DG0004-ORACLE11 - Application object owner accounts should be disabled when not performing installation or maintenance actions. | CONFIGURATION MANAGEMENT |
DG0008-ORACLE11 - Application objects should be owned by accounts authorized for ownership. | ACCESS CONTROL |
DG0014-ORACLE11 - Default demonstration and sample database objects and applications should be removed - 'No demo or sample users exist' | CONFIGURATION MANAGEMENT |
DG0015-ORACLE11 - Database applications should be restricted from using static DDL statements to modify the application schema. | ACCESS CONTROL |
DG0029-ORACLE11 - Required auditing parameters for database auditing should be set - 'audit_trail != none' | AUDIT AND ACCOUNTABILITY |
DG0030-ORACLE11 - Audit trail data should be retained for one year. | |
DG0031-ORACLE11 - Transaction logs should be periodically reviewed for unauthorized modification of data. | |
DG0032-ORACLE11 - Audit records should be restricted to authorized individuals - 'AUD$ table access is restricted' | AUDIT AND ACCOUNTABILITY |
DG0032-ORACLE11 - Audit records should be restricted to authorized individuals - 'audit_trail = db or db_extended' | AUDIT AND ACCOUNTABILITY |
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'job_queue_processes limit is set' | ACCESS CONTROL |
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'max_job_slave_processes limit is set' | ACCESS CONTROL |
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'No unknown jobs exist in the dba_jobs queue' | ACCESS CONTROL |
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'No unknown jobs exist in the dba_scheduler_jobs queue' | ACCESS CONTROL |
DG0060-ORACLE11 - All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO. | ACCESS CONTROL |
DG0065-ORACLE11 - DBMS authentication should require use of a DoD PKI certificate. | ACCESS CONTROL |
DG0070-ORACLE11 - Unauthorized user accounts should not exist. | ACCESS CONTROL |
DG0071-ORACLE11 - New passwords must be required to differ from old passwords by more than four characters - 'PASSWORD_VERIFY_FUNCTION is not set to NULL or DEFAULT' | IDENTIFICATION AND AUTHENTICATION |
DG0073-ORACLE11 - Database accounts should not specify account lock times less than the site-approved minimum - 'Account lockout is < 3' | ACCESS CONTROL |
DG0074-ORACLE11 - Unapproved inactive or expired database accounts should not be found on the database. | |
DG0075-ORACLE11 - Unauthorized database links should not be defined and active - 'No external database links exist' | ACCESS CONTROL |
DG0076-ORACLE11 - Sensitive information from production database exports must be modified before import to a development database. | |
DG0077-ORACLE11 - Production databases should be protected from unauthorized access by developers on shared production/development host systems. | ACCESS CONTROL |
DG0078-ORACLE11 - Each database user, application or process should have an individually assigned account. | |
DG0079-ORACLE11 - DBMS login accounts require passwords to meet complexity requirements. | IDENTIFICATION AND AUTHENTICATION |
DG0080-ORACLE11 - Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. | |
DG0085-ORACLE11 - The DBA role should not be assigned excessive or unauthorized privileges. | ACCESS CONTROL |
DG0087-ORACLE11 - Sensitive data should be labeled. | ACCESS CONTROL |
DG0089-ORACLE11 - Developers should not be assigned excessive privileges on production databases. | ACCESS CONTROL |
DG0091-ORACLE11 - Custom and GOTS application source code stored in the database should be protected with encryption or encoding. | SYSTEM AND COMMUNICATIONS PROTECTION |
DG0098-ORACLE11 - Access to external objects should be disabled if not required and authorized - 'utl_file_dir does not include *' | CONFIGURATION MANAGEMENT |
DG0100-ORACLE11 - Replication accounts should not be granted DBA privileges. | |
DG0105-ORACLE11 - DBMS application user roles should not be assigned unauthorized privileges. | |
DG0112-ORACLE11 - DBMS system data files should be stored in dedicated disk directories. | ACCESS CONTROL |
DG0116-ORACLE11 - Database privileged role assignments should be restricted to IAO-authorized DBMS accounts. | ACCESS CONTROL |
DG0117-ORACLE11 - Administrative privileges should be assigned to database accounts via database roles. | ACCESS CONTROL |
DG0119-ORACLE11 - DBMS application users should not be granted administrative privileges to the DBMS. | ACCESS CONTROL |
DG0121-ORACLE11 - Application users privileges should be restricted to assignment using application user roles. | ACCESS CONTROL |
DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'controlfile' | CONFIGURATION MANAGEMENT |
DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'datafile' | ACCESS CONTROL |
DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'logfile' | ACCESS CONTROL |
DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'spfile' | ACCESS CONTROL |
DG0123-ORACLE11 - Access to DBMS system tables and other configuration or metadata should be restricted to DBAs. | ACCESS CONTROL |
DG0124-ORACLE11 - Use of DBA accounts should be restricted to administrative activities. | |
DG0125-ORACLE11 - DBMS account passwords should be set to expire every 60 days or more frequently - 'Database password expiration < 60 days' | IDENTIFICATION AND AUTHENTICATION |
DG0126-ORACLE11 - Password reuse should be prevented where supported by the DBMS - 'No unlimited REUSE_MAX or REUSE_TIME for DEFAULT profile' | IDENTIFICATION AND AUTHENTICATION |
DG0126-ORACLE11 - Password reuse should be prevented where supported by the DBMS - 'No unlimited REUSE_MAX or REUSE_TIME for non DEFAULT profiles' | IDENTIFICATION AND AUTHENTICATION |
DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'limit' | IDENTIFICATION AND AUTHENTICATION |
DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'name' | IDENTIFICATION AND AUTHENTICATION |
DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'profile' | IDENTIFICATION AND AUTHENTICATION |
DG0128-ORACLE11 - DBMS default accounts should be assigned custom passwords - 'No default accounts are OPEN' | IDENTIFICATION AND AUTHENTICATION |