Oracle 12c Database STIG Breakdown


This post contains a listing of all 199 Oracle 12c Database STIG controls from Release 16 (24 January 2020), organized by the five major categories of database security outlined by Pete Finnigan here. I find this organization helpful for understanding how each control fits into the “big picture” of database security. The categories, with links to my related blog posts, are as follows:

  1. Hardening and Patching Controls
  2. Database Access Controls
  3. User Access Controls
  4. Data Access Controls
  5. Audit Trail Management and Monitoring

Hardening and Patching Controls

These controls cover Oracle software installation; operating system configuration; initialization parameters; datafile configuration; backup and recovery; and Oracle’s Transparent Data Encryption for data at rest. Together with the database access controls, they protect against threats that originate outside the database itself: compromise of the host operating system, theft or loss of files, and exploitation of vulnerabilities in the database software.

Vulnerability (Severity) Title
V-61425(High) The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
V-61427(High) The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
V-61441(High) The Oracle Listener must be configured to require administration authentication.
V-61537(High) DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
V-61539(High) Oracle software must be evaluated and patched against newly found vulnerabilities.
V-61543(High) The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-61843(High) Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-61845(High) When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
V-61865(High) Use of the DBMS software installation account must be restricted.
V-61873(High) The DBMS software installation account must be restricted to authorized users.
V-61413(Medium) Oracle instance names must not contain Oracle version numbers.
V-61419(Medium) A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.
V-61429(Medium) The Oracle SQL92_SECURITY parameter must be set to TRUE.
V-61431(Medium) The Oracle password file ownership and permissions should be limited to the Oracle installation account and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
V-61461(Medium) Application owner accounts must have a dedicated application tablespace.
V-61463(Medium) The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
V-61465(Medium) The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
V-61487(Medium) DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
V-61491(Medium) The DBMS host platform and other dependent applications must be configured in compliance with applicable STIG requirements.
V-61499(Medium) Plans and procedures for testing DBMS installations, upgrades and patches must be defined and followed prior to production implementation.
V-61509(Medium) The DBMS must not share a host supporting an independent security service.
V-61511(Medium) Access to DBMS software files and directories must not be granted to unauthorized users.
V-61525(Medium) DBMS symmetric keys must be protected in accordance with NSA or NIST-approved key management technology or processes.
V-61531(Medium) The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
V-61533(Medium) Remote administration must be disabled for the Oracle connection manager.
V-61579(Medium) DBMS processes or services must run under custom, dedicated OS accounts.
V-61601(Medium) OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
V-61659(Medium) The system must protect audit tools from unauthorized access.
V-61661(Medium) The system must protect audit tools from unauthorized modification.
V-61663(Medium) The system must protect audit tools from unauthorized deletion.
V-61677(Medium) Default demonstration and sample databases, database objects, and applications must be removed.
V-61679(Medium) Unused database components, DBMS software, and database objects must be removed.
V-61681(Medium) Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.
V-61683(Medium) Use of external executables must be authorized.
V-61685(Medium) Access to external executables must be disabled or restricted.
V-61689(Medium) Recovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner.
V-61693(Medium) Oracle must back up user-level information per a defined frequency.
V-61695(Medium) Database backup procedures must be defined, documented, and implemented.
V-61697(Medium) Database recovery procedures must be developed, documented, implemented, and periodically tested.
V-61699(Medium) DBMS backup and restoration files must be protected from unauthorized access.
V-61701(Medium) DBMS must conduct backups of system-level information per organization-defined frequency that is consistent with recovery time and recovery point objectives.
V-61753(Medium) Databases employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-61755(Medium) The DBMS must support organizational requirements to encrypt information stored in the database and information extracted or derived from the database and stored on digital media.
V-61759(Medium) The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-61761(Medium) Database data files containing sensitive information must be encrypted.
V-61763(Medium) The DBMS must protect the integrity of publicly available information and applications.
V-61769(Medium) The DBMS must preserve any organization-defined system state information in the event of a system failure.
V-61771(Medium) The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
V-61781(Medium) The DBMS must prevent unauthorized and unintended information transfer via shared system resources.
V-61785(Medium) The DBMS must check the validity of data inputs.
V-61787(Medium) The system must verify there have not been unauthorized changes to the DBMS software and information.
V-61791(Medium) The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-61867(Medium) Database software, applications, and configuration files must be monitored to discover unauthorized changes.
V-61869(Medium) The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
V-61875(Medium) Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
V-61877(Medium) The DBMS software libraries must be periodically backed up.
V-61885(Medium) The DBMS must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-61963(Medium) The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
V-61965(Medium) The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
V-61417(Low) A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
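Several of the hardening controls above are single initialization parameters, so they can be checked and fixed from SQL*Plus. The following is an added example, not part of the original post or of the STIG itself: it compares V$PARAMETER against the values named in V-61425, V-61427, V-61429 and V-61431, reads the hidden _TRACE_FILES_PUBLIC parameter for V-61465 (hidden parameters are not visible in V$PARAMETER, so that query needs SYS), and shows the remediation for a finding. The expected values are taken from the control titles; nothing else is assumed.

```sql
-- Added example (not from the original post). Run as a DBA; the X$ query needs SYS.
-- 1. Public parameters: compare V$PARAMETER against the STIG-expected value(s).
--    ok_values is a comma-separated list so a parameter may have more than one
--    acceptable setting (REMOTE_LOGIN_PASSWORDFILE: EXCLUSIVE or NONE).
WITH expected AS (
    SELECT 'remote_os_authent'         AS name, 'FALSE'          AS ok_values FROM dual UNION ALL
    SELECT 'remote_os_roles',                   'FALSE'                       FROM dual UNION ALL
    SELECT 'sql92_security',                    'TRUE'                        FROM dual UNION ALL
    SELECT 'remote_login_passwordfile',         'EXCLUSIVE,NONE'              FROM dual
)
SELECT e.name,
       NVL(p.value, '<unset>')                         AS current_value,
       e.ok_values                                     AS stig_value,
       CASE WHEN INSTR(',' || e.ok_values || ',',
                       ',' || UPPER(NVL(p.value, '<unset>')) || ',') > 0
            THEN 'PASS' ELSE 'FINDING' END            AS status
FROM   expected e
       LEFT JOIN v$parameter p ON p.name = e.name
ORDER  BY e.name;

-- 2. Hidden parameter _TRACE_FILES_PUBLIC (V-61465). It is only exposed through the
--    X$ fixed tables, which are readable by SYS alone. The control says "if present
--    must be FALSE", so the default (FALSE) and an explicit FALSE both pass.
SELECT i.ksppinm  AS name,
       v.ksppstvl AS current_value,
       CASE WHEN UPPER(v.ksppstvl) = 'FALSE' THEN 'PASS' ELSE 'FINDING' END AS status
FROM   x$ksppi  i
       JOIN x$ksppcv v ON v.indx = i.indx
WHERE  i.ksppinm = '_trace_files_public';

-- 3. Remediation for a finding. These are static (or effectively static) parameters:
--    write them to the SPFILE and restart the instance for them to take effect.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_roles = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET remote_login_passwordfile = EXCLUSIVE SCOPE = SPFILE;
-- Hidden parameters must be quoted; RESET removes the override so the default (FALSE) applies.
ALTER SYSTEM RESET "_trace_files_public" SCOPE = SPFILE;
```

After the restart, re-run steps 1 and 2 and keep the output with the rest of your STIG evidence; a parameter that reads PASS in memory but differs in the SPFILE (compare V$SPPARAMETER) will regress at the next restart.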

Database Access Controls

These controls relate to a user’s ability to connect to the database, including anything related to networking and encryption of data in motion; database links; passwords and password management; logon triggers; and user account authorization. This may be the most important category overall, as data is much harder to steal or corrupt if you can’t reach it at all.

Vulnerability (Severity) Title
V-61541(High) DBMS default accounts must be assigned custom passwords.
V-61545(High) The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
V-61415(Medium) Fixed user and public database links must be authorized for use.
V-61447(Medium) Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
V-61451(Medium) Unauthorized database links must not be defined and active.
V-61467(Medium) Application object owner accounts must be disabled when not performing installation or maintenance actions.
V-61495(Medium) The database must not be directly accessible from public or unauthorized networks.
V-61515(Medium) Network access to the DBMS must be restricted to authorized personnel.
V-61523(Medium) Remote DBMS administration must be documented and authorized or disabled.
V-61529(Medium) Remote database or other external access must use fully-qualified names.
V-61535(Medium) Network client connections must be restricted to supported versions.
V-61555(Medium) The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.
V-61583(Medium) A single database connection configuration file must not be used to configure all database clients.
V-61603(Medium) The DBMS must verify account lockouts persist until reset by an administrator.
V-61605(Medium) The DBMS must set the maximum number of consecutive invalid logon attempts to three.
V-61675(Medium) The DBMS must enforce requirements for remote connections to the information system.
V-61687(Medium) The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-61703(Medium) The DBMS must use multifactor authentication for network access to privileged accounts.
V-61705(Medium) The DBMS must use multifactor authentication for network access to non-privileged accounts.
V-61707(Medium) The DBMS must use multifactor authentication for local access to privileged accounts.
V-61709(Medium) The DBMS must use multifactor authentication for local access to non-privileged accounts.
V-61711(Medium) The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
V-61713(Medium) The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-61715(Medium) The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-61717(Medium) The DBMS must disable user accounts after 35 days of inactivity.
V-61719(Medium) The DBMS must support organizational requirements to enforce minimum password length.
V-61721(Medium) The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
V-61723(Medium) The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.
V-61725(Medium) The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.
V-61727(Medium) The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-61729(Medium) The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
V-61731(Medium) The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-61733(Medium) The DBMS must support organizational requirements to enforce password encryption for storage.
V-61735(Medium) Procedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
V-61737(Medium) DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
V-61739(Medium) The DBMS must enforce password maximum lifetime restrictions.
V-61741(Medium) The DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-61743(Medium) The DBMS must map the authenticated identity to the user account using PKI-based authentication.
V-61745(Medium) Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.
V-61747(Medium) The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.
V-61749(Medium) The DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
V-61751(Medium) The DBMS must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
V-61757(Medium) The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity.
V-61765(Medium) The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded.
V-61783(Medium) The DBMS must protect against or limit the effects of organization-defined types of Denial of Service (DoS) attacks.
V-61879(Medium) The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-61881(Medium) The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-61967(Medium) The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
V-61815(Low) The DBMS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-61817(Low) The DBMS must manage resources to limit the effects of information flooding types of Denial of Service (DoS) incidents.
V-61887(Low) The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.
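Most of the password and session controls in this section map onto limits in an Oracle profile (V-61603, V-61605, V-61717, V-61721, V-61739, V-61757, V-61967 and the complexity controls V-61719 through V-61731). As an added example, not part of the original post, the block below lists the current limits, flags the ones that differ from the expected value, and creates a compliant profile. Assumptions, labelled as such: where the control title says "organization-defined" (PASSWORD_REUSE_MAX, SESSIONS_PER_USER) the numbers are illustrative, PASSWORD_LIFE_TIME is taken as 60 days, and the profile and user names are placeholders. INACTIVE_ACCOUNT_TIME is a 12.2 profile parameter; on 12.1 the 35-day disable for V-61717 has to be done from a scheduled job.

```sql
-- Added example (not from the original post). Run as a DBA.
-- 1. Current limits for every profile, restricted to the STIG-relevant resources.
--    A limit of DEFAULT is inherited from the DEFAULT profile, so check that one too.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_LIFE_TIME',    'PASSWORD_REUSE_MAX',
                         'PASSWORD_REUSE_TIME',   'PASSWORD_VERIFY_FUNCTION',
                         'IDLE_TIME',             'SESSIONS_PER_USER',
                         'INACTIVE_ACCOUNT_TIME')
ORDER  BY profile, resource_name;

-- 2. Flag findings: any profile whose limit differs from the expected value.
--    PASSWORD_LOCK_TIME must be UNLIMITED so a lockout persists until a DBA
--    resets it (V-61603). PASSWORD_LIFE_TIME = 60 is an assumption, not from the post.
WITH expected AS (
    SELECT 'FAILED_LOGIN_ATTEMPTS' AS resource_name, '3' AS stig_limit FROM dual UNION ALL
    SELECT 'PASSWORD_LOCK_TIME',                     'UNLIMITED'       FROM dual UNION ALL
    SELECT 'PASSWORD_LIFE_TIME',                     '60'              FROM dual UNION ALL
    SELECT 'IDLE_TIME',                              '15'              FROM dual UNION ALL
    SELECT 'INACTIVE_ACCOUNT_TIME',                  '35'              FROM dual
)
SELECT p.profile, p.resource_name, p.limit AS current_limit, e.stig_limit,
       CASE WHEN p.limit = e.stig_limit THEN 'PASS' ELSE 'FINDING' END AS status
FROM   dba_profiles p
       JOIN expected e ON e.resource_name = p.resource_name
ORDER  BY status, p.profile, p.resource_name;

-- 3. A compliant profile for interactive users (12.2 syntax; on 12.1 drop the
--    INACTIVE_ACCOUNT_TIME line). The verify function ships with 12c and is
--    created by @?/rdbms/admin/catpvf.sql if it is not already present.
CREATE PROFILE stig_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    3                            -- V-61605
    PASSWORD_LOCK_TIME       UNLIMITED                    -- V-61603: locked until a DBA unlocks
    PASSWORD_LIFE_TIME       60                           -- V-61739 (assumed 60 days)
    PASSWORD_GRACE_TIME      5
    PASSWORD_REUSE_MAX       10                           -- V-61721 (assumed value)
    PASSWORD_REUSE_TIME      365
    PASSWORD_VERIFY_FUNCTION ora12c_stig_verify_function  -- V-61719 .. V-61731
    IDLE_TIME                15                           -- V-61757
    SESSIONS_PER_USER        3                            -- V-61967 (assumed value)
    INACTIVE_ACCOUNT_TIME    35;                          -- V-61717

-- Assign it; app_user is a placeholder. Existing sessions keep their old limits
-- until they reconnect, and RESOURCE_LIMIT must be TRUE for IDLE_TIME and
-- SESSIONS_PER_USER to be enforced at all.
ALTER USER app_user PROFILE stig_user_profile;
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;
```

Two practical notes: the IDLE_TIME and SESSIONS_PER_USER rows are resource limits, not password limits, and are silently ignored unless RESOURCE_LIMIT is TRUE, which is why the block sets it; and Oracle 12.1.0.2 and later ship a built-in ORA_STIG_PROFILE, so compare its limits with the output of step 1 before defining your own.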

User Access Controls

These controls are all about least privilege: ensuring that a user can do only what they have been authorized to do once they are connected to the database. User and data access controls protect you more against insider threats and against unintended privilege escalation through your applications.

Vulnerability (Severity) Title
V-61411(Medium) Access to default accounts used to support replication must be restricted to authorized DBAs.
V-61421(Medium) The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
V-61433(Medium) System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
V-61435(Medium) System Privileges must not be granted to PUBLIC.
V-61437(Medium) Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
V-61443(Medium) Application role permissions must not be assigned to the Oracle PUBLIC role.
V-61445(Medium) Oracle application administration roles must be disabled if not required and authorized.
V-61455(Medium) Application user privilege assignment must be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
V-61459(Medium) Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.
V-61497(Medium) The ISSM must review changes to DBA role assignments.
V-61501(Medium) Procedures and restrictions for import of production data to development databases must be documented, implemented and followed.
V-61507(Medium) Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users.
V-61513(Medium) Replication accounts must not be granted DBA privileges.
V-61557(Medium) The system must employ automated mechanisms for supporting Oracle user account management.
V-61559(Medium) The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
V-61561(Medium) The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
V-61577(Medium) The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularit
V-61585(Medium) The DBMS must be protected from unauthorized access by developers.
V-61587(Medium) The DBMS must be protected from unauthorized access by developers on shared production/development host systems.
V-61589(Medium) The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
V-61593(Medium) Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
V-61597(Medium) Owners of privileged accounts must use non-privileged accounts for non-administrative activities.
V-61599(Medium) The DBA role must not be assigned excessive or unauthorized privileges.
V-61619(Medium) A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-61669(Medium) The DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions.
V-61671(Medium) The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
V-61673(Medium) Database objects must be owned by accounts authorized for ownership.
V-61777(Medium) The DBMS must automatically terminate emergency accounts after an organization-defined time period for each type of account.
V-61793(Medium) The DBMS must restrict error messages so only authorized personnel may view them.
V-61849(Medium) DBMS default accounts must be protected from misuse.
V-61883(Medium) The DBMS must separate user functionality (including user interface services) from database management functionality.
V-61809(Low) The DBMS must implement separation of duties through assigned information access authorizations.
V-61819(Low) The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.

Data Access Controls

Data access controls are business rules around the data that limit how, when, and where it can be used. Also known as context-based security, this includes Oracle’s Virtual Private Database, Label Security, Database Vault, customized application roles, table constraints, and application business logic. These controls protect data integrity and ensure that sensitive data is available only at the right time and place to the right users.

Vulnerability (Severity) Title
V-61439(Medium) Object permissions granted to PUBLIC must be restricted.
V-61453(Medium) Sensitive information from production database exports must be modified before import to a development database.
V-61503(Medium) Sensitive data stored in the database must be identified in the System Security Plan and AIS Functional Architecture documentation.
V-61575(Medium) The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-61581(Medium) The DBMS must restrict grants to sensitive information to authorized user roles.
V-61591(Medium) Administrative privileges must be assigned to database accounts via database roles.
V-61617(Medium) Databases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-61775(Medium) The DBMS must isolate security functions from nonsecurity functions by means of separate security domains.
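The grant-based controls in the User Access Controls and Data Access Controls sections (V-61421, V-61433, V-61435, V-61437, V-61439, V-61443, V-61459 and V-61599) are all answered by the data dictionary. The block below is an added example, not part of the original post or the STIG, serving both sections: each query lists rows that need either a written authorization or a REVOKE. The list of grantees authorized to hold ADMIN OPTION or GRANT OPTION is site-specific and appears here as an assumed placeholder (SYS, SYSTEM, DBA); the object and user names in the remediation statements are placeholders too. ORACLE_MAINTAINED is a 12c column of DBA_USERS and is used to separate Oracle's own grants from application grants.

```sql
-- Added example (not from the original post). Run as a DBA.

-- V-61435: system privileges granted to PUBLIC. Any row is a finding.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC';

-- V-61439 / V-61443: object privileges and roles granted to PUBLIC. Oracle itself
-- grants PUBLIC access to many SYS objects, so restrict to non-Oracle-maintained
-- owners to see application grants; compare what is left with your documentation.
SELECT t.owner, t.table_name, t.privilege
FROM   dba_tab_privs t
       JOIN dba_users u ON u.username = t.owner
WHERE  t.grantee = 'PUBLIC'
AND    u.oracle_maintained = 'N';

SELECT granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- V-61433 / V-61437: system privileges and roles held WITH ADMIN OPTION by anyone
-- outside the authorized list (assumed list: SYS, SYSTEM, DBA).
SELECT grantee, privilege AS granted, 'SYS PRIV' AS kind
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee, granted_role, 'ROLE'
FROM   dba_role_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY 1, 3, 2;

-- V-61421: object privileges granted WITH GRANT OPTION to non-DBA accounts.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- V-61459: accounts whose default tablespace is SYSTEM, excluding Oracle's own.
SELECT username, default_tablespace, account_status
FROM   dba_users
WHERE  default_tablespace = 'SYSTEM'
AND    oracle_maintained = 'N';

-- V-61599: everything the DBA role currently carries, for comparison against a
-- freshly created database of the same patch level.
SELECT 'SYS PRIV' AS kind, privilege AS granted FROM dba_sys_privs  WHERE grantee = 'DBA'
UNION ALL
SELECT 'ROLE',             granted_role           FROM dba_role_privs WHERE grantee = 'DBA'
UNION ALL
SELECT 'OBJ PRIV',         owner || '.' || table_name || ':' || privilege
FROM   dba_tab_privs WHERE grantee = 'DBA'
ORDER  BY 1, 2;

-- Remediation pattern for confirmed findings (hr.employees, report_user, users are placeholders).
REVOKE CREATE ANY TABLE FROM PUBLIC;
REVOKE SELECT ON hr.employees FROM PUBLIC;
-- There is no "REVOKE ADMIN OPTION": revoke and re-grant without it.
REVOKE SELECT ANY TABLE FROM report_user;
GRANT  SELECT ANY TABLE TO report_user;
ALTER USER report_user DEFAULT TABLESPACE users;
```

Save each result set with a date stamp: V-61455 asks for this review monthly, and a diff between two runs is far easier to read than a full listing.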

Audit Trail Management and Monitoring

With all of our other controls in place, it is important to know when they are being violated, tested, or otherwise abused. This category includes the configuration of Traditional and Unified Auditing; Fine Grained Auditing; Audit Vault and Database Firewall; and the use of related third-party tools like syslog, Splunk, and Tripwire.

Vulnerability (Severity) Title
V-61409(Medium) Audit trail data must be retained for at least one year.
V-61449(Medium) Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
V-61457(Medium) Audit trail data must be reviewed daily or more frequently.
V-61489(Medium) Use of the DBMS installation account must be logged.
V-61493(Medium) Remote administrative access to the database must be monitored by the ISSO or ISSM.
V-61519(Medium) Changes to configuration options must be audited.
V-61527(Medium) Changes to DBMS security labels must be audited.
V-61553(Medium) The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
V-61565(Medium) The DBMS must automatically audit account creation.
V-61569(Medium) The DBMS must automatically audit account modification.
V-61571(Medium) The DBMS must automatically audit account disabling actions, to the extent such information is available.
V-61573(Medium) The DBMS must automatically audit account termination.
V-61595(Medium) All use of privileged accounts must be audited.
V-61613(Medium) The DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded.
V-61615(Medium) The DBMS must have allocated audit record storage capacity.
V-61621(Medium) The DBMS must provide audit record generation capability for organization-defined auditable events within the database.
V-61623(Medium) The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
V-61625(Medium) The DBMS must generate audit records for the DoD-selected list of auditable events, to the extent such information is available.
V-61627(Medium) The DBMS must produce audit records containing sufficient information to establish what type of events occurred.
V-61631(Medium) The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-61633(Medium) The DBMS must produce audit records containing sufficient information to establish where the events occurred.
V-61635(Medium) The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-61637(Medium) The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-61639(Medium) The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-61641(Medium) The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-61643(Medium) The DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
V-61645(Medium) The system must provide a real-time alert when organization-defined audit failure events occur.
V-61647(Medium) The system must alert designated organizational officials in the event of an audit processing failure.
V-61649(Medium) The system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
V-61651(Medium) Attempts to bypass access controls must be audited.
V-61653(Medium) The system must protect audit information from any type of unauthorized access.
V-61655(Medium) The system must protect audit information from unauthorized modification.
V-61657(Medium) The system must protect audit information from unauthorized deletion.
V-61665(Medium) The DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization-defined frequency.
V-61667(Medium) The DBMS must protect audit data records and integrity by using cryptographic mechanisms.
V-61779(Medium) The DBMS must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
V-61789(Medium) The DBMS must identify potentially security-relevant error conditions.
V-61795(Medium) The DBMS must support taking organization-defined list of least disruptive actions to terminate suspicious events.
V-61797(Medium) The DBMS must notify appropriate individuals when accounts are created.
V-61799(Medium) The DBMS must notify appropriate individuals when accounts are modified.
V-61801(Medium) The DBMS must notify appropriate individuals when account disabling actions are taken.
V-61803(Medium) The DBMS must notify appropriate individuals when accounts are terminated.
V-61853(Medium) Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously off-loaded to a centralized log management system.
V-61871(Medium) The DBMS must provide the ability to write specified audit record content to a centralized audit log repository.
V-68863(Medium) Logic modules within the database (to include packages, procedures, functions and triggers) must be monitored to discover unauthorized changes.
V-61813(Low) The system must provide an audit log reduction capability.
V-61969(Low) The system must provide a report generation capability for audit reduction data.
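The account-management auditing controls (V-61565, V-61569, V-61571, V-61573), configuration-change auditing (V-61519), the daily review (V-61457) and audit storage (V-61613, V-61615) can all be handled with the 12c Unified Auditing feature this section mentions. The block below is an added example, not part of the original post or the STIG: it defines a named audit policy, enables it, verifies it, queries the trail the way a daily reviewer would, and moves the trail out of SYSAUX. The policy name STIG_ACCOUNT_MGMT and the tablespace AUDIT_TBS are placeholders. Run it as a user holding the AUDIT_ADMIN role.

```sql
-- Added example (not from the original post). Run as a user with AUDIT_ADMIN.

-- 0. 'TRUE' only when the binary was relinked for pure unified auditing. 'FALSE' is
--    mixed mode, in which unified policies still work alongside traditional AUDIT.
SELECT value AS pure_unified_auditing FROM v$option WHERE parameter = 'Unified Auditing';

-- 1. Policy for account lifecycle, profile and role changes, ALTER SYSTEM (V-61519),
--    and use of the GRANT ANY privileges. Oracle's shipped ORA_SECURECONFIG policy
--    already covers CREATE/ALTER/DROP USER; a separately named policy keeps the STIG
--    mapping explicit and survives local edits to the default policy.
CREATE AUDIT POLICY stig_account_mgmt
    PRIVILEGES GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE
    ACTIONS    CREATE USER, ALTER USER, DROP USER,
               CREATE PROFILE, ALTER PROFILE, DROP PROFILE,
               CREATE ROLE, ALTER ROLE, DROP ROLE,
               ALTER SYSTEM;

-- Enable it for every user; both successful and failed attempts are the default.
AUDIT POLICY stig_account_mgmt;

-- 2. Verify the policy is enabled and what it contains.
SELECT policy_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name IN ('STIG_ACCOUNT_MGMT', 'ORA_SECURECONFIG');

SELECT audit_option, audit_option_type
FROM   audit_unified_policies
WHERE  policy_name = 'STIG_ACCOUNT_MGMT'
ORDER  BY audit_option_type, audit_option;

-- 3. On 12.1 the unified trail is written in queued mode by default, so flush it
--    before a review if records are needed immediately.
BEGIN
    DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
END;
/

-- Daily review (V-61457): who changed accounts, from where, and whether it worked.
-- RETURN_CODE 0 is success; anything else is a failed attempt worth a second look.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_schema, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%STIG_ACCOUNT_MGMT%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;

-- 4. Storage (V-61613 / V-61615): the unified trail lives in SYSAUX by default.
--    Move it to a dedicated tablespace so audit growth cannot fill SYSAUX.
BEGIN
    DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
        audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
        audit_trail_location_value => 'AUDIT_TBS');
END;
/
```

The review query is deliberately filtered on UNIFIED_AUDIT_POLICIES rather than on ACTION_NAME, so that records produced by ORA_SECURECONFIG for the same actions are not double-counted; drop that predicate when you want everything. Off-loading the trail to a central log system (V-61853, V-61871) is a separate step that this block does not cover.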
