DISA STIG Oracle 11.2g v2r3 Database

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Oracle 11.2g v2r3 Database

Updated: 6/17/2024

Authority: DISA STIG

Plugin: OracleDB

Revision: 1.2

Estimated Item Count: 144

Audit Items

Description | Categories
DISA_STIG_Oracle_Database_11.2g_v2r3_DB.audit from DISA Oracle Database 11.2g v2r3 STIG
O112-BP-021200 - Access to default accounts used to support replication must be restricted to authorized DBAs.
O112-BP-021300 - Oracle instance names must not contain Oracle version numbers.
O112-BP-021400 - Fixed user and public database links must be authorized for use - 'DB Links'
O112-BP-021400 - Fixed user and public database links must be authorized for use - 'repcatlog count = 0'
O112-BP-021500 - A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
O112-BP-021600 - A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device - V$LOG count
O112-BP-021600 - A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device - V$LOG members count
O112-BP-021700 - The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
O112-BP-021800 - Execute permission must be revoked from PUBLIC for restricted Oracle packages.
O112-BP-021900 - The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
O112-BP-022000 - The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
O112-BP-022100 - The Oracle SQL92_SECURITY parameter must be set to TRUE.
O112-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
O112-BP-022300 - System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
O112-BP-022400 - System Privileges must not be granted to PUBLIC.
O112-BP-022500 - Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
O112-BP-022600 - Object permissions granted to PUBLIC must be restricted.
O112-BP-022800 - Application role permissions must not be assigned to the Oracle PUBLIC role.
O112-BP-022900 - Oracle application administration roles must be disabled if not required and authorized.
O112-BP-023000 - Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
O112-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions - job_queue_processes
O112-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions - MAX_JOB_SLAVE_PROCESSES
O112-BP-023200 - Unauthorized database links must not be defined and active.
O112-BP-023300 - Sensitive information from production database exports must be modified before being imported into a development database.
O112-BP-023600 - Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace - default tablespace
O112-BP-023600 - Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace - non-default account records
O112-BP-023700 - Application owner accounts must have a dedicated application tablespace.
O112-BP-023800 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
O112-BP-023900 - The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
O112-BP-024000 - Application object owner accounts must be disabled when not performing installation or maintenance actions - dba roles
O112-BP-024000 - Application object owner accounts must be disabled when not performing installation or maintenance actions - locked roles
O112-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
O112-BP-024200 - Use of the DBMS installation account must be logged.
O112-BP-024750 - Oracle database products must be a version supported by the vendor.
O112-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
O112-BP-025500 - Replication accounts must not be granted DBA privileges.
O112-BP-025800 - Changes to configuration options must be audited.
O112-BP-026200 - Changes to DBMS security labels must be audited.
O112-BP-026300 - Remote database or other external access must use fully-qualified names.
O112-C1-015000 - DBMS default accounts must be assigned custom passwords.
O112-C2-000100 - The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
O112-C2-001800 - The system must employ automated mechanisms for supporting Oracle user account management.
O112-C2-001900 - The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts - Profile list
O112-C2-001900 - The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts - User not assigned the default
O112-C2-001900 - The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts - User Profile assignment
O112-C2-002000 - The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.
O112-C2-002700 - The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy - Role assignments to users
O112-C2-002700 - The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy - Role Table SELECT
O112-C2-002700 - The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy - User role listing