DISA STIG Oracle 11 Installation v9r1 Windows

Audit Details

Name: DISA STIG Oracle 11 Installation v9r1 Windows

Updated: 6/17/2024

Authority: DISA STIG

Plugin: Windows

Revision: 1.5

Estimated Item Count: 115

File Details

Filename: DISA_Oracle_11g_Installation_v9r1_OS_Windows.audit

Size: 207 kB

MD5: 92a2b79e87a2dda4335a6040febed6ae
SHA256: ffcae0745151f13dd38595cb6a836ffae440e71bace0743ebd7ab9a4cb2ed3f0

Audit Items

Description / Categories
DG0001-ORACLE11 - Vendor supported software is evaluated and patched against newly found vulnerabilities.
DG0003-ORACLE11 - The latest security patches should be installed.
DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_{SID}_DBA Group has no unauthorized users'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_DBA Group has no unauthorized users'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle DBA is only a member of ORA_DBA and Users group'

ACCESS CONTROL

DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle instance DBA is only a member of ORA_{SID}_DBA and Users group'

ACCESS CONTROL

DG0007-ORACLE11 - The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
DG0009-ORACLE11 - Access to DBMS software files and directories should not be granted to unauthorized users - '%ORACLE_HOME% permissions are configured correctly'

CONFIGURATION MANAGEMENT

DG0010-ORACLE11 - Database executable and configuration files should be monitored for unauthorized modifications.
DG0011-ORACLE11 - Configuration management procedures should be defined and implemented for database software modifications.
DG0012-ORACLE11 - Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications - 'ORACLE_BASE environment variable set'

CONFIGURATION MANAGEMENT

DG0012-ORACLE11 - Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications - 'ORACLE_HOME environment variable set'

CONFIGURATION MANAGEMENT

DG0013-ORACLE11 - Database backup procedures should be defined, documented and implemented.
DG0016-ORACLE11 - Unused database components, database application software, and database objects should be removed from the DBMS system.
DG0017-ORACLE11 - A production DBMS installation should not coexist on the same DBMS host with other, non-production DBMS installations - 'All Oracle instances are documented and approved'

CONFIGURATION MANAGEMENT

DG0019-ORACLE11 - Application software should be owned by a Software Application account - 'Oracle base directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0019-ORACLE11 - Application software should be owned by a Software Application account - 'Oracle home directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0020-ORACLE11 - Backup and recovery procedures should be developed, documented, implemented and periodically tested.
DG0021-ORACLE11 - A baseline of database application software should be documented and maintained.
DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ora SQLNET.SSLFIPS_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ora SSL_CIPHER_SUITES set to valid cipher suite'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated - 'Oracle Advanced Security is installed'
DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - 'Oracle base directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0040-ORACLE11 - The DBMS software installation account should be restricted to authorized users - 'Oracle home directory file permissions are correct'

CONFIGURATION MANAGEMENT

DG0041-ORACLE11 - Use of the DBMS installation account should be logged.
DG0042-ORACLE11 - Use of the DBMS software installation account should be restricted to DBMS software installation, upgrade and maintenance actions.
DG0050-ORACLE11 - Database software, applications and configuration files should be monitored to discover unauthorized changes.
DG0052-ORACLE11 - All applications that access the database should be logged in the audit trail.
DG0053-ORACLE11 - A single database connection configuration file should not be used to configure all database clients.
DG0054-ORACLE11 - The audit logs should be periodically monitored to discover DBMS access using unauthorized applications.
DG0063-ORACLE11 - DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts.
DG0064-ORACLE11 - DBMS backup and restoration files should be protected from unauthorized access.
DG0066-ORACLE11 - Procedures for establishing temporary passwords that meet DoD password requirements for new accounts should be defined, documented and implemented.
DG0067-ORACLE11 - Database account passwords should be stored in encoded or encrypted format whether stored in database objects, external host files, environment variables or any other storage locations.

IDENTIFICATION AND AUTHENTICATION

DG0068-ORACLE11 - DBMS tools or applications that echo or require a password entry in clear text should be protected from password display.
DG0069-ORACLE11 - Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.
DG0083-ORACLE11 - Automated notification of suspicious activity detected in the audit trail should be implemented.
DG0086-ORACLE11 - DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges.
DG0088-ORACLE11 - The DBMS should be periodically tested for vulnerability management and IA compliance.
DG0090-ORACLE11 - Sensitive information stored in the database should be protected by encryption.
DG0092-ORACLE11 - Database data files containing sensitive information should be encrypted.
DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - '%ORACLE_HOME%\ldap\admin\fips.ora SSLFIPS_140 = TRUE'

SYSTEM AND COMMUNICATIONS PROTECTION

DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - 'all protocols use TCPS'

ACCESS CONTROL

DG0095-ORACLE11 - Audit trail data should be reviewed daily or more frequently.
DG0096-ORACLE11 - The DBMS IA policies and procedures should be reviewed annually or more frequently.
DG0097-ORACLE11 - Plans and procedures for testing DBMS installations, upgrades and patches should be defined and followed prior to production implementation.
DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\bin\extproc.exe does not exist'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\hs\admin\extproc.ora SET EXTPROC_DLLS = ONLY'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\hs\admin\extproc.ora SET EXTPROC_DLLS contains only valid paths'

CONFIGURATION MANAGEMENT

DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '%ORACLE_HOME%\rdbms\admin\externaljob.ora run_group = nobody'

CONFIGURATION MANAGEMENT