DISA STIG Oracle 11.2g v2r2 Linux

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Oracle 11.2g v2r2 Linux

Updated: 5/27/2022

Authority: Operating Systems and Applications

Plugin: Unix

Revision: 1.2

Estimated Item Count: 49

File Details

Filename: DISA_STIG_Oracle_Database_11.2g_v2r2_OS_Linux.audit

Size: 136 kB

MD5: c8cf0a916ad25131db800c91b36b5acd
SHA256: 8f664f1cde979d4b4d3edb2988229b466860a0caa05c0d1ed49f9db74557b916

Audit Items

DescriptionCategories
O112-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.

CONFIGURATION MANAGEMENT

O112-BP-022700 - The Oracle Listener must be configured to require administration authentication.

ACCESS CONTROL

O112-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files - 'AUDIT_FILE_DEST not in ORACLEHOME'

AUDIT AND ACCOUNTABILITY

O112-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files - 'AUDIT_FILE_DEST Permissions'

CONFIGURATION MANAGEMENT

O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - '/etc/profile umask < 022'

ACCESS CONTROL

O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - 'umask < 0022'

ACCESS CONTROL

O112-BP-025600 - Network access to the DBMS must be restricted to authorized personnel - TCP.INVITED_NODES

SYSTEM AND COMMUNICATIONS PROTECTION

O112-BP-025600 - Network access to the DBMS must be restricted to authorized personnel - TCP.VALIDNODE_CHECKING

SYSTEM AND COMMUNICATIONS PROTECTION

O112-BP-026400 - The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access - Ownership

CONFIGURATION MANAGEMENT

O112-BP-026400 - The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access - Permissions

CONFIGURATION MANAGEMENT

O112-BP-026500 - Remote administration must be disabled for the Oracle connection manager.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

O112-BP-026600 - The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 12 or higher.

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

O112-C1-004500 - DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS - DBA group

ACCESS CONTROL

O112-C1-004500 - DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS - Root group

ACCESS CONTROL

O112-C1-011100 - Vendor-supported software must be evaluated and patched against newly found vulnerabilities.

SYSTEM AND INFORMATION INTEGRITY

O112-C1-015400 - The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key - SSL_CIPHER_SUITES

IDENTIFICATION AND AUTHENTICATION

O112-C1-015400 - The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key - SSL_CLIENT_AUTHENTICATION

IDENTIFICATION AND AUTHENTICATION

O112-C1-015400 - The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key - SSL_VERSION

IDENTIFICATION AND AUTHENTICATION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures - SQLNET.CRYPTO_CHECKSUM_CLIENT

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures - SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures - SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures - SQLNET.ENCRYPTION_TYPES_CLIENT

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures - SQLNET.ENCRYPTION_TYPES_SERVER

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C1-019700 - The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C2-001700 - The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.

CONFIGURATION MANAGEMENT

O112-C2-004400 - OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
O112-C2-011810 - Access to external executables must be disabled or restricted - 'extproc does not exist'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'extproc.ora EXTPROC_DLLS=ANY does not exist'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'listener.ora EXTPROC is not in use'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'listener.ora EXTPROC_DLLS=ANY does not exist'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'ORACLE_HOME/hs/admin/extproc.ora exists'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'run_group=nobody'

CONFIGURATION MANAGEMENT

O112-C2-011810 - Access to external executables must be disabled or restricted - 'run_user=nobody'

CONFIGURATION MANAGEMENT

O112-C2-011900 - The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
O112-C2-012900 - The DBMS must use multifactor authentication for access to user accounts - SQLNET.AUTHENTICATION_SERVICES

IDENTIFICATION AND AUTHENTICATION

O112-C2-012900 - The DBMS must use multifactor authentication for access to user accounts - SSL_CIPHER_SUITES

IDENTIFICATION AND AUTHENTICATION

O112-C2-012900 - The DBMS must use multifactor authentication for access to user accounts - SSL_CLIENT_AUTHENTICATION

IDENTIFICATION AND AUTHENTICATION

O112-C2-012900 - The DBMS must use multifactor authentication for access to user accounts - SSL_VERSION

IDENTIFICATION AND AUTHENTICATION

O112-C2-014600 - The DBMS must support organizational requirements to enforce password encryption for storage.
O112-C2-015100 - DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
O112-C2-015300 - The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - SSL_CIPHER_SUITES

IDENTIFICATION AND AUTHENTICATION

O112-C2-015300 - The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - SSL_CLIENT_AUTHENTICATION

IDENTIFICATION AND AUTHENTICATION

O112-C2-015300 - The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor - SSL_VERSION

IDENTIFICATION AND AUTHENTICATION

O112-C2-015500 - The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account - SSL_CIPHER_SUITES

IDENTIFICATION AND AUTHENTICATION

O112-C2-015500 - The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account - SSL_CLIENT_AUTHENTICATION

IDENTIFICATION AND AUTHENTICATION

O112-C2-015500 - The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account - SSL_VERSION

IDENTIFICATION AND AUTHENTICATION

O112-C2-015700 - The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.

SYSTEM AND COMMUNICATIONS PROTECTION

O112-C2-019100 - The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.

SYSTEM AND COMMUNICATIONS PROTECTION

O112-N1-015602 - When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password.