DISA STIG Oracle 11 Instance v9r1 Database

Audit Details

Name: DISA STIG Oracle 11 Instance v9r1 Database

Updated: 6/17/2024

Authority: DISA STIG

Plugin: OracleDB

Revision: 1.1

Estimated Item Count: 114

File Details

Filename: DISA_Oracle_11g_Instance_v9r1_Database.audit

Size: 219 kB

MD5: 1d826e548403abe2ee1fe9d1478a4dbf
SHA256: 174f44ed8f7268c07d7ad7ff8dfeaaa2fd5170eaba4e6325cf1041da5d6557fd

Audit Items

Description / Categories
DG0004-ORACLE11 - Application object owner accounts should be disabled when not performing installation or maintenance actions.

CONFIGURATION MANAGEMENT

DG0008-ORACLE11 - Application objects should be owned by accounts authorized for ownership.

ACCESS CONTROL

DG0014-ORACLE11 - Default demonstration and sample database objects and applications should be removed - 'No demo or sample users exist'

CONFIGURATION MANAGEMENT

DG0015-ORACLE11 - Database applications should be restricted from using static DDL statements to modify the application schema.

ACCESS CONTROL

DG0029-ORACLE11 - Required auditing parameters for database auditing should be set - 'audit_trail != none'

AUDIT AND ACCOUNTABILITY

DG0030-ORACLE11 - Audit trail data should be retained for one year.
DG0031-ORACLE11 - Transaction logs should be periodically reviewed for unauthorized modification of data.
DG0032-ORACLE11 - Audit records should be restricted to authorized individuals - 'AUD$ table access is restricted'
DG0032-ORACLE11 - Audit records should be restricted to authorized individuals - 'audit_trail = db or db_extended'
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'job_queue_processes limit is set'
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'max_job_slave_processes limit is set'

ACCESS CONTROL

DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'No unknown jobs exist in the dba_jobs queue'
DG0051-ORACLE11 - Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions - 'No unknown jobs exist in the dba_scheduler_jobs queue'
DG0060-ORACLE11 - All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.

ACCESS CONTROL

DG0065-ORACLE11 - DBMS authentication should require use of a DoD PKI certificate.

ACCESS CONTROL

DG0070-ORACLE11 - Unauthorized user accounts should not exist.

ACCESS CONTROL

DG0071-ORACLE11 - New passwords must be required to differ from old passwords by more than four characters - 'PASSWORD_VERIFY_FUNCTION is not set to NULL or DEFAULT'
DG0073-ORACLE11 - Database accounts should not specify account lock times less than the site-approved minimum - 'Account lockout is < 3'
DG0074-ORACLE11 - Unapproved inactive or expired database accounts should not be found on the database.
DG0075-ORACLE11 - Unauthorized database links should not be defined and active - 'No external database links exist'
DG0076-ORACLE11 - Sensitive information from production database exports must be modified before import to a development database.
DG0077-ORACLE11 - Production databases should be protected from unauthorized access by developers on shared production/development host systems.

ACCESS CONTROL

DG0078-ORACLE11 - Each database user, application or process should have an individually assigned account.
DG0079-ORACLE11 - DBMS login accounts require passwords to meet complexity requirements.

IDENTIFICATION AND AUTHENTICATION

DG0080-ORACLE11 - Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
DG0085-ORACLE11 - The DBA role should not be assigned excessive or unauthorized privileges.

ACCESS CONTROL

DG0087-ORACLE11 - Sensitive data should be labeled.

ACCESS CONTROL

DG0089-ORACLE11 - Developers should not be assigned excessive privileges on production databases.

ACCESS CONTROL

DG0091-ORACLE11 - Custom and GOTS application source code stored in the database should be protected with encryption or encoding.

SYSTEM AND COMMUNICATIONS PROTECTION

DG0098-ORACLE11 - Access to external objects should be disabled if not required and authorized - 'utl_file_dir does not include *'

CONFIGURATION MANAGEMENT

DG0100-ORACLE11 - Replication accounts should not be granted DBA privileges.
DG0105-ORACLE11 - DBMS application user roles should not be assigned unauthorized privileges.
DG0112-ORACLE11 - DBMS system data files should be stored in dedicated disk directories.

ACCESS CONTROL

DG0116-ORACLE11 - Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.

ACCESS CONTROL

DG0117-ORACLE11 - Administrative privileges should be assigned to database accounts via database roles.

ACCESS CONTROL

DG0119-ORACLE11 - DBMS application users should not be granted administrative privileges to the DBMS.

ACCESS CONTROL

DG0121-ORACLE11 - Application user privileges should be restricted to assignment using application user roles.

ACCESS CONTROL

DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'controlfile'
DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'datafile'

ACCESS CONTROL

DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'logfile'

ACCESS CONTROL

DG0122-ORACLE11 - Access to sensitive data should be restricted to authorized users identified by the Information Owner - 'spfile'
DG0123-ORACLE11 - Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.

ACCESS CONTROL

DG0124-ORACLE11 - Use of DBA accounts should be restricted to administrative activities.
DG0125-ORACLE11 - DBMS account passwords should be set to expire every 60 days or more frequently - 'Database password expiration < 60 days'

IDENTIFICATION AND AUTHENTICATION

DG0126-ORACLE11 - Password reuse should be prevented where supported by the DBMS - 'No unlimited REUSE_MAX or REUSE_TIME for DEFAULT profile'

IDENTIFICATION AND AUTHENTICATION

DG0126-ORACLE11 - Password reuse should be prevented where supported by the DBMS - 'No unlimited REUSE_MAX or REUSE_TIME for non DEFAULT profiles'

IDENTIFICATION AND AUTHENTICATION

DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'limit'
DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'name'

IDENTIFICATION AND AUTHENTICATION

DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'profile'
DG0128-ORACLE11 - DBMS default accounts should be assigned custom passwords - 'No default accounts are OPEN'
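Several of the items above are plain instance-parameter or DBA-view checks. The queries below are an added example written for this page, not the contents of the .audit file or Tenable's check logic; they show how a DBA would eyeball those items by hand on an Oracle 11g instance. Assumptions: a session holding SELECT_CATALOG_ROLE (or SYSDBA), Oracle 11.1 or later so that DBA_USERS_WITH_DEFPWD exists, and thresholds taken from the item titles above (60-day expiration, no UNLIMITED reuse); site-approved values may differ. The DG-number tags in the finding strings are labels chosen here to tie rows back to the list.

```sql
-- Added example (not the Tenable .audit check logic): ad-hoc queries a DBA can
-- run on an Oracle 11g instance to review several of the items listed above.
-- Assumes SELECT_CATALOG_ROLE (or SYSDBA) and Oracle 11.1+, where
-- DBA_USERS_WITH_DEFPWD exists. Thresholds mirror the item titles
-- (60-day expiration, no UNLIMITED reuse); site-approved values may differ.

-- DG0029 / DG0032 / DG0098 / DG0051: instance parameters.
-- Expect audit_trail to be DB or DB_EXTENDED (anything but NONE),
-- utl_file_dir not to contain '*', and job_queue_processes to be limited.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'utl_file_dir', 'job_queue_processes');

-- DG0071 / DG0073 / DG0125 / DG0126: password limits per profile.
-- A non-DEFAULT profile may declare 'DEFAULT' for a resource, meaning it
-- inherits the DEFAULT profile's value, so the effective limit is resolved
-- first and the finding is judged on that. TO_NUMBER sits inside its own
-- CASE so 'UNLIMITED' and 'NULL' never reach it (CASE evaluates lazily;
-- a bare AND in Oracle SQL is not guaranteed to short-circuit).
WITH eff AS (
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS lim
    FROM dba_profiles p
    JOIN dba_profiles d
      ON d.profile = 'DEFAULT'
     AND d.resource_name = p.resource_name
   WHERE p.resource_type = 'PASSWORD'
)
SELECT profile, resource_name, lim, finding
  FROM (
    SELECT e.profile, e.resource_name, e.lim,
           CASE
             WHEN e.resource_name = 'PASSWORD_VERIFY_FUNCTION' AND e.lim = 'NULL'
               THEN 'DG0071: no password verify function'
             WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS' AND e.lim = 'UNLIMITED'
               THEN 'DG0073: account never locks'
             WHEN e.resource_name = 'PASSWORD_LIFE_TIME' AND e.lim = 'UNLIMITED'
               THEN 'DG0125: password never expires'
             WHEN e.resource_name = 'PASSWORD_LIFE_TIME'
                  AND (CASE WHEN REGEXP_LIKE(e.lim, '^[0-9]*\.?[0-9]+$')
                            THEN TO_NUMBER(e.lim) END) > 60
               THEN 'DG0125: expiration longer than 60 days'
             WHEN e.resource_name IN ('PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME')
                  AND e.lim = 'UNLIMITED'
               THEN 'DG0126: password reuse not prevented'
           END AS finding
      FROM eff e
  )
 WHERE finding IS NOT NULL
 ORDER BY profile, resource_name;

-- DG0128: accounts still on a shipped default password and not locked.
SELECT u.username, u.account_status, u.profile
  FROM dba_users u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.account_status = 'OPEN';

-- DG0032: anyone besides the DBAs holding object privileges on SYS.AUD$.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'AUD$';

-- DG0075: every database link, to reconcile against the approved list.
-- A populated USERNAME means the link carries stored credentials.
SELECT owner, db_link, username, host
  FROM dba_db_links;

-- DG0051: both job queues in one listing, to reconcile against the
-- documented job inventory.
SELECT 'DBMS_JOB' AS queue, TO_CHAR(job) AS job_id, log_user AS job_owner, what AS action
  FROM dba_jobs
UNION ALL
SELECT 'SCHEDULER', job_name, owner, job_action
  FROM dba_scheduler_jobs;
```

Oracle only prevents password reuse when both PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are set, which is why either one being UNLIMITED is reported. The queries report rows to reconcile rather than pass/fail verdicts for the items (DG0051, DG0075) whose titles call for comparison against site documentation that no query can see.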