{ "name": "stig_oracle_10_database_installation", "date": "2014-01-14", "description": "This STIG includes the Database Installation checks for an Oracle 10g Database installation.", "title": "Oracle 10 Database Installation STIG", "version": "8", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-15102", "title": "Automated notification of suspicious activity detected in the audit trail should be implemented.", "description": "Audit record collection may quickly overwhelm storage resources and an auditor's ability to review it in a productive manner. Automated tools can provide the means to manage the audit data collected as well as present it to an auditor in an efficient way.", "severity": "medium" }, { "id": "V-15103", "title": "An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.", "description": "Audit logs only capture information on suspicious events. Without an automated monitoring and alerting tool, malicious activity may go undetected and without response until compromise of the database or data is severe.", "severity": "medium" }, { "id": "V-15104", "title": "Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.", "description": "Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.", "severity": "high" }, { "id": "V-15105", "title": "Unauthorized access to external database objects should be removed from application user roles.", "description": "Access to objects stored and/or executed outside of the DBMS security context may provide an avenue of attack to host system resources not controlled by the DBMS. Any access to external resources from the DBMS can lead to a compromise of the host system or its resources.", "severity": "medium" }, { "id": "V-15106", "title": "DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.", "description": "Excess privilege assignment can lead to intentional or unintentional unauthorized actions. Such actions may compromise the operation or integrity of the DBMS and its data. Monitoring assigned privileges assists in the detection of unauthorized privilege assignment. The DBA role is assigned privileges that allow DBAs to modify privileges assigned to them. Ensure that the DBA Role is monitored for any unauthorized changes.", "severity": "medium" }, { "id": "V-15107", "title": "DBMS privileges to restore database data or other DBMS configurations, features or objects should be restricted to authorized DBMS accounts.", "description": "Unauthorized restoration of database data, objects, or other configuration or features can result in a loss of data integrity, unauthorized configuration, or other DBMS interruption or compromise.", "severity": "medium" }, { "id": "V-15108", "title": "Privileges assigned to developers on shared production and development DBMS hosts and the DBMS should be monitored every three months or more frequently for unauthorized changes.", "description": "The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations.", "severity": "medium" }, { "id": "V-15109", "title": "DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems.", "description": "Developer roles should not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities.", "severity": "medium" }, { "id": "V-15110", "title": "Use of the DBMS installation account should be logged.", "description": "The DBMS installation account may be used by any authorized user to perform DBMS installation or maintenance. Without logging, accountability for actions attributed to the account is lost.", "severity": "medium" }, { "id": "V-15111", "title": "Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.", "description": "The DBMS software installation account is granted privileges not required for DBA or other functions. Use of accounts configured with excess privileges may result in unauthorized or unintentional compromise of the DBMS.", "severity": "medium" }, { "id": "V-15112", "title": "The DBMS should be periodically tested for vulnerability management and IA compliance.", "description": "The DBMS security configuration may be altered either intentionally or unintentionally over time. The DBMS may also be the subject of published vulnerabilities that require the installation of a security patch or a reconfiguration to mitigate the vulnerability. If the DBMS is not monitored for required or unintentional changes that render it not compliant with requirements, then it can be vulnerable to attack or compromise.", "severity": "low" }, { "id": "V-15116", "title": "The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.", "description": "The security of the data stored in the DBMS is also vulnerable to attacks against the host platform, calling applications, and other application or optional components.", "severity": "medium" }, { "id": "V-15117", "title": "The DBMS audit logs should be included in backup operations.", "description": "DBMS audit logs are essential to the investigation and prosecution of unauthorized access to the DBMS data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data.", "severity": "medium" }, { "id": "V-15118", "title": "Remote administrative access to the database should be monitored by the IAO or IAM.", "description": "Remote administrative access to systems provides a path for access to and exploit of DBA privileges. Where the risk has been accepted to allow remote administrative access, it is imperative to implement increased monitoring of this access to detect any abuse or compromise.", "severity": "medium" }, { "id": "V-15120", "title": "DBMS backup and restoration files should be protected from unauthorized access.", "description": "Lost or compromised DBMS backup and restoration files may lead to not only the loss of data, but also the unauthorized access to sensitive data. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the database system. In addition, the backup media needs to be protected against physical loss. Most DBMSs maintain online copies of critical control files to provide transparent or easy recovery from hard disk loss or other interruptions to database operation.", "severity": "medium" }, { "id": "V-15121", "title": "DBMS software libraries should be periodically backed up.", "description": "The DBMS application depends upon the availability and integrity of its software libraries. Without backups, compromise or loss of the software libraries can prevent a successful recovery of DBMS operations.", "severity": "medium" }, { "id": "V-15122", "title": "The database should not be directly accessible from public or unauthorized networks.", "description": "Databases often store critical and/or sensitive information used by the organization. For this reason, databases are targeted for attacks by malicious users. Additional protections provided by network defenses that limit accessibility help protect the database and its data from unnecessary exposure and risk.", "severity": "medium" }, { "id": "V-15126", "title": "Database backup procedures should be defined, documented and implemented.", "description": "Database backups provide the required means to restore databases after compromise or loss. Backups help reduce the vulnerability to unauthorized access or hardware loss.", "severity": "medium" }, { "id": "V-15127", "title": "The IAM should review changes to DBA role assignments.", "description": "Unauthorized assignment of DBA privileges can lead to a compromise of DBMS integrity. Providing oversight to the authorization and assignment of privileges provides the separation of duty to support sufficient oversight.", "severity": "medium" }, { "id": "V-15129", "title": "Backup and recovery procedures should be developed, documented, implemented and periodically tested.", "description": "Problems with backup procedures or backup media may not be discovered until after a recovery is needed. Testing and verification of procedures provides the opportunity to discover oversights, conflicts, or other issues in the backup procedures or use of media designed to be used.", "severity": "medium" }, { "id": "V-15131", "title": "Sensitive information stored in the database should be protected by encryption.", "description": "Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.", "severity": "medium" }, { "id": "V-15132", "title": "Database data files containing sensitive information should be encrypted.", "description": "Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. Encryption of sensitive data helps protect disclosure to privileged users who do not have a need-to-know requirement to the data, but may be able to access DBMS data files using OS file tools.\n\nNOTE: The decision to encrypt data is the responsibility of the Information Owner and should be based on other access controls employed to protect the data.", "severity": "medium" }, { "id": "V-15138", "title": "The DBMS IA policies and procedures should be reviewed annually or more frequently.", "description": "A regular review of current database security policies and procedures is necessary to maintain the desired security posture of the DBMS. Policies and procedures should be measured against current DoD policy, STIG guidance, vendor-specific guidance and recommendations, and site-specific or other security policies.", "severity": "low" }, { "id": "V-15139", "title": "Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.", "description": "Updates and patches to existing software have the intention of improving the security or enhancing or adding features to the product. However, it is unfortunately common that updates or patches can render production systems inoperable or even introduce serious vulnerabilities. Some updates also set security configurations back to unacceptable settings that do not meet security requirements. For these reasons, it is a good practice to test updates and patches offline before introducing them in a production environment.", "severity": "medium" }, { "id": "V-15140", "title": "Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.", "description": "Data export from production databases may include sensitive data. Application developers may not be cleared for or have need-to-know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure.", "severity": "medium" }, { "id": "V-15141", "title": "DBMS processes or services should run under custom, dedicated OS accounts.", "description": "Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.", "severity": "medium" }, { "id": "V-15143", "title": "Database data encryption controls should be configured in accordance with application requirements.", "description": "Access to sensitive data may not always be sufficiently protected by authorizations and require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.", "severity": "medium" }, { "id": "V-15144", "title": "Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.", "description": "A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses.", "severity": "medium" }, { "id": "V-15145", "title": "The DBMS restoration priority should be assigned.", "description": "When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without proper assignment of the priority placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements.", "severity": "low" }, { "id": "V-15146", "title": "The DBMS should not be operated without authorization on a host system supporting other application services.", "description": "In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host is threatened by other hosted applications. Applications that share a single DBMS may also create risk to one another. Access controls defined for one application by default may provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.", "severity": "medium" }, { "id": "V-15147", "title": "The DBMS data files, transaction logs and audit files should be stored in dedicated directories or disk partitions separate from software or other application files.", "description": "Protection of DBMS data, transaction and audit data files stored by the host operating system is dependent on OS controls. When different applications share the same database process, resource contention and differing security controls may be required to isolate and protect one application's data and audit logs from another. DBMS software libraries and configuration files also require differing access control lists.", "severity": "medium" }, { "id": "V-15148", "title": "DBMS network communications should comply with PPS usage restrictions.", "description": "Use of default ports is required in DoD networks to support network security device management.", "severity": "medium" }, { "id": "V-15150", "title": "The DBMS requires a System Security Plan containing all required information.", "description": "A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities.", "severity": "low" }, { "id": "V-15179", "title": "The DBMS should not share a host supporting an independent security service.", "description": "The Security Support Structure is a security control function or service provided by an external system or application. An example of this would be a Windows domain controller that provides identification and authentication that can be used by other systems to control access. The associated risk of a DBMS installed on a system that provides security support is significantly higher than when installed on separate systems. In cases where the DBMS is dedicated to local support of a security support function (e.g. a directory service), separation may not be possible.", "severity": "medium" }, { "id": "V-15608", "title": "Access to DBMS software files and directories should not be granted to unauthorized users.", "description": "The DBMS software libraries contain the executables used by the DBMS to operate. Unauthorized access to the libraries can result in malicious alteration or planting of operational executables. This may in turn jeopardize data stored in the DBMS and/or operation of the host system.", "severity": "medium" }, { "id": "V-15610", "title": "DBMS should use NIST FIPS 140-2 validated cryptography.", "description": "Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.", "severity": "medium" }, { "id": "V-15611", "title": "The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.\n", "description": "Regular and timely reviews of audit records increases the likelihood of early discovery of suspicious activity. Discovery of suspicious behavior can in turn trigger protection responses to minimize or eliminate a negative impact from malicious activity. Use of unauthorized application to access the DBMS may indicate an attempt to bypass security controls.", "severity": "low" }, { "id": "V-15618", "title": "Access to external DBMS executables should be disabled or restricted.", "description": "The Oracle external procedure capability provides use of the Oracle process account outside the operation of the DBMS process. You can use it to submit and execute applications stored externally from the database under operating system controls. The external procedure process is the subject of frequent and successful attacks as it allows unauthenticated use of the Oracle process account on the operating system. As of Oracle version 11.1, the external procedure agent may be run directly from the database and not require use of the Oracle listener. This reduces the risk of unauthorized access to the procedure from outside of the database process.", "severity": "medium" }, { "id": "V-15620", "title": "OS accounts used to execute external procedures should be assigned minimum privileges.", "description": "External applications spawned by the DBMS process may be executed under OS accounts assigned unnecessary privileges that can lead to unauthorized access to OS resources. Unauthorized access to OS resources can lead to the compromise of the OS, the DBMS, and any other service provided by the host platform.", "severity": "medium" }, { "id": "V-15621", "title": "Network access to the DBMS must be restricted to authorized personnel.", "description": "Network listeners provide the means to connect to the DBMS from remote systems. Restricting remote access to specific, trusted systems helps prevent access by unauthorized and potentially malicious users.", "severity": "medium" }, { "id": "V-15622", "title": "DBMS service identification should be unique and clearly identifies the service.", "description": "Local or network services that do not employ unique or clearly identifiable targets can lead to inadvertent or unauthorized connections.", "severity": "low" }, { "id": "V-15625", "title": "Recovery procedures and technical system features exist to ensure that recovery is done\nin a secure and verifiable manner.", "description": "A DBMS may be vulnerable to use of compromised data or other critical files during recovery. Use of compromised files could introduce maliciously altered application code, relaxed security settings or loss of data integrity. Where available, DBMS mechanisms to ensure use of only trusted files can help protect the database from this type of compromise during DBMS recovery.", "severity": "medium" }, { "id": "V-15636", "title": "Passwords should be encrypted when transmitted across the network.", "description": "DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.", "severity": "high" }, { "id": "V-15643", "title": "Access to DBMS security data should be audited.", "description": "DBMS security data is useful to malicious users to perpetrate activities that compromise DBMS operations or data integrity. Auditing of access to this data supports forensic and accountability investigations.", "severity": "medium" }, { "id": "V-15649", "title": "The DBMS should have configured all applicable settings to use trusted files, functions, features, or other components during startup, shutdown, aborts, or other unplanned interruptions.", "description": "The DBMS opens data files and reads configuration files at system startup, system shutdown and during abort recovery efforts. If the DBMS does not verify the trustworthiness of these files, it is vulnerable to malicious alterations of its configuration or unauthorized replacement of data. ", "severity": "medium" }, { "id": "V-15651", "title": "Remote DBMS administration should be documented and authorized or disabled.", "description": "Remote administration may expose configuration and sensitive data to unauthorized viewing during transit across the network or allow unauthorized administrative access to the DBMS to remote users.", "severity": "medium" }, { "id": "V-15652", "title": "DBMS remote administration should be audited.", "description": "When remote administration is available, the vulnerability to attack for administrative access is increased. An audit of remote administrative access provides additional means to discover suspicious activity and to provide accountability for administrative actions completed by remote users.", "severity": "medium" }, { "id": "V-15656", "title": "The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level.", "description": "Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases or applications and databases differing in classification levels are required to comply with interface control rules.", "severity": "medium" }, { "id": "V-15658", "title": "The DBMS warning banner should meet DoD policy requirements.", "description": "Without sufficient warning of monitoring and access restrictions of a system, legal prosecution to assign responsibility for unauthorized or malicious access may not succeed. A warning message provides legal support for such prosecution. Access to the DBMS or the applications used to access the DBMS require this warning to help assign responsibility for database activities.", "severity": "medium" }, { "id": "V-15659", "title": "Credentials used to access remote databases should be protected by encryption and restricted to authorized users.", "description": "Access to database connection credential stores provides easy access to the database. Unauthorized access to the database can result without controls in place to prevent unauthorized access to the credentials.", "severity": "medium" }, { "id": "V-15662", "title": "Remote administration of the DBMS should be restricted to known, dedicated and encrypted network addresses and ports.", "description": "Remote administration provides many conveniences that can assist in the maintenance of the designed security posture of the DBMS. On the other hand, remote administration of the database also provides malicious users the ability to access from the network a highly privileged function. Remote administration needs to be carefully considered and used only when sufficient protections against its abuse can be applied. Encryption and dedication of ports to access remote administration functions can help prevent unauthorized access to it.", "severity": "medium" }, { "id": "V-16031", "title": "The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.", "description": "The use of IP address in place of host names helps to protect against malicious corruption or spoofing of host names. Use of static IP addresses is considered more stable and reliable than use of hostnames or Fully Qualified Domain Names (FQDN).", "severity": "low" }, { "id": "V-16032", "title": "Remote administration should be disabled for the Oracle connection manager.", "description": "Remote administration provides a potential opportunity for malicious users to make unauthorized changes to the Connection Manager configuration or interrupt its service.", "severity": "medium" }, { "id": "V-16055", "title": "Oracle Application Express or Oracle HTML DB should not be installed on a production database.", "description": "The Oracle Application Express, formerly called HTML DB, is an application development component installed by default with Oracle. Unauthorized application development can introduce a variety of vulnerabilities to the database.", "severity": "medium" }, { "id": "V-16056", "title": "Oracle Configuration Manager should not remain installed on a production system.", "description": "Oracle Configuration Manager (OCM) is a function of the Oracle Software Configuration Manager (SCM). OCM collects system configuration data used for automated upload to systems owned and managed by Oracle to assist in providing customer support. The configuration information about the server that the OCM collects includes IP addresses, hostname, database username, location of datafiles, etc.", "severity": "medium" }, { "id": "V-16057", "title": "The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.", "description": "Unsupported Oracle network client installations may introduce vulnerabilities to the database. Restriction to use of supported versions helps to protect the database and helps to enforce newer, more robust security controls.", "severity": "medium" }, { "id": "V-2420", "title": "Database executable and configuration files should be monitored for unauthorized modifications.", "description": "Changes to files in the DBMS software directory including executable, configuration, script, or batch files can indicate malicious compromise of the software files. Changes to non-executable files, such as log files and data files, do not usually reflect unauthorized changes, but are modified by the DBMS as part of normal operation. These modifications can be ignored.", "severity": "low" }, { "id": "V-2422", "title": "The DBMS software installation account should be restricted to authorized users.", "description": "DBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a greater impact on database security and operation. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them.", "severity": "medium" }, { "id": "V-2423", "title": "Database software, applications and configuration files should be monitored to discover unauthorized changes.", "description": "Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.", "severity": "medium" }, { "id": "V-2608", "title": "The Oracle Listener should be configured to require administration authentication.", "description": "Oracle listener authentication helps prevent unauthorized administration of the Oracle listener. Unauthorized administration of the listener could lead to DoS exploits; loss of connection audit data, unauthorized reconfiguration or other unauthorized access. This is a Category I finding because privileged access to the listener is not restricted to authorized users. Unauthorized access can result in stopping of the listener (DoS) and overwriting of listener audit logs.", "severity": "high" }, { "id": "V-2612", "title": "Oracle SQLNet and listener log files should not be accessible to unauthorized users.", "description": "The SQLNet and Listener log files provide audit data useful to the discovery of suspicious behavior. The log files may contain usernames and passwords in clear text as well as other information that could aid a malicious user with unauthorized access attempts to the database. Generation and protection of these files helps support security monitoring efforts.", "severity": "medium" }, { "id": "V-3440", "title": "Connections by mid-tier web and application systems to the Oracle DBMS should be protected, encrypted and authenticated according to database, web, application, enclave and network requirements.", "description": "Multi-tier systems may be configured with the database and connecting middle-tier system located on an internal network, with the database located on an internal network behind a firewall and the middle-tier system located in a DMZ. In cases where systems are located in the DMZ, network communications between both systems must be encrypted. In all cases, the application account requires PKI authentication. IP address restriction to the backend database system, under a separate requirement, provides an additional level of protection.", "severity": "medium" }, { "id": "V-3497", "title": "The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.", "description": "The Oracle listener process can be dynamically configured. By connecting to the listener process directly, usually through the Oracle LSNRCTL utility, a user may change any of the parameters available through the set command. This vulnerability has been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS parameter, set in the listener.ora file, prohibits dynamic listener configuration changes and protects the configuration using host operating system security controls.", "severity": "medium" }, { "id": "V-3726", "title": "Configuration management procedures should be defined and implemented for database software modifications.", "description": "Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All changes to software libraries related to the database and its use need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross boundaries. It is important, however, for the boundaries of CM responsibility to be clearly defined and assigned to ensure no libraries or configurations are left unaddressed. Related database application libraries may include third-party DBMS management tools, DBMS stored procedures, or other end-user applications.", "severity": "low" }, { "id": "V-3728", "title": "Unused database components, database application software and database objects should be removed from the DBMS system.", "description": "Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.", "severity": "low" }, { "id": "V-3803", "title": "A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations.", "description": "Production, development and other non-production DBMS installations have different access and security requirements. Shared production/non-production DBMS installations secured at a production-level can impede development efforts whereas production/non-production DBMS installations secured at a development-level can lead to exploitation of production-level installations. Production DBMS installations should be kept separate from development, QA, TEST and other non-production DBMS systems.", "severity": "medium" }, { "id": "V-3805", "title": "Application software should be owned by a Software Application account.", "description": "File and directory ownership imparts full privileges to the owner. These privileges should be restricted to a single, dedicated account to preserve proper chains of ownership and privilege assignment management.", "severity": "low" }, { "id": "V-3806", "title": "A baseline of database application software should be documented and maintained.", "description": "Without maintenance of a baseline of current DBMS application software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to the DBMS executables could be the result of intentional or unintentional actions.", "severity": "medium" }, { "id": "V-3807", "title": "All applications that access the database should be logged in the audit trail.", "description": "Protections and privileges are designed within the database to correspond to access via authorized software. Use of unauthorized software to access the database could indicate an attempt to bypass established permissions. Reviewing the use of application software to the database can lead to discovery of unauthorized access attempts.", "severity": "medium" }, { "id": "V-3809", "title": "A single database connection configuration file should not be used to configure all database clients.", "description": "Many sites distribute a single client database connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access databases not required by all users that may assist in unauthorized access attempts.", "severity": "medium" }, { "id": "V-3811", "title": "Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.", "description": "New accounts authenticated by passwords that are created without a password or with an easily guessed password are vulnerable to unauthorized access. Procedures for creating new accounts with passwords should include the required assignment of a temporary password to be modified by the user upon first use.", "severity": "medium" }, { "id": "V-3812", "title": "Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.", "description": "Database passwords stored in clear text are vulnerable to unauthorized disclosure. Database passwords should always be encoded or encrypted when stored internally or externally to the DBMS.", "severity": "high" }, { "id": "V-3813", "title": "DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.", "description": "Database applications may allow for entry of the account name and password as a visible parameter of the application execution command. This practice should be prohibited and disabled, if possible, by the application. If it cannot be disabled, then users should be strictly instructed not to use this feature. Typically, the application will prompt for this information and accept it without echoing it on the users computer screen.", "severity": "medium" }, { "id": "V-3825", "title": "Remote adminstrative connections to the database should be encrypted.", "description": "Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. Encryption of remote administrative connections to the database ensures confidentiality of configuration, management, and other administrative data.", "severity": "medium" }, { "id": "V-3827", "title": "Audit trail data should be reviewed daily or more frequently.", "description": "Review of audit trail data provides a means for detection of unauthorized access or attempted access. Frequent and regularly scheduled reviews ensures that such access is discovered in a timely manner.", "severity": "medium" }, { "id": "V-3842", "title": "The Oracle software installation account should not be granted excessive host system privileges.", "description": "A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the process account can help contain access to other processes and host system resources. This can in turn help to limit any resulting malicious activity.", "severity": "medium" }, { "id": "V-3845", "title": "OS DBA group membership should be restricted to authorized accounts.", "description": "Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities.", "severity": "low" }, { "id": "V-3862", "title": "The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.", "description": "The INBOUND_CONNECT_TIMEOUT_[listener-name] and SQLNET.INBOUND_CONNECT_TIMEOUT defines the limit the database listener and database server respectively will wait for a client connection to complete after a connection request is made. This limit protects the listener and database server from a Denial-of-Service attack where multiple connection requests are made that are not used or closed from a client. Server resources can be exhausted if unused connections are maintained.", "severity": "medium" }, { "id": "V-3863", "title": "The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.", "description": "The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency of active connection verification of a client connection. This prevents indefinite open connections to the database where client connections have not been terminated properly. Indefinite open connections could lead to an exhaustion of system resources or leave an open connection available for compromise.", "severity": "medium" }, { "id": "V-3866", "title": "The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.", "description": "The Oracle Management Agent (Oracle Intelligent Agent in earlier versions) provides the mechanism for local and/or remote management of the local Oracle Database by Oracle Enterprise Manager or other SNMP management platforms. Because it provides access to operating system and database functions, it should be uninstalled if not in use.", "severity": "low" }, { "id": "V-4754", "title": "Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.", "description": "Multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directoriies both threatens and is threatened by other hosted applications. Access controls defined for one application may by default provide access to the other application’s database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.", "severity": "medium" }, { "id": "V-4758", "title": "An upgrade/migration plan should be developed to address an unsupported DBMS software version.", "description": "Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities.", "severity": "medium" }, { "id": "V-5658", "title": "Vendor supported software is evaluated and patched against newly found vulnerabilities.", "description": "Unsupported software versions are not patched by vendors to address newly discovered security versions. An unpatched version is vulnerable to attack.", "severity": "high" }, { "id": "V-5659", "title": "The latest security patches should be installed.", "description": "Maintaining the currency of the software version protects the database from known vulnerabilities.", "severity": "medium" }, { "id": "V-6756", "title": "Only necessary privileges to the host system should be granted to DBA OS accounts.", "description": "Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.", "severity": "medium" }, { "id": "V-6767", "title": "The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.", "description": "DBMS systems that do not follow DoD, vendor and/or public best security practices are vulnerable to related published vulnerabilities. A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities. ", "severity": "medium" } ] }