Thoughts on the DISA Database STIG


Years ago I was fortunate enough to be a contributing author to the original DISA Database Secure Technical Implementation Guide (STIG), which primarily addressed Oracle 7 and 8. Over the years the STIG has changed quite a bit, and I thought it would be interesting to review it piece by piece with some tips and tricks and advice for implementing its various provisions.

I’ll be basing my thoughts on the most recent version of the Database STIG – Version 8 Release 1.10, dated 24 January 2014. The STIG comes in two major parts: the first covers the installation of Oracle software and basic infrastructure, and the second covers the configuration of the Oracle instance. Each has over 100 items to review and secure, some of which are technical and some of which are procedural. I will mostly focus on the technical items, though I may comment on some of the procedural things if I think they are particularly appropriate. My comments will also focus almost exclusively on Linux/UNIX installations, as that is where my primary experience lies.

I will include some of the STIG text in my reviews, but if you want to follow along with the original, it is available to the public here: http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx
