Severity -
SRG-APP-000133-DB-000200
<GroupDescription></GroupDescription>Group -
Database objects must be owned by accounts authorized for ownership.
<VulnDiscussion>Within the database, object ownership implies full privileges to the owned object including the privilege to assign access to...Rule Medium Severity -
SRG-APP-000141-DB-000090
<GroupDescription></GroupDescription>Group -
Default demonstration and sample databases, database objects, and applications must be removed.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Medium Severity -
SRG-APP-000141-DB-000091
<GroupDescription></GroupDescription>Group -
Unused database components, DBMS software, and database objects must be removed.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Medium Severity -
SRG-APP-000141-DB-000092
<GroupDescription></GroupDescription>Group -
Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Medium Severity -
SRG-APP-000141-DB-000093
<GroupDescription></GroupDescription>Group -
Use of external executables must be authorized.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Medium Severity -
SRG-APP-000141-DB-000093
<GroupDescription></GroupDescription>Group -
Access to external executables must be disabled or restricted.
<VulnDiscussion>The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process...Rule Medium Severity -
SRG-APP-000142-DB-000094
<GroupDescription></GroupDescription>Group -
The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Medium Severity -
SRG-APP-000171-DB-000074
<GroupDescription></GroupDescription>Group -
The DBMS must support organizational requirements to enforce password encryption for storage.
<VulnDiscussion>Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times, and encryp...Rule High Severity -
SRG-APP-000175-DB-000067
<GroupDescription></GroupDescription>Group -
The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
<VulnDiscussion>A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of publ...Rule Medium Severity -
SRG-APP-000177-DB-000069
<GroupDescription></GroupDescription>Group -
Oracle Database must map the PKI-authenticated identity to an associated user account.
<VulnDiscussion>The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be m...Rule Medium Severity -
SRG-APP-000179-DB-000114
<GroupDescription></GroupDescription>Group -
The DBMS must use NIST-validated FIPS 140-2 or 140-3 compliant cryptography for authentication mechanisms.
<VulnDiscussion>Use of weak or not validated cryptographic algorithms undermines the purposes of utilizing encryption and digital signatures ...Rule High Severity -
SRG-APP-000220-DB-000149
<GroupDescription></GroupDescription>Group -
The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded.
<VulnDiscussion>This requirement focuses on communications protection at the application session, versus network packet, level. Session IDs ...Rule Medium Severity -
SRG-APP-000226-DB-000147
<GroupDescription></GroupDescription>Group -
The DBMS must preserve any organization-defined system state information in the event of a system failure.
<VulnDiscussion>Failure in a known state can address safety or security in accordance with the mission/business needs of the organization. Fa...Rule Medium Severity -
SRG-APP-000231-DB-000154
<GroupDescription></GroupDescription>Group -
The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
<VulnDiscussion>This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers...Rule High Severity -
SRG-APP-000233-DB-000124
<GroupDescription></GroupDescription>Group -
The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
<VulnDiscussion>Security functions are defined as "the hardware, software, and/or firmware of the information system responsible for enforcin...Rule Medium Severity -
SRG-APP-000243-DB-000128
<GroupDescription></GroupDescription>Group -
The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the ac...Rule Medium Severity -
SRG-APP-000251-DB-000160
<GroupDescription></GroupDescription>Group -
The DBMS must check the validity of data inputs.
<VulnDiscussion>Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.