DISA STIG Oracle 11 Installation v9r1 Linux

Audit Details

Name: DISA STIG Oracle 11 Installation v9r1 Linux

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 113

File Details

Filename: DISA_Oracle_11g_Installation_v9r1_OS_Linux.audit

Size: 203 kB

MD5: 90c9c1a5096fb918658d00cd0162dd3f
SHA256: ba4eb071fd6d3928df2a156c8fce16bb19d0022aa4c9999102beadb49501c474

Audit Items

Description

Categories
DG0001-ORACLE11 - Vendor supported software is evaluated and patched against newly found vulnerabilities.

SYSTEM AND INFORMATION INTEGRITY

DG0003-ORACLE11 - The latest security patches should be installed.

SYSTEM AND INFORMATION INTEGRITY

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'DBA user group members'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'No dba account is a member of the root group'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'root is not a member of dba groups'

ACCESS CONTROL

DG0007-ORACLE11 - The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.

CONFIGURATION MANAGEMENT

DG0009-ORACLE11 - Access to DBMS software files and directories should not be granted to unauthorized users - '/etc/profile umask < 022'

ACCESS CONTROL

DG0009-ORACLE11 - Access to DBMS software files and directories should not be granted to unauthorized users - 'umask < 0022'

ACCESS CONTROL

DG0010-ORACLE11 - Database executable and configuration files should be monitored for unauthorized modifications.

AUDIT AND ACCOUNTABILITY

DG0011-ORACLE11 - Configuration management procedures should be defined and implemented for database software modifications.

CONFIGURATION MANAGEMENT

DG0012-ORACLE11 - Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications - 'No unauthorized directories exist in $ORACLE_BASE'

CONFIGURATION MANAGEMENT

DG0013-ORACLE11 - Database backup procedures should be defined, documented and implemented.

CONTINGENCY PLANNING

DG0016-ORACLE11 - Unused database components, database application software, and database objects should be removed from the DBMS system.

CONFIGURATION MANAGEMENT

DG0017-ORACLE11 - A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.

CONFIGURATION MANAGEMENT

DG0019-ORACLE11 - Application software should be owned by a Software Application account.

CONFIGURATION MANAGEMENT

DG0020-ORACLE11 - Backup and recovery procedures should be developed, documented, implemented and periodically tested.

CONTINGENCY PLANNING

DG0021-ORACLE11 - A baseline of database application software should be documented and maintained.

CONFIGURATION MANAGEMENT

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '$ORACLE_HOME/network/admin/sqlnet.ora SQLNET.SSLFIPS_140 = true'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '$ORACLE_HOME/network/admin/sqlnet.ora SSL_CIPHER_SUITES is configured'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - '$ORACLE_BASE owner, group and permissions are configured'

CONFIGURATION MANAGEMENT

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - '$ORACLE_HOME owner, group and permissions are configured'

CONFIGURATION MANAGEMENT

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - 'Oracle install account is disabled'

ACCESS CONTROL

DG0041-ORACLE11 - Use of the DBMS installation account should be logged.

AUDIT AND ACCOUNTABILITY

DG0042-ORACLE11 - Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.

ACCESS CONTROL

DG0050-ORACLE11 - Database software, applications and configuration files should be monitored to discover unauthorized changes.

AUDIT AND ACCOUNTABILITY

DG0052-ORACLE11 - All applications that access the database should be logged in the audit trail.

AUDIT AND ACCOUNTABILITY

DG0053-ORACLE11 - A single database connection configuration file should not be used to configure all database clients.

CONFIGURATION MANAGEMENT

DG0054-ORACLE11 - The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.

AUDIT AND ACCOUNTABILITY

DG0063-ORACLE11 - DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.

ACCESS CONTROL

DG0064-ORACLE11 - DBMS backup and restoration files should be protected from unauthorized access.

CONTINGENCY PLANNING

DG0066-ORACLE11 - Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.

IDENTIFICATION AND AUTHENTICATION

DG0067-ORACLE11 - Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.

IDENTIFICATION AND AUTHENTICATION

DG0068-ORACLE11 - DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.

CONFIGURATION MANAGEMENT

DG0069-ORACLE11 - Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.

CONFIGURATION MANAGEMENT

DG0083-ORACLE11 - Automated notification of suspicious activity detected in the audit trail should be implemented.

AUDIT AND ACCOUNTABILITY

DG0086-ORACLE11 - DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.

ACCESS CONTROL

DG0088-ORACLE11 - The DBMS should be periodically tested for vulnerability management and IA compliance.

RISK ASSESSMENT

DG0090-ORACLE11 - Sensitive information stored in the database should be protected by encryption.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0092-ORACLE11 - Database data files containing sensitive information should be encrypted.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - '$ORACLE_HOME/ldap/admin/fips.ora SSLFIPS_140 = true'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - 'Remote admin connections are encrypted'

ACCESS CONTROL

DG0095-ORACLE11 - Audit trail data should be reviewed daily or more frequently.

AUDIT AND ACCOUNTABILITY

DG0096-ORACLE11 - The DBMS IA policies and procedures should be reviewed annually or more frequently.

IDENTIFICATION AND AUTHENTICATION

DG0097-ORACLE11 - Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/bin/extproc does not exist'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/network/admin/listener.ora PROGRAM=EXTPROC does not exist'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/network/admin/tnsnames.ora EXTPROC PROTOCOL=IPC'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/network/admin/tnsnames.ora KEY=EXTPROC does not exist'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/rdbms/admin/externaljob.ora run_group = nobody'

CONFIGURATION MANAGEMENT