| O19C-00-000100 - Oracle Database must limit the number of concurrent sessions for each system account to an organization-defined number of sessions. | ACCESS CONTROL |
| O19C-00-000300 - Oracle Database must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. | ACCESS CONTROL |
| O19C-00-000500 - Oracle Database must associate organization-defined types of security labels having organization-defined security label values with information in storage. | ACCESS CONTROL |
| O19C-00-000800 - Oracle Database must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | ACCESS CONTROL |
| O19C-00-001000 - Oracle Database must enforce approved authorizations for logical access to the system in accordance with applicable policy. | ACCESS CONTROL |
| O19C-00-001700 - Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action. | AUDIT AND ACCOUNTABILITY |
| O19C-00-001800 - Oracle Database must provide audit record generation capability for organization-defined auditable events within the database. | AUDIT AND ACCOUNTABILITY |
| O19C-00-001900 - Oracle Database must allow designated organizational personnel to select which auditable events are to be audited by the database. | AUDIT AND ACCOUNTABILITY |
| O19C-00-002000 - Oracle Database must generate audit records for the DOD-selected list of auditable events, when successfully accessed, added, modified, or deleted, to the extent such information is available. | AUDIT AND ACCOUNTABILITY |
| O19C-00-005600 - Oracle Database must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject. | AUDIT AND ACCOUNTABILITY |
| O19C-00-005700 - Oracle Database must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | AUDIT AND ACCOUNTABILITY |
| O19C-00-005800 - Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems. | AUDIT AND ACCOUNTABILITY |
| O19C-00-005900 - The Oracle Database, or the logging or alerting mechanism the application uses, must provide a warning when allocated audit record storage volume record storage volume reaches 75 percent of maximum audit record storage capacity. | AUDIT AND ACCOUNTABILITY |
| O19C-00-006600 - The audit information produced by the Oracle Database must be protected from unauthorized access, modification, or deletion. | AUDIT AND ACCOUNTABILITY |
| O19C-00-006900 - The system must protect audit tools from unauthorized access, modification, or deletion. | AUDIT AND ACCOUNTABILITY |
| O19C-00-007400 - Oracle Database products must be a version supported by the vendor. | SYSTEM AND SERVICES ACQUISITION |
| O19C-00-007700 - Database software, applications, and configuration files must be monitored to discover unauthorized changes. | CONFIGURATION MANAGEMENT |
| O19C-00-007900 - The OS must limit privileges to change the database management system (DBMS) software resident within software libraries (including privileged programs). | CONFIGURATION MANAGEMENT |
| O19C-00-008000 - The Oracle Database software installation account must be restricted to authorized users. | CONFIGURATION MANAGEMENT |
| O19C-00-008100 - Database software directories, including database management system (DBMS) configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications. | CONFIGURATION MANAGEMENT |
| O19C-00-008200 - Database objects must be owned by accounts authorized for ownership. | CONFIGURATION MANAGEMENT |
| O19C-00-008300 - The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users. | CONFIGURATION MANAGEMENT |
| O19C-00-008400 - Oracle Database must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs. | CONFIGURATION MANAGEMENT |
| O19C-00-008600 - Oracle instance names must not contain Oracle version numbers. | CONFIGURATION MANAGEMENT |
| O19C-00-008700 - Database links must be authorized for use. | CONFIGURATION MANAGEMENT |
| O19C-00-009000 - The Oracle WITH GRANT OPTION privilege must not be granted to nondatabase administrator (DBA) or nonapplication administrator user accounts. | CONFIGURATION MANAGEMENT |
| O19C-00-009200 - The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. | CONFIGURATION MANAGEMENT |
| O19C-00-009300 - The Oracle SQL92_SECURITY parameter must be set to TRUE. | CONFIGURATION MANAGEMENT |
| O19C-00-009400 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. | CONFIGURATION MANAGEMENT |
| O19C-00-009500 - System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts. | CONFIGURATION MANAGEMENT |
| O19C-00-009600 - System Privileges must not be granted to PUBLIC. | CONFIGURATION MANAGEMENT |
| O19C-00-009700 - Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. | CONFIGURATION MANAGEMENT |
| O19C-00-009800 - Object permissions granted to PUBLIC must be restricted. | CONFIGURATION MANAGEMENT |
| O19C-00-010000 - Application role permissions must not be assigned to the Oracle PUBLIC role. | CONFIGURATION MANAGEMENT |
| O19C-00-010100 - Oracle application administration roles must be disabled if not required and authorized. | CONFIGURATION MANAGEMENT |
| O19C-00-010400 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access. | CONFIGURATION MANAGEMENT |
| O19C-00-010500 - The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE. | CONFIGURATION MANAGEMENT |
| O19C-00-010600 - Oracle Database production application and data directories must be protected from developers on shared production/development database management system (DBMS) host systems. | CONFIGURATION MANAGEMENT |
| O19C-00-010700 - Use of the Oracle Database installation account must be logged. | CONFIGURATION MANAGEMENT |
| O19C-00-010800 - The Oracle Database data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files. | CONFIGURATION MANAGEMENT |
| O19C-00-011300 - Changes to configuration options must be audited. | CONFIGURATION MANAGEMENT |
| O19C-00-011500 - The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access. | CONFIGURATION MANAGEMENT |
| O19C-00-011900 - Oracle Database default accounts must be assigned custom passwords. | CONFIGURATION MANAGEMENT |
| O19C-00-012000 - Oracle Database must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts. | CONFIGURATION MANAGEMENT |
| O19C-00-012100 - Oracle Database must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours. | CONFIGURATION MANAGEMENT |
| O19C-00-012200 - Oracle Database must be protected from unauthorized access by developers on shared production/development host systems. | CONFIGURATION MANAGEMENT |
| O19C-00-012300 - Oracle Database must verify account lockouts persist until reset by an administrator. | CONFIGURATION MANAGEMENT |
| O19C-00-012400 - Oracle Database must set the maximum number of consecutive invalid logon attempts to three. | CONFIGURATION MANAGEMENT |
| O19C-00-012500 - Oracle Database must disable user accounts after 35 days of inactivity. | CONFIGURATION MANAGEMENT |
| O19C-00-012900 - Oracle Database default demonstration and sample databases, database objects, and applications must be removed. | CONFIGURATION MANAGEMENT |
