Apr 25, 2022

Apr 5, 2022 (Miscellaneous)
- Audit deprecated.
- Metadata updated.
- References updated.

Jul 30, 2021 (Miscellaneous)
- Metadata updated.
- References updated.

Jun 17, 2021

Apr 22, 2021 (Miscellaneous)
- Metadata updated.
- References updated.

Sep 29, 2020

Apr 22, 2020 (Miscellaneous)
- Metadata updated.
- References updated.

Feb 8, 2019 (Miscellaneous)
- Metadata updated.
- References updated.

Dec 14, 2018 (Informational Update)
- DG0001: Vendor-supported software is evaluated and patched against newly found vulnerabilities.
- DG0003: DBMS security patch level
- DG0007: The database should be secured in accordance with DoD, vendor, and/or commercially accepted practices where applicable.
- DG0010: DBMS software monitoring
- DG0011: DBMS configuration management
- DG0013: Database backup procedures should be defined, documented, and implemented.
- DG0016: DBMS unused components
- DG0020: Backup and recovery procedures should be developed, documented, implemented, and periodically tested.
- DG0021: DBMS software and configuration baseline
- DG0025: DBMS encryption compliance
- DG0041: DBMS installation account use logging
- DG0042: DBMS software installation account use
- DG0050: DBMS software and configuration file monitoring
- DG0052: All applications that access the database should be logged in the audit trail.
- DG0053: DBMS client connection definition file
- DG0054: The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
- DG0063: DBMS privileges to restore database data or other configurations, features, or objects should be restricted to authorized accounts.
- DG0064: DBMS backup and restoration files should be protected from unauthorized access.
- DG0066: DBMS temporary password procedures
- DG0067: DBMS account password storage
- DG0068: DBMS application password display
- DG0069: Procedures and restrictions for import of production data to development databases should be documented, implemented, and followed.
- DG0083: Automated notification of suspicious activity detected in the audit trail should be implemented.
- DG0086: DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
- DG0088: The DBMS should be periodically tested for vulnerability management and IA compliance.
- DG0090: Sensitive information stored in the database should be protected by encryption.
- DG0092: Database data files containing sensitive information should be encrypted.
- DG0095: DBMS audit trail data review
- DG0096: The DBMS IA policies and procedures should be reviewed annually or more frequently.
- DG0097: Plans and procedures for testing DBMS installs, upgrades, and patches should be defined and followed prior to production implementation.
- DG0101: OS accounts used to execute external procedures should be assigned minimum privileges.
- DG0106: Database data encryption controls should be configured in accordance with application requirements.
- DG0107: Sensitive data stored in the database should be identified in the System Security Plan and AIS Functional Architecture documentation.
- DG0108: The DBMS restoration priority should be assigned.
- DG0115: Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner.
- DG0118: The IAM should review changes to DBA role assignments.
- DG0120: Unauthorized access to external database objects should be removed from application user roles.
- DG0129: Passwords should be encrypted when transmitted across the network.
- DG0140: Access to DBMS security data should be audited.
- DG0154: The DBMS requires a System Security Plan containing all required information.
- DG0155: The DBMS should have all applicable settings configured to use trusted files, functions, features, or other components.
- DG0157: Remote DBMS administration should be documented and authorized, or disabled.
- DG0158: DBMS remote administration should be audited.
- DG0159: Remote administrative access to the database should be monitored by the IAO or IAM.
- DG0161: An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS.
- DG0167: Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.
- DG0171: The DBMS should not have a connection defined to access, or be accessed by, a DBMS at a different classification level.
- DG0175: The DBMS host platform and other dependent applications should be configured in compliance with applicable STIG requirements.
- DG0176: The DBMS audit logs should be included in backup operations.
- DG0186: The database should not be directly accessible from public or unauthorized networks.
- DG0194: Privileges assigned to developers on shared production/development hosts should be monitored every three months or more frequently.
- DG0198: Remote administration of the DBMS should be restricted to known, dedicated, and encrypted network addresses and ports.
- DG7001: The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access.
- DO0360: Connections by mid-tier web and application systems to the DBMS should be protected, encrypted, and authenticated according to requirements.
- DO0430: The Oracle Management Agent should be uninstalled if it is not required/authorized or is installed on a database accessible from the Internet.
- DO3630: Oracle listener authentication - 'LSNRCTL Security'

Dec 14, 2018 (Miscellaneous)
- Metadata updated.
- References updated.