DISA STIG Oracle 12c v3r2 Database

Audit Details

Name: DISA STIG Oracle 12c v3r2 Database

Updated: 12/13/2024

Authority: DISA STIG

Plugin: OracleDB

Revision: 1.0

Estimated Item Count: 121

File Details

Filename: DISA_STIG_Oracle_Database_12c_v3r2_Database.audit

Size: 406 kB

MD5: ed2dba7c949103b2da671d8248686a31
SHA256: e46beedde9455e205053911cb24697a7a5fa552cf850b687c67a7cbe736b1e76

Audit Items

DescriptionCategories
DISA_STIG_Oracle_Database_12c_v3r2_Database.audit from DISA Oracle Database 12c v3r2 STIG
O121-BP-021200 - Access to default accounts used to support replication must be restricted to authorized DBAs.

CONFIGURATION MANAGEMENT

O121-BP-021300 - Oracle instance names must not contain Oracle version numbers.

CONFIGURATION MANAGEMENT

O121-BP-021400 - Fixed user and public database links must be authorized for use.

CONFIGURATION MANAGEMENT

O121-BP-021500 - A minimum of two Oracle control files must be defined and configured to be stored on separate, archived disks (physical or virtual) or archived partitions on a RAID device.

CONFIGURATION MANAGEMENT

O121-BP-021600 - A minimum of two Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.

CONFIGURATION MANAGEMENT

O121-BP-021700 - The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA or non-Application administrator user accounts.

CONFIGURATION MANAGEMENT

O121-BP-021900 - The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.

CONFIGURATION MANAGEMENT

O121-BP-022000 - The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.

CONFIGURATION MANAGEMENT

O121-BP-022100 - The Oracle SQL92_SECURITY parameter must be set to TRUE.

CONFIGURATION MANAGEMENT

O121-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.

CONFIGURATION MANAGEMENT

O121-BP-022300 - System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.

CONFIGURATION MANAGEMENT

O121-BP-022400 - System Privileges must not be granted to PUBLIC.

CONFIGURATION MANAGEMENT

O121-BP-022500 - Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.

CONFIGURATION MANAGEMENT

O121-BP-022600 - Object permissions granted to PUBLIC must be restricted.

CONFIGURATION MANAGEMENT

O121-BP-022800 - Application role permissions must not be assigned to the Oracle PUBLIC role.

CONFIGURATION MANAGEMENT

O121-BP-022900 - Oracle application administration roles must be disabled if not required and authorized.

CONFIGURATION MANAGEMENT

O121-BP-023000 - Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.

CONFIGURATION MANAGEMENT

O121-BP-023100 - Database job/batch queues must be reviewed regularly to detect unauthorized database job submissions.

CONFIGURATION MANAGEMENT

O121-BP-023200 - Unauthorized database links must not be defined and active.

CONFIGURATION MANAGEMENT

O121-BP-023300 - Sensitive information from production database exports must be modified before import to a development database.

CONFIGURATION MANAGEMENT

O121-BP-023600 - Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace.

CONFIGURATION MANAGEMENT

O121-BP-023700 - Application owner accounts must have a dedicated application tablespace.

CONFIGURATION MANAGEMENT

O121-BP-023800 - The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.

CONFIGURATION MANAGEMENT

O121-BP-023900 - The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.

CONFIGURATION MANAGEMENT

O121-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.

CONFIGURATION MANAGEMENT

O121-BP-024200 - Use of the DBMS installation account must be logged.

CONFIGURATION MANAGEMENT

O121-BP-024750 - Oracle database products must be a version supported by the vendor.

SYSTEM AND SERVICES ACQUISITION

O121-BP-025100 - The DBMS data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.

CONFIGURATION MANAGEMENT

O121-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.

CONFIGURATION MANAGEMENT

O121-BP-025500 - Replication accounts must not be granted DBA privileges.

CONFIGURATION MANAGEMENT

O121-BP-025600 - Network access to the DBMS must be restricted to authorized personnel.

CONFIGURATION MANAGEMENT

O121-BP-025800 - Changes to configuration options must be audited.

CONFIGURATION MANAGEMENT

O121-BP-026200 - Changes to DBMS security labels must be audited.

CONFIGURATION MANAGEMENT

O121-BP-026300 - Remote database or other external access must use fully-qualified names.

CONFIGURATION MANAGEMENT

O121-BP-026400 - The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.

CONFIGURATION MANAGEMENT

O121-C1-011100 - Oracle software must be evaluated and patched against newly found vulnerabilities.

CONFIGURATION MANAGEMENT

O121-C1-015000 - DBMS default accounts must be assigned custom passwords.

CONFIGURATION MANAGEMENT

O121-C2-000100 - The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

ACCESS CONTROL

O121-C2-001800 - The system must employ automated mechanisms for supporting Oracle user account management.

ACCESS CONTROL

O121-C2-001900 - The DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.

CONFIGURATION MANAGEMENT

O121-C2-002000 - The DBMS must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.

CONFIGURATION MANAGEMENT

O121-C2-002700 - The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

ACCESS CONTROL

O121-C2-003000 - The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user.

ACCESS CONTROL

O121-C2-003600 - A single database connection configuration file must not be used to configure all database clients.

CONFIGURATION MANAGEMENT

O121-C2-003700 - The DBMS must be protected from unauthorized access by developers.

CONFIGURATION MANAGEMENT

O121-C2-003800 - The DBMS must be protected from unauthorized access by developers on shared production/development host systems.

CONFIGURATION MANAGEMENT

O121-C2-003900 - The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.

SYSTEM AND COMMUNICATIONS PROTECTION

O121-C2-004000 - Administrative privileges must be assigned to database accounts via database roles.

CONFIGURATION MANAGEMENT

O121-C2-004100 - Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.

SYSTEM AND COMMUNICATIONS PROTECTION