DISA STIG Oracle 11 Installation v9r1 Windows

Audit Details

Name: DISA STIG Oracle 11 Installation v9r1 Windows

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.1

Estimated Item Count: 114

File Details

Filename: DISA_Oracle_11g_Installation_v9r1_OS_Windows.audit

Size: 212 kB

MD5: 44f4cc1099bc588ec41ac53d30d039fe
SHA256: 5b8dc19006d156b320f9a9d6ba096ce8a1c87c6d09c26fc5e2916cd7623d3803

Audit Items

Description | Categories
DG0001-ORACLE11 - Vendor supported software is evaluated and patched against newly found vulnerabilities.

SYSTEM AND INFORMATION INTEGRITY

DG0003-ORACLE11 - The latest security patches should be installed.

SYSTEM AND INFORMATION INTEGRITY

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_{SID}_DBA Group has no unauthorized users'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_DBA Group has no unauthorized users'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle DBA is only a member of ORA_DBA and Users group'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle instance DBA is only a member of ORA_{SID}_DBA and Users group'

ACCESS CONTROL

DG0007-ORACLE11 - The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.

CONFIGURATION MANAGEMENT

DG0009-ORACLE11 - Access to DBMS software files and directories should not be granted to unauthorized users - '%ORACLE_HOME% permissions are configured correctly'

CONFIGURATION MANAGEMENT

DG0010-ORACLE11 - Database executable and configuration files should be monitored for unauthorized modifications.

AUDIT AND ACCOUNTABILITY

DG0011-ORACLE11 - Configuration management procedures should be defined and implemented for database software modifications.

CONFIGURATION MANAGEMENT

DG0012-ORACLE11 - Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications - 'ORACLE_BASE environment variable set'

CONFIGURATION MANAGEMENT

DG0012-ORACLE11 - Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications - 'ORACLE_HOME environment variable set'

CONFIGURATION MANAGEMENT

DG0013-ORACLE11 - Database backup procedures should be defined, documented and implemented.

CONTINGENCY PLANNING

DG0016-ORACLE11 - Unused database components, database application software, and database objects should be removed from the DBMS system.

CONFIGURATION MANAGEMENT

DG0017-ORACLE11 - A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations - 'All Oracle instances are documented and approved'

CONFIGURATION MANAGEMENT

DG0019-ORACLE11 - Application software should be owned by a Software Application account - 'Oracle base directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0019-ORACLE11 - Application software should be owned by a Software Application account - 'Oracle home directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0020-ORACLE11 - Backup and recovery procedures should be developed, documented, implemented and periodically tested.

CONTINGENCY PLANNING

DG0021-ORACLE11 - A baseline of database application software should be documented and maintained.

CONFIGURATION MANAGEMENT

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ora SQLNET.SSLFIPS_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ora SSL_CIPHER_SUITES set to valid cipher suite'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - 'Oracle Advanced Security is installed'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - 'Oracle base directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - 'Oracle home directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0041-ORACLE11 - Use of the DBMS installation account should be logged.

AUDIT AND ACCOUNTABILITY

DG0042-ORACLE11 - Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.

ACCESS CONTROL

DG0050-ORACLE11 - Database software, applications and configuration files should be monitored to discover unauthorized changes.

AUDIT AND ACCOUNTABILITY

DG0052-ORACLE11 - All applications that access the database should be logged in the audit trail.

AUDIT AND ACCOUNTABILITY

DG0053-ORACLE11 - A single database connection configuration file should not be used to configure all database clients.

CONFIGURATION MANAGEMENT

DG0054-ORACLE11 - The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.

AUDIT AND ACCOUNTABILITY

DG0063-ORACLE11 - DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.

ACCESS CONTROL

DG0064-ORACLE11 - DBMS backup and restoration files should be protected from unauthorized access.

CONTINGENCY PLANNING

DG0066-ORACLE11 - Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.

IDENTIFICATION AND AUTHENTICATION

DG0067-ORACLE11 - Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.

IDENTIFICATION AND AUTHENTICATION

DG0068-ORACLE11 - DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.

CONFIGURATION MANAGEMENT

DG0069-ORACLE11 - Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.

CONFIGURATION MANAGEMENT

DG0083-ORACLE11 - Automated notification of suspicious activity detected in the audit trail should be implemented.

AUDIT AND ACCOUNTABILITY

DG0086-ORACLE11 - DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.

ACCESS CONTROL

DG0088-ORACLE11 - The DBMS should be periodically tested for vulnerability management and IA compliance.

RISK ASSESSMENT

DG0090-ORACLE11 - Sensitive information stored in the database should be protected by encryption.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0092-ORACLE11 - Database data files containing sensitive information should be encrypted.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - '%ORACLE_HOME%\ldap\admin\fips.ora SSLFIPS_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - 'all protocols use TCPS'

ACCESS CONTROL

DG0095-ORACLE11 - Audit trail data should be reviewed daily or more frequently.

AUDIT AND ACCOUNTABILITY

DG0096-ORACLE11 - The DBMS IA policies and procedures should be reviewed annually or more frequently.

IDENTIFICATION AND AUTHENTICATION

DG0097-ORACLE11 - Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\bin\extproc.exe does not exist'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\hs\admin\extproc.ora SET EXTPROC_DLLS = ONLY'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\hs\admin\extproc.ora SET EXTPROC_DLLS contains only valid paths'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\rdbms\admin\externaljob.ora run_group = nobody'

CONFIGURATION MANAGEMENT