DG0093-ORACLE11 - Remote administrative connections to the database should be encrypted - 'Remote admin connections are encrypted'

Information

Communications between a client and database service across the network may contain sensitive information including passwords. This is particularly true in the case of administrative activities. Encryption of remote administrative connections to the database ensures confidentiality of configuration, management, and other administrative data.

Solution

Where remote access to DBA accounts is not allowed, develop, document and implement policies and train DBAs that remote access to DBA accounts is prohibited.

Where remote access to DBA accounts is allowed, the remote connection must be encrypted.

Ensure unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using NIST-certified cryptography.

If remote access is established via the database listener, then install a dedicated listener configured to encrypt all traffic for use by DBAs for remote access.

This requires use of Oracle Advanced Security and Oracle Wallet Manager.

See the Oracle Advanced Security Guide, Configuring Network Data Encryption and Integrity for Oracle Servers and Clients for details.

Configure the listener to require SSL for the DBA connections by specifying TCPS as the network protocol.

Sample listener.ora entries:

DBALSNR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = [SID])
    )
  )

Configure the server's FIPS.ORA file to use FIPS 140-2 compliant settings to encrypt the traffic and ensure integrity of the transmission.

In the FIPS.ORA file in the $ORACLE_HOME/ldap/admin directory or the directory specified in the FIPS_HOME environment variable for the dedicated listener on the server, add the following line:

SSLFIPS_140=TRUE

Monitor the listener log files for evidence of any unencrypted remote access to DBA accounts.
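As an added example (not part of the STIG text or the Tenable audit), the POSIX shell script below checks the three points of the procedure above: that every listener address uses TCPS, that fips.ora sets SSLFIPS_140=TRUE, and that the listener log shows no sessions established over a non-TCPS address. All file contents, host addresses and log entries are constructed samples, and the log line layout is assumed to follow the usual listener.log "establish" entry format.

```shell
#!/bin/sh
# Added example, not the STIG's or Tenable's own code. Each check takes a
# file path; the sample files written below are constructed for the demo.

# Return 0 when every ADDRESS that names a PROTOCOL in the listener file
# uses TCPS (a single plain TCP address would leave an unencrypted path).
listener_requires_tcps() {
    total=$(grep -ci 'PROTOCOL *= *[A-Z]' "$1" || true)
    tcps=$(grep -ci 'PROTOCOL *= *TCPS' "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$tcps" ]
}

# Return 0 when fips.ora turns on FIPS 140-2 mode (SSLFIPS_140=TRUE).
fips_mode_enabled() {
    grep -qi '^[[:space:]]*SSLFIPS_140[[:space:]]*=[[:space:]]*TRUE' "$1"
}

# Count "establish" entries in a listener log whose client ADDRESS is not
# TCPS, i.e. sessions that reached the listener unencrypted.
count_unencrypted_connects() {
    grep -i '\* establish \*' "$1" | grep -ivc 'PROTOCOL=tcps' || true
}

# Constructed sample inputs (192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts).
tmp=$(mktemp -d)
cat > "$tmp/listener_dba.ora" <<'EOF'
DBALSNR =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS) (HOST = 192.0.2.10) (PORT = 1575))
  )
EOF
cat > "$tmp/listener_mixed.ora" <<'EOF'
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP) (HOST = 192.0.2.10) (PORT = 1521))
    (ADDRESS = (PROTOCOL = TCPS) (HOST = 192.0.2.10) (PORT = 1575))
  )
EOF
printf 'SSLFIPS_140=TRUE\n' > "$tmp/fips_on.ora"
printf 'SSLFIPS_140=FALSE\n' > "$tmp/fips_off.ora"
# Two constructed log entries: one TCPS session, one plain TCP session.
cat > "$tmp/listener.log" <<'EOF'
01-JAN-2024 10:00:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws1)(USER=dba1))) * (ADDRESS=(PROTOCOL=tcps)(HOST=198.51.100.7)(PORT=50001)) * establish * orcl * 0
01-JAN-2024 10:05:12 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws2)(USER=dba2))) * (ADDRESS=(PROTOCOL=tcp)(HOST=198.51.100.8)(PORT=50002)) * establish * orcl * 0
EOF

listener_requires_tcps "$tmp/listener_dba.ora" && echo "DBA listener: TCPS only"
fips_mode_enabled "$tmp/fips_on.ora" && echo "fips.ora: FIPS 140-2 mode on"
echo "unencrypted sessions in log: $(count_unencrypted_connects "$tmp/listener.log")"
```

On a real host, point the functions at the dedicated listener's listener.ora, the fips.ora under $ORACLE_HOME/ldap/admin (or FIPS_HOME) and the listener log; any non-zero count from the log check is a remote session to investigate.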

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(2), CAT|II, Rule-ID|SV-24687r1_rule, STIG-ID|DG0093-ORACLE11, Vuln-ID|V-3825

Plugin: Unix

Control ID: 0b090ab486b5a5b78cca672b790292193d55ffd401146ffcc3c39bea31739327