O121-C2-012900 - The DBMS must use multifactor authentication for access to user accounts - SSL_CLIENT_AUTHENTICATION

Information

Multifactor authentication is defined as using two or more factors to achieve authentication.

Factors include:
(i) Something a user knows (e.g., password/PIN);
(ii) Something a user has (e.g., cryptographic identification device, token); or
(iii) Something a user is (e.g., biometric).

The DBMS must be configured to automatically utilize organization-level account management functions, and these functions must immediately enforce the organization's current account policy.

The lack of multifactor authentication makes it much easier for an attacker to gain unauthorized access to a system.

Transport Layer Security (TLS) is the successor protocol to Secure Sockets Layer (SSL). Although the Oracle configuration parameters have names that include 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS.
Use authentication to prove the identities of users who are attempting to log on to the database. Oracle Database enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including TLS with digital certificates, as well as Smart Cards (CAC, PIV).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for user accounts.

If appropriate, enable support for Transport Layer Security (TLS) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).
Oracle Database is capable of being configured to integrate users with an enterprise-level authentication/access mechanism.

The directions are in the Oracle Database Security Guide, Section 6:

https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/database-security-guide.pdf

This section will give detailed step-by-step directions to configure authentication using PKI Certificates for centrally managed users by configuring Secure Sockets Layer in the Oracle database and integrating with LDAP.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R4_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), CAT|I, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, Rule-ID|SV-237723r822488_rule, STIG-ID|O121-C2-012900, STIG-Legacy|SV-76193, STIG-Legacy|V-61703, Vuln-ID|V-237723

Plugin: Unix

Control ID: 62cbcb9117607612ba99c49d06f7f29ad2fa669d158c7ec1fde5a1a319f26bda