DISA STIG Oracle 12c v2r6 Database

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Oracle 12c v2r6 Database

Updated: 9/19/2023

Authority: DISA STIG

Plugin: OracleDB

Revision: 1.1

Estimated Item Count: 146

Audit Items

Description | Categories
DISA_STIG_Oracle_Database_12c_v2r6_DB.audit from DISA Oracle Database 12c v2r6 STIG
O121-BP-021200 - Access to default accounts used to support replication must be restricted to authorized DBAs.
O121-BP-021300 - Oracle instance names must not contain Oracle version numbers.
O121-BP-021400 - Fixed user and public database links must be authorized for use.
O121-BP-021500 - A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.
O121-BP-021600 - A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device - 'V$LOG count > 2'
O121-BP-021600 - A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device - V$LOG where members > 1
O121-BP-021700 - The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.
O121-BP-021900 - The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.
O121-BP-022000 - The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
O121-BP-022100 - The Oracle SQL92_SECURITY parameter must be set to TRUE.
O121-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
O121-BP-022300 - System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
O121-BP-022400 - System Privileges must not be granted to PUBLIC.
O121-BP-022500 - Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
O121-BP-022600 - Object permissions granted to PUBLIC must be restricted.
O121-BP-022800 - Application role permissions must not be assigned to the Oracle PUBLIC role.
O121-BP-022900 - Oracle application administration roles must be disabled if not required and authorized.
O121-BP-023000 - Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.
O121-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions - 'job_queue_processes'
O121-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions - 'max_job_slave_processes limit is set'
O121-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions - 'owner'
O121-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.
O121-BP-023200 - Unauthorized database links must not be defined and active.
O121-BP-023300 - Sensitive information from production database exports must be modified before import to a development database.
O121-BP-023600 - Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace - 'Default Tablespaces'
O121-BP-023600 - Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace - 'User Tablespaces'
O121-BP-023700 - Application owner accounts must have a dedicated application tablespace.
O121-BP-023800 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access - DB_RECOVERY_FILE_DEST
O121-BP-023800 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access - log_archive_dest
O121-BP-023800 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access - NOARCHIVELOG
O121-BP-023900 - The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
O121-BP-024000 - Application object owner accounts must be disabled when not performing installation or maintenance actions.
O121-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
O121-BP-024200 - Use of the DBMS installation account must be logged.
O121-BP-024750 - Oracle database products must be a version supported by the vendor.
O121-BP-025100 - The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
O121-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files - AUDIT_FILE_DEST
O121-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files - AUDIT_TRAIL
O121-BP-025500 - Replication accounts must not be granted DBA privileges.
O121-BP-025600 - Network access to the DBMS must be restricted to authorized personnel.
O121-BP-025800 - Changes to configuration options must be audited.
O121-BP-026200 - Changes to DBMS security labels must be audited - dba_sa_audit_options
O121-BP-026200 - Changes to DBMS security labels must be audited - Unified Auditing
O121-BP-026300 - Remote database or other external access must use fully-qualified names.
O121-BP-026400 - The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
O121-C1-011100 - Oracle software must be evaluated and patched against newly found vulnerabilities.
O121-C1-015000 - DBMS default accounts must be assigned custom passwords.
O121-C2-000100 - The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
O121-C2-001800 - The system must employ automated mechanisms for supporting Oracle user account management.