From edcdd587013cffaf4db890a738d08d4a6f451444 Mon Sep 17 00:00:00 2001 From: MITRE SAF Date: Fri, 29 Sep 2023 00:27:33 +0000 Subject: [PATCH] Automated ingestion of profiles Signed-off-by: MITRE SAF --- ...rds-oracle-database-12c-stig-baseline.json | 7384 ++++---- ...onical-ubuntu-16.04-lts-stig-baseline.json | 9658 +++++----- ...ql-server-2014-database-stig-baseline.json | 1392 +- ...ql-server-2014-instance-stig-baseline.json | 3192 ++-- .../microsoft-windows-10-stig-baseline.json | 10560 +++++------ ...oft-windows-server-2016-stig-baseline.json | 10554 +++++------ ...oft-windows-server-2019-stig-baseline.json | 11518 ++++++------ ...b-enterprise-advanced-3-stig-baseline.json | 1814 +- .../data/baselineProfiles/nginx-baseline.json | 1224 +- .../nginx-stigready-baseline.json | 3094 ++-- .../oracle-database-12c-stig-baseline.json | 6896 +++---- ...time-environment-7-unix-stig-baseline.json | 302 +- ...time-environment-8-unix-stig-baseline.json | 454 +- .../oracle-mysql-ee-5.7-cis-baseline.json | 1650 +- .../baselineProfiles/pgstigcheck-inspec.json | 3916 ++-- ...dhat-enterprise-linux-6-stig-baseline.json | 9126 +++++----- ...dhat-enterprise-linux-7-stig-baseline.json | 11664 ++++++------ ...dhat-enterprise-linux-8-stig-baseline.json | 14952 ++++++++-------- ...pplication-platform-6.3-stig-baseline.json | 2284 +-- ...security-configuration-guide-baseline.json | 226 +- 20 files changed, 55930 insertions(+), 55930 deletions(-) diff --git a/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json b/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json index 4677f802..ad913427 100644 --- a/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json +++ b/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json 
@@ -20,28 +20,24 @@ "supports": [], "controls": [ { - "title": "The DBMS must terminate the network connection associated with a\n communications session at the end of the session or 15 minutes of inactivity.", - "desc": "Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure all sessions and network\n connections are terminated when non-local maintenance is completed.\n\n When network connections are left open after the database session has\n closed, the network session is open to session hijacking.\n\n The Oracle Listener inherently meets most of this SRG requirement. When a\n user logs off, or times out, or encounters an unrecoverable network fault, the\n Oracle Listener terminates all sessions and network connections. 
The remaining\n aspect of the requirement, the timeout because of inactivity, is configurable.", + "title": "Credentials stored and used by the DBMS to access remote databases or\n applications must be authorized and restricted to authorized users.", + "desc": "Credentials defined for access to remote databases or applications may\n provide unauthorized access to additional databases and applications to\n unauthorized or malicious users.", "descriptions": { - "default": "Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure all sessions and network\n connections are terminated when non-local maintenance is completed.\n\n When network connections are left open after the database session has\n closed, the network session is open to session hijacking.\n\n The Oracle Listener inherently meets most of this SRG requirement. When a\n user logs off, or times out, or encounters an unrecoverable network fault, the\n Oracle Listener terminates all sessions and network connections. The remaining\n aspect of the requirement, the timeout because of inactivity, is configurable." + "default": "Credentials defined for access to remote databases or applications may\n provide unauthorized access to additional databases and applications to\n unauthorized or malicious users." 
}, - "impact": 0.5, - "refs": [ - { - "ref": [] - } - ], + "impact": 0, + "refs": [], "tags": { - "gtitle": "SRG-APP-000190-DB-000137", - "gid": "V-61757", - "rid": "SV-76247r2_rule", - "stig_id": "O121-C2-016500", - "fix_id": "F-67673r2_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61507", + "rid": "SV-75997r1_rule", + "stig_id": "O121-BP-025200", + "fix_id": "F-67423r1_fix", "cci": [ - "CCI-001133" + "CCI-000366" ], "nist": [ - "SC-10", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -54,39 +50,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review DBMS settings, OS settings, and vendor documentation to\n verify network connections are terminated when a database communications\n session is ended or after 15 minutes of inactivity.\n\n If the network connection is not terminated, this is a finding.\n\n The defined duration for these timeouts 15 minutes, except to fulfill\n documented and validated mission requirements.", - "fix": "Configure DBMS and/or OS settings to disconnect network sessions\n when database communication sessions have ended or after the DoD-defined period\n of inactivity.\n\n To configure this in Oracle, modify each relevant profile. The resource name\n is IDLE_TIME, which is expressed in minutes. Using PPPPPP as an example of a\n profile, set the timeout to 15 minutes with:\n ALTER PROFILE PPPPPP LIMIT IDLE_TIME 15;" + "check": "Review the list of defined database links generated from the\n DBMS.\n\n Compare to the list in the System Security Plan with the DBA.\n\n If no database links are listed in the database and in the System Security\n Plan, this check is not a finding.\n\n If any database links are defined in the DBMS, verify the authorization for the\n definition in the System Security Plan.\n\n If any database links exist that are not authorized or not listed in the System\n Security Plan, this is a finding.", + "fix": "Grant access to database links to authorized users or\n applications only.\n\n Document all database links access authorizations in the System Security Plan." 
}, - "code": "control 'V-61757' do\n title \"The DBMS must terminate the network connection associated with a\n communications session at the end of the session or 15 minutes of inactivity.\"\n desc \"Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure all sessions and network\n connections are terminated when non-local maintenance is completed.\n\n When network connections are left open after the database session has\n closed, the network session is open to session hijacking.\n\n The Oracle Listener inherently meets most of this SRG requirement. When a\n user logs off, or times out, or encounters an unrecoverable network fault, the\n Oracle Listener terminates all sessions and network connections. 
The remaining\n aspect of the requirement, the timeout because of inactivity, is configurable.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000190-DB-000137'\n tag \"gid\": 'V-61757'\n tag \"rid\": 'SV-76247r2_rule'\n tag \"stig_id\": 'O121-C2-016500'\n tag \"fix_id\": 'F-67673r2_fix'\n tag \"cci\": ['CCI-001133']\n tag \"nist\": ['SC-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings, OS settings, and vendor documentation to\n verify network connections are terminated when a database communications\n session is ended or after 15 minutes of inactivity.\n\n If the network connection is not terminated, this is a finding.\n\n The defined duration for these timeouts 15 minutes, except to fulfill\n documented and validated mission requirements.\"\n tag \"fix\": \"Configure DBMS and/or OS settings to disconnect network sessions\n when database communication sessions have ended or after the DoD-defined period\n of inactivity.\n\n To configure this in Oracle, modify each relevant profile. The resource name\n is IDLE_TIME, which is expressed in minutes. 
Using PPPPPP as an example of a\n profile, set the timeout to 15 minutes with:\n ALTER PROFILE PPPPPP LIMIT IDLE_TIME 15;\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'IDLE_TIME'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n idle_time = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database idele time for profile: #{profile}\" do\n subject { idle_time }\n it { should cmp <= 15 }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", + "code": "control 'V-61507' do\n title \"Credentials stored and used by the DBMS to access remote databases or\n applications must be authorized and restricted to authorized users.\"\n desc \"Credentials defined for access to remote databases or applications may\n provide unauthorized access to additional databases and applications to\n unauthorized or malicious users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61507'\n tag \"rid\": 'SV-75997r1_rule'\n tag \"stig_id\": 'O121-BP-025200'\n tag \"fix_id\": 'F-67423r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the list of defined database links generated from the\n 
DBMS.\n\n Compare to the list in the System Security Plan with the DBA.\n\n If no database links are listed in the database and in the System Security\n Plan, this check is not a finding.\n\n If any database links are defined in the DBMS, verify the authorization for the\n definition in the System Security Plan.\n\n If any database links exist that are not authorized or not listed in the System\n Security Plan, this is a finding.\"\n tag \"fix\": \"Grant access to database links to authorized users or\n applications only.\n\n Document all database links access authorizations in the System Security Plan.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n db_links = sql.query('SELECT DB_LINK FROM DBA_DB_LINKS;').column('db_link').uniq\n if db_links.empty?\n impact 0.0\n describe 'There are no oracle database links defined, control N/A' do\n skip 'There are no oracle database links defined, control N/A'\n end\n else\n db_links.each do |link|\n describe \"The defined oracle database link: #{link}\" do\n subject { link }\n it { should be_in input('allowed_db_links') }\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61757.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61507.rb", "line": 1 }, - "id": "V-61757" + "id": "V-61507" }, { - "title": "The DBMS must protect against or limit the effects of\n organization-defined types of Denial of Service (DoS) attacks.", - "desc": "A variety of technologies exist to limit, or in some cases, eliminate\n the effects of DoS attacks. 
For example, boundary protection devices can filter\n certain types of packets to protect devices on an organization's internal\n network from being directly affected by DoS attacks.\n\n Employing increased capacity and bandwidth combined with service redundancy\n may reduce the susceptibility to some DoS attacks.\n\n Some of the ways databases can limit their exposure to DoS attacks are\n through limiting the number of connections that can be opened by a single user\n and database clustering.", + "title": "Unauthorized database links must not be defined and active.", + "desc": "DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system.", "descriptions": { - "default": "A variety of technologies exist to limit, or in some cases, eliminate\n the effects of DoS attacks. For example, boundary protection devices can filter\n certain types of packets to protect devices on an organization's internal\n network from being directly affected by DoS attacks.\n\n Employing increased capacity and bandwidth combined with service redundancy\n may reduce the susceptibility to some DoS attacks.\n\n Some of the ways databases can limit their exposure to DoS attacks are\n through limiting the number of connections that can be opened by a single user\n and database clustering." 
+ "default": "DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system." }, "impact": 0, - "refs": [ - { - "ref": [] - } - ], + "refs": [], "tags": { - "gtitle": "SRG-APP-000245-DB-000132", - "gid": "V-61783", - "rid": "SV-76273r1_rule", - "stig_id": "O121-C2-019100", - "fix_id": "F-67699r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61451", + "rid": "SV-75941r1_rule", + "stig_id": "O121-BP-023200", + "fix_id": "F-67367r1_fix", "cci": [ - "CCI-002385" + "CCI-000366" ], "nist": [ - "SC-5", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -99,35 +91,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review DBMS settings to verify the DBMS implements measures to\n limit the effects of the organization-defined types of Denial of Service (DoS)\n attacks.\n\n If measures have not been implemented, this is a finding.\n\n Check the $ORACLE_HOME/network/admin/listener.ora to see if a Rate Limit has\n been established. A rate limit is used to prevent denial of service (DOS)\n attacks on a database or to control a logon storm such as may be caused by an\n application server reboot.\n\n - - - - -\n Example of a listener configuration with rate limiting in effect:\n\n CONNECTION_RATE_LISTENER=10\n\n LISTENER=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=yes))\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=yes))\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526))\n )\n LISTENER=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521)(RATE_LIMIT=8))\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1522)(RATE_LIMIT=12))\n (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1526))\n )", - "fix": "Implement measures to limit the effects of organization-defined\n types of Denial of Service attacks.\n\n Modify the $ORACLE_HOME/network/admin/listener.ora to establish a Rate Limit." 
+ "check": "From SQL*Plus:\n select db_link||': '||host from dba_db_links;\n\n If no links are returned, this check is not a finding.\n\n Review documentation for definitions of authorized database links to external\n interfaces.\n\n The documentation should include:\n\n - Any remote access to the database\n - The purpose or function of the remote connection\n - Any access to data or procedures stored externally to the local DBMS\n - Any network ports or protocols used by remote connections, whether the remote\n connection is to a production, test, or development system\n - Any security accounts used by DBMS to access remote resources or objects\n\n If any unauthorized database links are defined or the definitions do not match\n the documentation, this is a finding.\n\n Note: findings for production-development links under this check are assigned\n to the production database only.\n\n If any database links are defined between the production database and any test\n or development databases, this is a finding.\n\n If remote interface documentation does not exist or is incomplete, this is a\n finding.", + "fix": "Document all remote or external interfaces used by the DBMS to\n connect to or allow connections from remote or external sources.\n\n Include with the documentation as appropriate, any network ports or protocols,\n security accounts, and the sensitivity of any data exchanged.\n\n Do not define or configure database links between production databases and test\n or development databases.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates." 
}, - "code": " control 'V-61783' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61451' do\n title 'Unauthorized database links must not be defined and active.'\n desc \"DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. 
Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61451'\n tag \"rid\": 'SV-75941r1_rule'\n tag \"stig_id\": 'O121-BP-023200'\n tag \"fix_id\": 'F-67367r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n select db_link||': '||host from dba_db_links;\n\n If no links are returned, this check is not a finding.\n\n Review documentation for definitions of authorized database links to external\n interfaces.\n\n The documentation should include:\n\n - Any remote access to the database\n - The purpose or function of the remote connection\n - Any access to data or procedures stored externally to the local DBMS\n - Any network ports or protocols used by remote connections, whether the remote\n connection is to a production, test, or development system\n - Any security accounts used by DBMS to access remote resources or objects\n\n If any unauthorized database links are defined or the definitions do not match\n the documentation, this is a finding.\n\n Note: findings for production-development links under this check are assigned\n to the production database only.\n\n If any database links are defined between the production database and any test\n or development databases, this is a finding.\n\n If remote interface documentation does not exist or is incomplete, this is a\n finding.\"\n tag \"fix\": \"Document all remote or external interfaces used by the DBMS to\n connect to or allow connections from remote or 
external sources.\n\n Include with the documentation as appropriate, any network ports or protocols,\n security accounts, and the sensitivity of any data exchanged.\n\n Do not define or configure database links between production databases and test\n or development databases.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n db_links = sql.query('SELECT DB_LINK FROM DBA_DB_LINKS;').column('db_link').uniq\n if db_links.empty?\n impact 0.0\n describe 'There are no oracle database links defined, control N/A' do\n skip 'There are no oracle database links defined, control N/A'\n end\n else\n db_links.each do |link|\n describe \"The defined oracle database link: #{link}\" do\n subject { link }\n it { should be_in input('allowed_db_links') }\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61783.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61451.rb", "line": 1 }, - "id": "V-61783" + "id": "V-61451" }, { - "title": "The DBMS must preserve any organization-defined system state\n information in the event of a system failure.", - "desc": "Failure in a known state can address safety or security in accordance\n with the mission/business needs of the organization. 
Failure in a known secure\n state helps prevent a loss of confidentiality, integrity, or availability in\n the event of a failure of the information system or a component of the system.\n\n Preserving information system state information helps to facilitate system\n restart and return to the operational mode of the organization with less\n disruption of mission/business processes.", + "title": "The Oracle SQL92_SECURITY parameter must be set to TRUE.", + "desc": "The configuration option SQL92_SECURITY specifies whether table-level\n SELECT privileges are required to execute an update or delete that references\n table column values. If this option is disabled (set to FALSE), the UPDATE\n privilege can be used to determine values that should require SELECT privileges.\n\n The SQL92_SECURITY setting of TRUE prevents the exploitation of user\n credentials with only DELETE or UPDATE privileges on a table from being able to\n derive column values in that table by performing a series of update/delete\n statements using a where clause, and rolling back the change. In the following\n example, with SQL92_SECURITY set to FALSE, a user with only delete privilege on\n the scott.emp table is able to derive that there is one employee with a salary\n greater than 3000. With SQL92_SECURITY set to TRUE, that user is prevented from\n attempting to derive a value.\n\n SQL92_SECURITY = FALSE\n SQL> delete from scott.emp where sal > 3000;\n 1 row deleted\n SQL> rollback;\n Rollback complete\n\n SQL92_SECURITY = TRUE\n SQL> delete from scott.emp where sal > 3000;\n delete from scott.emp where sal > 3000\n *\n ERROR at line 1:\n ORA-01031: insufficient privileges", "descriptions": { - "default": "Failure in a known state can address safety or security in accordance\n with the mission/business needs of the organization. 
Failure in a known secure\n state helps prevent a loss of confidentiality, integrity, or availability in\n the event of a failure of the information system or a component of the system.\n\n Preserving information system state information helps to facilitate system\n restart and return to the operational mode of the organization with less\n disruption of mission/business processes." + "default": "The configuration option SQL92_SECURITY specifies whether table-level\n SELECT privileges are required to execute an update or delete that references\n table column values. If this option is disabled (set to FALSE), the UPDATE\n privilege can be used to determine values that should require SELECT privileges.\n\n The SQL92_SECURITY setting of TRUE prevents the exploitation of user\n credentials with only DELETE or UPDATE privileges on a table from being able to\n derive column values in that table by performing a series of update/delete\n statements using a where clause, and rolling back the change. In the following\n example, with SQL92_SECURITY set to FALSE, a user with only delete privilege on\n the scott.emp table is able to derive that there is one employee with a salary\n greater than 3000. 
With SQL92_SECURITY set to TRUE, that user is prevented from\n attempting to derive a value.\n\n SQL92_SECURITY = FALSE\n SQL> delete from scott.emp where sal > 3000;\n 1 row deleted\n SQL> rollback;\n Rollback complete\n\n SQL92_SECURITY = TRUE\n SQL> delete from scott.emp where sal > 3000;\n delete from scott.emp where sal > 3000\n *\n ERROR at line 1:\n ORA-01031: insufficient privileges" }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000226-DB-000147", - "gid": "V-61769", - "rid": "SV-76259r3_rule", - "stig_id": "O121-C2-018200", - "fix_id": "F-67685r5_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61429", + "rid": "SV-75919r1_rule", + "stig_id": "O121-BP-022100", + "fix_id": "F-67345r1_fix", "cci": [ - "CCI-001665" + "CCI-000366" ], "nist": [ - "SC-24", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -140,35 +132,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the database is used solely for transient data (such as one\n dedicated to Extract-Transform-Load (ETL)), and a clear plan exists for the\n recovery of the database by means other than archiving, this is not a finding.\n\n If it has been determined that up-to-the second recovery is not necessary and\n this fact is recorded in the system documentation, with appropriate approval,\n this is not a finding.\n\n Check DBMS settings to determine whether system state information is being\n preserved in the event of a system failure.\n\n The necessary state information is defined as \"information necessary to\n determine cause of failure and to return to operations with least disruption to\n mission/business processes\".\n\n Oracle creates what is known as archive logs. Archive logs contain information\n required to replay a transaction should something happen. The redo logs are\n also used to copy transactions or pieces of transactions.\n\n Issue the following commands to check the status of archive log mode:\n\n $ sqlplus connect as sysdba --Check current archivelog mode in database\n\n SQL> archive log list\n Database log mode Archive Mode\n Automatic archival Enabled\n Archive destination /home/oracle/app/oracle/arc2/ORCL\n Oldest online log sequence 433\n Next log sequence to archive 435\n Current log sequence 435\n\n If archive log mode is not enabled, this is a finding.", - "fix": "Configure DBMS settings to preserve all required system state\n information in the event of a system failure.\n\n If the database is not in archive log mode, issue the following commands to put\n the database in archive log mode. 
The database must be normally shutdown and\n restarted before it can be placed in archive log mode.\n\n $ sqlplus connect as sysdba -- stop and dismount database and shutdown instance.\n SQL> shutdown immediate;\n\n Database closed.\n Database dismounted.\n ORACLE instance shut down.\n\n SQL> startup mount; -- Restart instance.\n\n ORACLE instance started.\n Total System Global Area 1653518336 bytes\n Fixed Size 2228904 bytes\n Variable Size 1325403480 bytes\n Database Buffers 318767104 bytes\n Redo Buffers 7118848 bytes\n Database mounted.\n\n SQL> alter database archivelog; -- Enable ArchiveLog\n Database altered.\n\n SQL> alter database open; -- Re-open database\n Database altered.\n\n Issue the following command to see the new status:\n SQL> select log_mode from v$database;\n\n LOG_MODE\n ------------\n ARCHIVELOG\n\n SQL> archive log list;\n\n Database log mode Archive Mode\n Automatic archival Enabled\n Archive destination USE_DB_RECOVERY_FILE_DEST\n Oldest online log sequence 294\n Next log sequence to archive 296\n Current log sequence 296\n\n The database is now in archive log mode, and transactions are either being\n recorded to transport to another database or being re-applied if the database\n becomes corrupt and needs to be restored from the last backup. Use the redo\n logs to replay transactions not captured in the backup." + "check": "From SQL*Plus:\n\n select value from v$parameter where name = 'sql92_security';\n\n If the value returned is set to FALSE, this is a finding.\n\n If the parameter is set to TRUE or does not exist, this is not a finding.", + "fix": "Enable SQL92 security.\n\n From SQL*Plus:\n\n alter system set sql92_security = TRUE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." 
}, - "code": "control 'V-61769' do\n title \"The DBMS must preserve any organization-defined system state\n information in the event of a system failure.\"\n desc \"Failure in a known state can address safety or security in accordance\n with the mission/business needs of the organization. Failure in a known secure\n state helps prevent a loss of confidentiality, integrity, or availability in\n the event of a failure of the information system or a component of the system.\n\n Preserving information system state information helps to facilitate system\n restart and return to the operational mode of the organization with less\n disruption of mission/business processes.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000226-DB-000147'\n tag \"gid\": 'V-61769'\n tag \"rid\": 'SV-76259r3_rule'\n tag \"stig_id\": 'O121-C2-018200'\n tag \"fix_id\": 'F-67685r5_fix'\n tag \"cci\": ['CCI-001665']\n tag \"nist\": ['SC-24', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the database is used solely for transient data (such as one\n dedicated to Extract-Transform-Load (ETL)), and a clear plan exists for the\n recovery of the database by means other than archiving, this is not a finding.\n\n If it has been determined that up-to-the second recovery is not necessary and\n this fact is recorded in the system documentation, with appropriate approval,\n this is not a finding.\n\n Check DBMS settings to determine whether system state information is being\n preserved in the event of a system failure.\n\n The necessary state information is defined as \\\"information necessary to\n determine cause of failure and to return to operations with least disruption to\n mission/business 
processes\\\".\n\n Oracle creates what is known as archive logs. Archive logs contain information\n required to replay a transaction should something happen. The redo logs are\n also used to copy transactions or pieces of transactions.\n\n Issue the following commands to check the status of archive log mode:\n\n $ sqlplus connect as sysdba --Check current archivelog mode in database\n\n SQL> archive log list\n Database log mode Archive Mode\n Automatic archival Enabled\n Archive destination /home/oracle/app/oracle/arc2/ORCL\n Oldest online log sequence 433\n Next log sequence to archive 435\n Current log sequence 435\n\n If archive log mode is not enabled, this is a finding.\"\n tag \"fix\": \"Configure DBMS settings to preserve all required system state\n information in the event of a system failure.\n\n If the database is not in archive log mode, issue the following commands to put\n the database in archive log mode. The database must be normally shutdown and\n restarted before it can be placed in archive log mode.\n\n $ sqlplus connect as sysdba -- stop and dismount database and shutdown instance.\n SQL> shutdown immediate;\n\n Database closed.\n Database dismounted.\n ORACLE instance shut down.\n\n SQL> startup mount; -- Restart instance.\n\n ORACLE instance started.\n Total System Global Area 1653518336 bytes\n Fixed Size 2228904 bytes\n Variable Size 1325403480 bytes\n Database Buffers 318767104 bytes\n Redo Buffers 7118848 bytes\n Database mounted.\n\n SQL> alter database archivelog; -- Enable ArchiveLog\n Database altered.\n\n SQL> alter database open; -- Re-open database\n Database altered.\n\n Issue the following command to see the new status:\n SQL> select log_mode from v$database;\n\n LOG_MODE\n ------------\n ARCHIVELOG\n\n SQL> archive log list;\n\n Database log mode Archive Mode\n Automatic archival Enabled\n Archive destination USE_DB_RECOVERY_FILE_DEST\n Oldest online log sequence 294\n Next log sequence to archive 296\n Current log sequence 
296\n\n The database is now in archive log mode, and transactions are either being\n recorded to transport to another database or being re-applied if the database\n becomes corrupt and needs to be restored from the last backup. Use the redo\n logs to replay transactions not captured in the backup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n log_mode = sql.query('select log_mode from v$database;').column('log_mode')\n\n describe 'The list of oracle database log mode' do\n subject { log_mode }\n it { should cmp 'ARCHIVELOG' }\n end\nend\n", + "code": "control 'V-61429' do\n title 'The Oracle SQL92_SECURITY parameter must be set to TRUE.'\n desc \"The configuration option SQL92_SECURITY specifies whether table-level\n SELECT privileges are required to execute an update or delete that references\n table column values. If this option is disabled (set to FALSE), the UPDATE\n privilege can be used to determine values that should require SELECT privileges.\n\n The SQL92_SECURITY setting of TRUE prevents the exploitation of user\n credentials with only DELETE or UPDATE privileges on a table from being able to\n derive column values in that table by performing a series of update/delete\n statements using a where clause, and rolling back the change. In the following\n example, with SQL92_SECURITY set to FALSE, a user with only delete privilege on\n the scott.emp table is able to derive that there is one employee with a salary\n greater than 3000. 
With SQL92_SECURITY set to TRUE, that user is prevented from\n attempting to derive a value.\n\n SQL92_SECURITY = FALSE\n SQL> delete from scott.emp where sal > 3000;\n 1 row deleted\n SQL> rollback;\n Rollback complete\n\n SQL92_SECURITY = TRUE\n SQL> delete from scott.emp where sal > 3000;\n delete from scott.emp where sal > 3000\n *\n ERROR at line 1:\n ORA-01031: insufficient privileges\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61429'\n tag \"rid\": 'SV-75919r1_rule'\n tag \"stig_id\": 'O121-BP-022100'\n tag \"fix_id\": 'F-67345r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = 'sql92_security';\n\n If the value returned is set to FALSE, this is a finding.\n\n If the parameter is set to TRUE or does not exist, this is not a finding.\"\n tag \"fix\": \"Enable SQL92 security.\n\n From SQL*Plus:\n\n alter system set sql92_security = TRUE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = 'sql92_security';\").column('value')\n\n describe 'The oracle database SQL92_SECURITY parameter' do\n subject { parameter }\n it { should cmp 'TRUE' }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61769.rb", + "ref": 
"/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61429.rb", "line": 1 }, - "id": "V-61769" + "id": "V-61429" }, { - "title": "The Oracle REMOTE_LOGIN_PASSWORDFILE parameter must be set to\n EXCLUSIVE or NONE.", - "desc": "The REMOTE_LOGIN_PASSWORDFILE setting of \"NONE\" disallows remote\n administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of\n \"EXCLUSIVE\" allows for auditing of individual DBA logons to the SYS account.\n If not set to \"EXCLUSIVE\", remote connections to the database as \"internal\"\n or \"as SYSDBA\" are not logged to an individual account.", + "title": "The DBMS must support organizational requirements to enforce password\n complexity by the number of numeric characters used.", + "desc": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", "descriptions": { - "default": "The REMOTE_LOGIN_PASSWORDFILE setting of \"NONE\" disallows remote\n administration of the database. 
The REMOTE_LOGIN_PASSWORDFILE setting of\n \"EXCLUSIVE\" allows for auditing of individual DBA logons to the SYS account.\n If not set to \"EXCLUSIVE\", remote connections to the database as \"internal\"\n or \"as SYSDBA\" are not logged to an individual account."
+ "default": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle."
 },
 "impact": 0.5,
- "refs": [],
+ "refs": [
+ {
+ "ref": []
+ }
+ ],
 "tags": {
- "gtitle": "SRG-APP-000516-DB-999900",
- "gid": "V-61431",
- "rid": "SV-75921r2_rule",
- "stig_id": "O121-BP-022200",
- "fix_id": "F-67347r2_fix",
+ "gtitle": "SRG-APP-000168-DB-000072",
+ "gid": "V-61727",
+ "rid": "SV-76217r1_rule",
+ "stig_id": "O121-C2-014300",
+ "fix_id": "F-67643r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000194"
 ],
 "nist": [
- "CM-6 b",
+ "IA-5 (1) (a)",
 "Rev_4"
 ],
 "false_negatives": null,
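Review bot: The new V-61429 control code fails when `v$parameter` returns no row, while its own check text says "If the parameter is set to TRUE or does not exist, this is not a finding" — `subject { parameter }` with `it { should cmp 'TRUE' }` cannot pass on an empty result. On 12c the parameter presumably always exists, so this is likely moot in practice, but the documented check and the automated test should agree: either drop the "does not exist" clause from the check text or wrap the assertion in a `describe.one` that also accepts `parameter.empty?`. Since this JSON is produced by automated ingestion, the correction belongs in the upstream `controls/V-61429.rb` named in `source_location` rather than in this file.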
@@ -181,35 +177,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "From SQL*Plus:\n\n select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE';\n\n If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a finding.", - "fix": "Disable use of the REMOTE_LOGIN_PASSWORDFILE where remote\n administration is not authorized by specifying a value of NONE.\n\n If authorized, restrict use of a password file to exclusive use by each\n database by specifying a value of EXCLUSIVE.\n\n From SQL*Plus:\n\n alter system set REMOTE_LOGIN_PASSWORDFILE = 'EXCLUSIVE' scope = spfile;\n\n OR\n\n alter system set REMOTE_LOGIN_PASSWORDFILE = 'NONE' scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." + "check": "If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of numeric\n characters (1 unless otherwise specified), this is a finding.", + "fix": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user accounts are managed by Oracle: 
Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the starting point\n for a customized function.)" }, - "code": "control 'V-61431' do\n title \"The Oracle REMOTE_LOGIN_PASSWORDFILE parameter must be set to\n EXCLUSIVE or NONE.\"\n desc \"The REMOTE_LOGIN_PASSWORDFILE setting of \\\"NONE\\\" disallows remote\n administration of the database. The REMOTE_LOGIN_PASSWORDFILE setting of\n \\\"EXCLUSIVE\\\" allows for auditing of individual DBA logons to the SYS account.\n If not set to \\\"EXCLUSIVE\\\", remote connections to the database as \\\"internal\\\"\n or \\\"as SYSDBA\\\" are not logged to an individual account.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61431'\n tag \"rid\": 'SV-75921r2_rule'\n tag \"stig_id\": 'O121-BP-022200'\n tag \"fix_id\": 'F-67347r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE';\n\n If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a finding.\"\n tag \"fix\": \"Disable use of the REMOTE_LOGIN_PASSWORDFILE where remote\n administration is not authorized by specifying a value of NONE.\n\n If authorized, restrict use of a password file to exclusive use by each\n database by specifying a value of EXCLUSIVE.\n\n From SQL*Plus:\n\n alter system set REMOTE_LOGIN_PASSWORDFILE = 'EXCLUSIVE' scope = spfile;\n\n OR\n\n alter system set 
REMOTE_LOGIN_PASSWORDFILE = 'NONE' scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where upper(name) = 'REMOTE_LOGIN_PASSWORDFILE';\").column('value')\n\n describe.one do\n describe 'The oracle database REMOTE_LOGIN_PASSWORDFILE parameter' do\n subject { parameter }\n it { should cmp 'EXCLUSIVE' }\n end\n\n describe 'The oracle database REMOTE_LOGIN_PASSWORDFILE parameter' do\n subject { parameter }\n it { should cmp 'NONE' }\n end\n end\nend\n", + "code": "control 'V-61727' do\n title \"The DBMS must support organizational requirements to enforce password\n complexity by the number of numeric characters used.\"\n desc \"Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000168-DB-000072'\n tag \"gid\": 'V-61727'\n tag \"rid\": 'SV-76217r1_rule'\n tag \"stig_id\": 'O121-C2-014300'\n tag \"fix_id\": 'F-67643r1_fix'\n tag \"cci\": ['CCI-000194']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of numeric\n characters (1 unless otherwise specified), this is a finding.\"\n tag \"fix\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user accounts are managed by 
Oracle: Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the starting point\n for a customized function.)\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_verify_function = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database account password verify function for profile: #{profile}\" do\n subject { password_verify_function }\n it { should_not eq ['NULL'] }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61431.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61727.rb", "line": 1 }, - "id": "V-61431" + "id": "V-61727" }, { - "title": "DBMS default accounts must be assigned custom passwords.", - "desc": "Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. 
If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations.", + "title": "Remote database or other external access must use fully-qualified\n names.", + "desc": "The Oracle GLOBAL_NAMES parameter is used to set the requirement for\n database link names to be the same name as the remote database whose connection\n they define. By using the same name for both, ambiguity is avoided and\n unauthorized or unintended connections to remote databases are less likely.", "descriptions": { - "default": "Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations." + "default": "The Oracle GLOBAL_NAMES parameter is used to set the requirement for\n database link names to be the same name as the remote database whose connection\n they define. By using the same name for both, ambiguity is avoided and\n unauthorized or unintended connections to remote databases are less likely." 
},
- "impact": 0.7,
+ "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000174-DB-000078",
- "gid": "V-61541",
- "rid": "SV-76031r1_rule",
- "stig_id": "O121-C1-015000",
- "fix_id": "F-67457r1_fix",
+ "gtitle": "SRG-APP-000516-DB-999900",
+ "gid": "V-61529",
+ "rid": "SV-76019r1_rule",
+ "stig_id": "O121-BP-026300",
+ "fix_id": "F-67445r1_fix",
 "cci": [
- "CCI-000199"
+ "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (d)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
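Review bot: The V-61727 control code on the new side builds its per-profile query with `format(query, profile: profile)` against a template that uses a positional `%s` placeholder; as far as I can tell Ruby treats the keyword hash as a single positional argument here, so the WHERE clause becomes `PROFILE = '{:profile=>"DEFAULT"}'`, matches nothing, and `password_verify_function` is always `[]`. Because the only assertion is `it { should_not eq ['NULL'] }`, an empty result passes, so the control reports compliant for every profile regardless of whether a password verification function is set. The minimal correction is `password_verify_function = sql.query(format(query, profile)).column('limit')` plus a guard such as `it { should_not be_empty }` so a query that returns no row is a failure rather than a silent pass. The file is an ingestion artefact, so the change belongs in the upstream `controls/V-61727.rb` referenced in `source_location`.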
@@ -222,35 +218,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Use this query to identify the Oracle-supplied accounts that\n still have their default passwords:\n SELECT * FROM SYS.DBA_USERS_WITH_DEFPWD;\n\n If any accounts other than XS$NULL are listed, this is a finding.\n\n (XS$NULL is an internal account that represents the absence of a user in a\n session. Because XS$NULL is not a user, this account can only be accessed by\n the Oracle Database instance. XS$NULL has no privileges and no one can\n authenticate as XS$NULL, nor can authentication credentials ever be assigned to\n XS$NULL.)", - "fix": "Change passwords for DBMS accounts to non-default values. Where\n necessary, unlock or enable accounts to change the password, and then return\n the account to disabled or locked status." + "check": "From SQL*Plus:\n\n select value from v$parameter where name = 'global_names';\n\n If the value returned is FALSE, this is a finding.", + "fix": "From SQL*Plus:\n\n alter system set global_names = TRUE scope = spfile;\n\n Note: This parameter, if changed, will affect all currently defined Oracle\n database links.\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." }, - "code": "control 'V-61541' do\n title 'DBMS default accounts must be assigned custom passwords.'\n desc \"Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. 
If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000174-DB-000078'\n tag \"gid\": 'V-61541'\n tag \"rid\": 'SV-76031r1_rule'\n tag \"stig_id\": 'O121-C1-015000'\n tag \"fix_id\": 'F-67457r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Use this query to identify the Oracle-supplied accounts that\n still have their default passwords:\n SELECT * FROM SYS.DBA_USERS_WITH_DEFPWD;\n\n If any accounts other than XS$NULL are listed, this is a finding.\n\n (XS$NULL is an internal account that represents the absence of a user in a\n session. Because XS$NULL is not a user, this account can only be accessed by\n the Oracle Database instance. XS$NULL has no privileges and no one can\n authenticate as XS$NULL, nor can authentication credentials ever be assigned to\n XS$NULL.)\"\n tag \"fix\": \"Change passwords for DBMS accounts to non-default values. 
Where\n necessary, unlock or enable accounts to change the password, and then return\n the account to disabled or locked status.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n sys_dba_users_with_defpwd = sql.query(' SELECT username FROM SYS.DBA_USERS_WITH_DEFPWD;').column('username').uniq\n\n describe.one do\n sys_dba_users_with_defpwd.each do |user|\n describe \"The oracle system database user: #{user} with a default password\" do\n subject { user }\n it { should cmp 'XS$NULL' }\n end\n end\n \n describe sys_dba_users_with_defpwd do\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'V-61529' do\n title \"Remote database or other external access must use fully-qualified\n names.\"\n desc \"The Oracle GLOBAL_NAMES parameter is used to set the requirement for\n database link names to be the same name as the remote database whose connection\n they define. By using the same name for both, ambiguity is avoided and\n unauthorized or unintended connections to remote databases are less likely.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61529'\n tag \"rid\": 'SV-76019r1_rule'\n tag \"stig_id\": 'O121-BP-026300'\n tag \"fix_id\": 'F-67445r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = 'global_names';\n\n If the value returned is FALSE, this is a finding.\"\n tag \"fix\": \"From SQL*Plus:\n\n alter system set global_names = TRUE scope = spfile;\n\n Note: This parameter, if changed, will 
affect all currently defined Oracle\n database links.\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = 'global_names';\").column('value')\n\n describe 'The oracle database GLOBAL_NAMES parameter' do\n subject { parameter }\n it { should_not cmp 'FALSE' }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61541.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61529.rb", "line": 1 }, - "id": "V-61541" + "id": "V-61529" }, { - "title": "The DBMS must automatically terminate emergency accounts after an\n organization-defined time period for each type of account.", - "desc": "Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused.", + "title": "Use of the DBMS installation account must be logged.", + "desc": "The DBMS installation account may be used by any authorized user to\n perform DBMS installation or maintenance. Without logging, accountability for\n actions attributed to the account is lost.", "descriptions": { - "default": "Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused." + "default": "The DBMS installation account may be used by any authorized user to\n perform DBMS installation or maintenance. Without logging, accountability for\n actions attributed to the account is lost." }, - "impact": 0.5, - "refs": [], + "impact": 0, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000234-DB-000157", - "gid": "V-61777", - "rid": "SV-76267r1_rule", - "stig_id": "O121-C2-018600", - "fix_id": "F-67693r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61489", + "rid": "SV-75979r1_rule", + "stig_id": "O121-BP-024200", + "fix_id": "F-67405r1_fix", "cci": [ - "CCI-001682" + "CCI-000366" ], "nist": [ - "AC-2 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -263,35 +263,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the organization has a policy, consistently enforced,\n forbidding the creation of emergency or temporary accounts, this is not a\n finding.\n\n Check DBMS settings, OS settings, and/or enterprise-level authentication/access\n mechanisms settings to determine if emergency accounts are being automatically\n terminated by the system after an organization-defined time period. Check also\n for custom code (scheduled jobs, procedures, triggers, etc.) for achieving\n this.\n\n If emergency accounts are not being terminated after an organization-defined\n time period, this is a finding.", - "fix": "Create a profile specifically for emergency or temporary\n accounts. When creating the accounts, assign them to this profile. Configure\n DBMS, OS, and/or enterprise-level authentication/access mechanisms, or\n implement custom code, to terminate accounts with this profile after an\n organization-defined time period." + "check": "Review documented and implemented procedures for monitoring the\n use of the DBMS software installation account in the System Security Plan.\n\n If use of this account is not monitored or procedures for monitoring its use do\n not exist or are incomplete, this is a finding.\n\n Note: On Windows systems, The Oracle DBMS software is installed using an\n account with administrator privileges. Ownership should be reassigned to a\n dedicated OS account used to operate the DBMS software. 
If monitoring does not\n include all accounts with administrator privileges on the DBMS host, this is a\n finding.", + "fix": "Develop, document and implement a logging procedure for use of\n the DBMS software installation account that provides accountability to\n individuals for any actions taken by the account.\n\n Host system audit logs should be included in the DBMS account usage log along\n with an indication of the person who accessed the account and an explanation\n for the access.\n\n Ensure all accounts with administrator privileges are monitored for DBMS host\n on Windows OS platforms." }, - "code": "control 'V-61777' do\n title \"The DBMS must automatically terminate emergency accounts after an\n organization-defined time period for each type of account.\"\n desc \"Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000234-DB-000157'\n tag \"gid\": 'V-61777'\n tag \"rid\": 'SV-76267r1_rule'\n tag \"stig_id\": 'O121-C2-018600'\n tag \"fix_id\": 'F-67693r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the organization has a policy, consistently enforced,\n forbidding the creation of emergency or temporary accounts, this is not a\n finding.\n\n Check DBMS settings, OS settings, and/or enterprise-level authentication/access\n mechanisms settings to determine if emergency accounts are being automatically\n terminated by the system after an organization-defined time period. Check also\n for custom code (scheduled jobs, procedures, triggers, etc.) for achieving\n this.\n\n If emergency accounts are not being terminated after an organization-defined\n time period, this is a finding.\"\n tag \"fix\": \"Create a profile specifically for emergency or temporary\n accounts. When creating the accounts, assign them to this profile. 
Configure\n DBMS, OS, and/or enterprise-level authentication/access mechanisms, or\n implement custom code, to terminate accounts with this profile after an\n organization-defined time period.\"\n describe 'A manual review is required to ensure the DBMS automatically terminates emergency accounts after an\n organization-defined time period for each type of account' do\n skip 'A manual review is required to ensure the DBMS automatically terminates emergency accounts after an\n organization-defined time period for each type of account'\n end\nend\n", + "code": " control 'V-61489' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61777.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61489.rb", "line": 1 }, - "id": "V-61777" + "id": "V-61489" }, { - "title": "The DBMS must prevent unauthorized and unintended information transfer\n via shared system resources.", - "desc": "The purpose of this control is to prevent information, including\n encrypted representations of information, produced by the actions of a prior\n user/role (or the actions of a process acting on behalf of a prior user/role)\n from being available to any current user/role (or current process) that obtains\n access to a shared system resource (e.g., registers, main memory, secondary\n storage) after the resource has been released back to the information system.\n Control of information in shared resources is also referred to as object reuse.\n\n Data used for the development and testing of applications often involves\n copying data from production. 
It is important that specific procedures exist\n for this process, so copies of sensitive data are not misplaced or left in a\n temporary location without the proper controls.", + "title": "DBMS backup and restoration files must be protected from unauthorized\n access.", + "desc": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Lost or compromised DBMS backup and restoration files may lead to not only\n the loss of data, but also the unauthorized access to sensitive data. Backup\n files need the same protections against unauthorized access when stored on\n backup media as when online and actively in use by the database system. In\n addition, the backup media needs to be protected against physical loss. 
Most\n DBMS's maintain online copies of critical control files to provide transparent\n or easy recovery from hard disk loss or other interruptions to database\n operation.", "descriptions": { - "default": "The purpose of this control is to prevent information, including\n encrypted representations of information, produced by the actions of a prior\n user/role (or the actions of a process acting on behalf of a prior user/role)\n from being available to any current user/role (or current process) that obtains\n access to a shared system resource (e.g., registers, main memory, secondary\n storage) after the resource has been released back to the information system.\n Control of information in shared resources is also referred to as object reuse.\n\n Data used for the development and testing of applications often involves\n copying data from production. It is important that specific procedures exist\n for this process, so copies of sensitive data are not misplaced or left in a\n temporary location without the proper controls." + "default": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Lost or compromised DBMS backup and restoration files may lead to not only\n the loss of data, but also the unauthorized access to sensitive data. Backup\n files need the same protections against unauthorized access when stored on\n backup media as when online and actively in use by the database system. 
In\n addition, the backup media needs to be protected against physical loss. Most\n DBMS's maintain online copies of critical control files to provide transparent\n or easy recovery from hard disk loss or other interruptions to database\n operation." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000243-DB-000128", - "gid": "V-61781", - "rid": "SV-76271r1_rule", - "stig_id": "O121-C2-018900", - "fix_id": "F-67697r1_fix", + "gtitle": "SRG-APP-000145-DB-000098", + "gid": "V-61699", + "rid": "SV-76189r1_rule", + "stig_id": "O121-C2-012500", + "fix_id": "F-67615r1_fix", "cci": [ - "CCI-001090" + "CCI-000535" ], "nist": [ - "SC-4", + "CP-9 (a)", "Rev_4" ], "false_negatives": null, 
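Review bot: The `refs` value written for V-61489 in this hunk is `[ { "ref": [] } ]`, while the surrounding controls carry `"refs": []`, so the element is sometimes an empty array and sometimes an array holding an object whose own `ref` is an empty array; a consumer that iterates `refs` and reads `ref` as a reference string will hit a type mismatch on this entry. The shape a control with no references should carry is `"refs": []`, and since the file is produced by automated ingestion the normalisation belongs in the exporter rather than in a hand edit here. The same `[ { "ref": [] } ]` shape is removed from V-61685 in the next hunk, so the mismatch predates this commit and is only moved by it. The diff as a whole also appears to be a reordering of the `controls` array rather than a content change; emitting controls sorted by `id` during ingestion would presumably keep future diffs to the lines that actually changed.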
@@ -304,39 +304,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify there are proper procedures in place for the refreshing\n of development/test data from production. Review any scripts or code that\n exists for the movement of production data to development/test, and verify\n copies of production data are not left in unprotected locations.\n\n If there is no documented procedure for data movement from production to\n development/test, this is a finding.\n\n If the code that exists for data movement does not remove any copies of\n production data from unprotected locations, this is a finding.", - "fix": "Create and document a process for moving data from production to\n development/test systems, and follow the process.\n\n Modify any code used for moving data from production to development/test\n systems to ensure copies of production data are not left in nonsecured\n locations.\n\n Moving data is only a part of the challenge of protecting the data. When the\n data is moved, it should also be changed so sensitive information is not made\n available in development environments.\n\n With the Oracle Data Masking Pack for Oracle Enterprise Manager, organizations\n can comply with data privacy and protection mandates that restrict the use of\n actual customer data. With Oracle Data Masking Pack, sensitive information,\n such as credit card or social security numbers, can be replaced with realistic\n values, allowing production data to be safely used for development, testing, or\n sharing with out-source or off-shore partners for other nonproduction purposes.\n When used in conjunction with Oracle Enterprise Manager, it is easy to develop\n a secure process that is capable of obfuscating the data during the movement\n process.\n\n If the Oracle Data Masking Pack and Enterprise Manager are not available,\n develop site-specific procedures to manage and obfuscate sensitive data." 
+ "check": "Review file protections assigned to online backup and\n restoration files. Review access protections and procedures for off-line backup\n and restoration files.\n\n If backup or restoration files are subject to unauthorized access, this is a\n finding.\n\n It may be necessary to review backup and restoration procedures to determine\n ownership and access during all phases of backup and recovery.", + "fix": "Implement protection for backup and restoration files. Document\n personnel and the level of access authorized for each to the backup and\n restoration files in the system documentation." }, - "code": "control 'V-61781' do\n title \"The DBMS must prevent unauthorized and unintended information transfer\n via shared system resources.\"\n desc \"The purpose of this control is to prevent information, including\n encrypted representations of information, produced by the actions of a prior\n user/role (or the actions of a process acting on behalf of a prior user/role)\n from being available to any current user/role (or current process) that obtains\n access to a shared system resource (e.g., registers, main memory, secondary\n storage) after the resource has been released back to the information system.\n Control of information in shared resources is also referred to as object reuse.\n\n Data used for the development and testing of applications often involves\n copying data from production. 
It is important that specific procedures exist\n for this process, so copies of sensitive data are not misplaced or left in a\n temporary location without the proper controls.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000243-DB-000128'\n tag \"gid\": 'V-61781'\n tag \"rid\": 'SV-76271r1_rule'\n tag \"stig_id\": 'O121-C2-018900'\n tag \"fix_id\": 'F-67697r1_fix'\n tag \"cci\": ['CCI-001090']\n tag \"nist\": ['SC-4', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify there are proper procedures in place for the refreshing\n of development/test data from production. Review any scripts or code that\n exists for the movement of production data to development/test, and verify\n copies of production data are not left in unprotected locations.\n\n If there is no documented procedure for data movement from production to\n development/test, this is a finding.\n\n If the code that exists for data movement does not remove any copies of\n production data from unprotected locations, this is a finding.\"\n tag \"fix\": \"Create and document a process for moving data from production to\n development/test systems, and follow the process.\n\n Modify any code used for moving data from production to development/test\n systems to ensure copies of production data are not left in nonsecured\n locations.\n\n Moving data is only a part of the challenge of protecting the data. When the\n data is moved, it should also be changed so sensitive information is not made\n available in development environments.\n\n With the Oracle Data Masking Pack for Oracle Enterprise Manager, organizations\n can comply with data privacy and protection mandates that restrict the use of\n actual customer data. 
With Oracle Data Masking Pack, sensitive information,\n such as credit card or social security numbers, can be replaced with realistic\n values, allowing production data to be safely used for development, testing, or\n sharing with out-source or off-shore partners for other nonproduction purposes.\n When used in conjunction with Oracle Enterprise Manager, it is easy to develop\n a secure process that is capable of obfuscating the data during the movement\n process.\n\n If the Oracle Data Masking Pack and Enterprise Manager are not available,\n develop site-specific procedures to manage and obfuscate sensitive data.\"\n describe 'A manual review is required to ensure the DBMS prevents unauthorized and unintended information transfer\n via shared system resources' do\n skip 'A manual review is required to ensure the DBMS prevents unauthorized and unintended information transfer\n via shared system resources'\n end\nend\n", + "code": "control 'V-61699' do\n title \"DBMS backup and restoration files must be protected from unauthorized\n access.\"\n desc \"Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Lost or compromised DBMS backup and restoration files may lead to not only\n the loss of data, but also the unauthorized access to sensitive data. Backup\n files need the same protections against unauthorized access when stored on\n backup media as when online and actively in use by the database system. 
In\n addition, the backup media needs to be protected against physical loss. Most\n DBMS's maintain online copies of critical control files to provide transparent\n or easy recovery from hard disk loss or other interruptions to database\n operation.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000145-DB-000098'\n tag \"gid\": 'V-61699'\n tag \"rid\": 'SV-76189r1_rule'\n tag \"stig_id\": 'O121-C2-012500'\n tag \"fix_id\": 'F-67615r1_fix'\n tag \"cci\": ['CCI-000535']\n tag \"nist\": ['CP-9 (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review file protections assigned to online backup and\n restoration files. Review access protections and procedures for off-line backup\n and restoration files.\n\n If backup or restoration files are subject to unauthorized access, this is a\n finding.\n\n It may be necessary to review backup and restoration procedures to determine\n ownership and access during all phases of backup and recovery.\"\n tag \"fix\": \"Implement protection for backup and restoration files. 
Document\n personnel and the level of access authorized for each to the backup and\n restoration files in the system documentation.\"\n describe 'A manual review is required to ensure DBMS backup and restoration files are protected from unauthorized\n access' do\n skip 'A manual review is required to ensure DBMS backup and restoration files are protected from unauthorized\n access'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61781.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61699.rb", "line": 1 }, - "id": "V-61781" + "id": "V-61699" }, { - "title": "Access to external executables must be disabled or restricted.", - "desc": "The Oracle external procedure capability provides use of the Oracle\n process account outside the operation of the DBMS process. You can use it to\n submit and execute applications stored externally from the database under\n operating system controls. The external procedure process is the subject of\n frequent and successful attacks as it allows unauthenticated use of the Oracle\n process account on the operating system. As of Oracle version 11.1, the\n external procedure agent may be run directly from the database and not require\n use of the Oracle listener. This reduces the risk of unauthorized access to the\n procedure from outside of the database process.", + "title": "Object permissions granted to PUBLIC must be restricted.", + "desc": "Permissions on objects may be granted to the user group PUBLIC.\n Because every database user is a member of the PUBLIC group, granting object\n permissions to PUBLIC gives all users in the database access to that object. In\n a secure environment, granting object permissions to PUBLIC must be restricted\n to those objects that all users are allowed to access. 
The policy does not\n require object permissions assigned to PUBLIC by the installation of Oracle\n Database server components be revoked.", "descriptions": { - "default": "The Oracle external procedure capability provides use of the Oracle\n process account outside the operation of the DBMS process. You can use it to\n submit and execute applications stored externally from the database under\n operating system controls. The external procedure process is the subject of\n frequent and successful attacks as it allows unauthenticated use of the Oracle\n process account on the operating system. As of Oracle version 11.1, the\n external procedure agent may be run directly from the database and not require\n use of the Oracle listener. This reduces the risk of unauthorized access to the\n procedure from outside of the database process." + "default": "Permissions on objects may be granted to the user group PUBLIC.\n Because every database user is a member of the PUBLIC group, granting object\n permissions to PUBLIC gives all users in the database access to that object. In\n a secure environment, granting object permissions to PUBLIC must be restricted\n to those objects that all users are allowed to access. The policy does not\n require object permissions assigned to PUBLIC by the installation of Oracle\n Database server components be revoked." }, "impact": 0, - "refs": [ - { - "ref": [] - } - ], + "refs": [], "tags": { - "gtitle": "SRG-APP-000141-DB-000093", - "gid": "V-61685", - "rid": "SV-76175r2_rule", - "stig_id": "O121-C2-011810", - "fix_id": "F-67599r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61439", + "rid": "SV-75929r3_rule", + "stig_id": "O121-BP-022600", + "fix_id": "F-67355r2_fix", "cci": [ - "CCI-000381" + "CCI-000366" ], "nist": [ - "CM-7 a", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -349,30 +345,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the System Security Plan to determine if the use of the\n external procedure agent is authorized.\n\n Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the\n executable extproc (UNIX) or extproc.exe (Windows).\n\n If external procedure agent is not authorized for use in the System Security\n Plan and the executable file does not exist or is restricted, this is not a\n finding.\n\n If external procedure agent is not authorized for use in the System Security\n Plan and the executable file exists and is not restricted, this is a finding.\n\n If use of the external procedure agent is authorized, ensure extproc is\n restricted to execution of authorized applications.\n\n External jobs are run using the account nobody by default.\n\n Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the\n lines run_user= and run_group=.\n\n If the user assigned to these parameters is not \"nobody\", this is a finding.\n\n For versions 11.1 and later, the external procedure agent (extproc executable)\n is available directly from the database and does not require definition in the\n listener.ora file for use.\n\n Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora.\n\n If the file does not exist, this is a finding.\n\n If the following entry does not appear in the file, this is a finding:\n\n EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..\n\n [dll full file name] represents a full path and file name.\n\n This list of file names is separated by \":\".\n\n Note: If \"ONLY\" is specified, then the list is restricted to allow execution\n of only the DLLs specified in the list and is not a finding. If \"ANY\" is\n specified, then there are no restrictions for execution except what is\n controlled by operating system permissions and is a finding. 
If no\n specification is made, any files located in the %ORACLE_HOME%\\bin directory on\n Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed\n (the default) and is a finding.\n\n Ensure that EXTPROC is not accessible from the listener.\n\n Review the listener.ora file. If any entries reference \"extproc\", this is a\n finding.\n\n Determine if the external procedure agent is in use per Oracle 10.x conventions.\n\n Review the listener.ora file.\n\n If any entries reference \"extproc\", then the agent is in use.\n\n If external procedure agent is not authorized for use in the System Security\n Plan and references to \"extproc\" exist, this is a finding.\n\n Sample listener.ora entries with extproc included:\n\n LISTENER =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n )\n EXTLSNR =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))\n )\n SID_LIST_LISTENER =\n (SID_LIST =\n (SID_DESC =\n (GLOBAL_DBNAME = ORCL)\n (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n (SID_NAME = ORCL)\n )\n )\n SID_LIST_EXTLSNR =\n (SID_LIST =\n (SID_DESC =\n (PROGRAM = extproc)\n (SID_NAME = PLSExtProc)\n (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n (ENVS=\"EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,\n LD_LIBRARY_PATH=/private/app2/lib:/private/app1,\n MYPATH=/usr/fso:/usr/local/packages\")\n )\n )\n\n Sample tnsnames.ora entries with extproc included:\n\n ORCL =\n (DESCRIPTION =\n (ADDRESS_LIST =\n (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n )\n (CONNECT_DATA =\n (SERVICE_NAME = ORCL)\n )\n )\n EXTPROC_CONNECTION_DATA =\n (DESCRIPTION =\n (ADDRESS_LIST =\n (ADDRESS = (PROTOCOL = IPC)(KEY = extproc))\n )\n (CONNECT_DATA =\n (SERVER = DEDICATED)\n (SERVICE_NAME = PLSExtProc)\n )\n )\n\n If EXTPROC is in use, confirm that a listener is dedicated to serving the\n external procedure agent (as shown above).\n\n View the protocols configured for the 
listener.\n\n For the listener to be dedicated, the only entries will be to specify extproc.\n\n If there is not a dedicated listener in use for the external procedure agent,\n this is a finding.\n\n If the PROTOCOL= specified is other than IPC, this is a finding.\n\n Verify and ensure extproc is restricted executing authorized external\n applications only and extproc is restricted to execution of authorized\n applications.\n\n Review the listener.ora file.\n\n If the following entry does not exist, this is a finding:\n\n EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...\n\n Note: [dll full file name] represents a full path and file name. This list of\n file names is separated by \":\".\n\n Note: If \"ONLY\" is specified, then the list is restricted to allow execution\n of only the DLLs specified in the list and is not a finding. If \"ANY\" is\n specified, then there are no restrictions for execution except what is\n controlled by operating system permissions and is a finding. 
If no\n specification is made, any files located in the %ORACLE_HOME%\\bin directory on\n Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed\n (the default) and is a finding.\n\n View the listener.ora file (usually in ORACLE_HOME/network/admin or directory\n specified by the TNS_ADMIN environment variable).\n\n If multiple listener processes are running, then the listener.ora file for each\n must be viewed.\n\n For each process, determine the directory specified in the ORACLE_HOME or\n TNS_ADMIN environment variable defined for the process account to locate the\n listener.ora file.", - "fix": "If use of the external procedure agent is required, then\n authorize and document the requirement in the System Security Plan.\n\n If the external procedure agent must be accessible to the Oracle listener, then\n specify this and authorize it in the System Security Plan.\n\n If use of the Oracle External Procedure agent is not required:\n\n - Stop the Oracle Listener process\n - Remove all references to extproc in the listener.ora and tnsnames.ora files\n - Alter the permissions on the executable files:\n UNIX - Remove read/write/execute permissions from owner, group and\n world\n Windows - Remove Groups/Users from the executable (except groups\n SYSTEM and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS\n groups\n\n If required:\n\n - Restrict extproc execution to only authorized applications.\n - Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and\n the listener.ora files\n - Create a separate, dedicated listener for use by the external procedure agent\n\n See the Oracle Net Services Administrators Guides, External Procedures section\n for detailed configuration information." + "check": "A default Oracle Database installation provides a set of\n predefined administrative accounts and non-administrative accounts. 
These are\n accounts that have special privileges required to administer areas of the\n database, such as the “CREATE ANY TABLE” or “ALTER SESSION” privilege, or\n “EXECUTE” privileges on packages owned by the SYS schema. The default\n tablespace for administrative accounts is either “SYSTEM” or “SYSAUX”.\n Non-administrative user accounts only have the minimum privileges needed to\n perform their jobs. Their default tablespace is “USERS”.\n\n To protect these accounts from unauthorized access, the installation process\n expires and locks most of these accounts, except where noted below. The\n database administrator is responsible for unlocking and resetting these\n accounts, as required.\n\n Non-Administrative Accounts - Expired and locked:\n APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM,\n SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL\n\n Administrative Accounts - Expired and Locked:\n ANONYMOUS, CTXSTS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, OEDDATA, OWBSYS,\n ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS,\n XDB\n\n Administrative Accounts - Open:\n DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM\n\n * Subject to change based on version installed\n\n Run the SQL query:\n\n select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs\n where grantee = 'PUBLIC';\n and owner not in\n ();\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n If there are any records returned that are not Oracle product accounts, and are\n not documented and authorized, this is a finding.\n\n Note: This check may return false positives where other Oracle product accounts\n are not included in the exclusion list.", + "fix": "Revoke any privileges granted to PUBLIC for 
objects that are not\n owned by Oracle product accounts.\n\n From SQL*Plus:\n\n revoke [privilege name] from [user name] on [object name];\n\n Assign permissions to custom application user roles based on job functions:\n\n From SQL*Plus:\n\n grant [privilege name] to [user role] on [object name];" }, - "code": " control 'V-61685' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61439' do\n title 'Object permissions granted to PUBLIC must be restricted.'\n desc \"Permissions on objects may be granted to the user group PUBLIC.\n Because every database user is a member of the PUBLIC group, granting object\n permissions to PUBLIC gives all users in the database access to that object. In\n a secure environment, granting object permissions to PUBLIC must be restricted\n to those objects that all users are allowed to access. The policy does not\n require object permissions assigned to PUBLIC by the installation of Oracle\n Database server components be revoked.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61439'\n tag \"rid\": 'SV-75929r3_rule'\n tag \"stig_id\": 'O121-BP-022600'\n tag \"fix_id\": 'F-67355r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"A default Oracle Database installation provides a set of\n predefined administrative accounts and non-administrative accounts. 
These are\n accounts that have special privileges required to administer areas of the\n database, such as the “CREATE ANY TABLE” or “ALTER SESSION” privilege, or\n “EXECUTE” privileges on packages owned by the SYS schema. The default\n tablespace for administrative accounts is either “SYSTEM” or “SYSAUX”.\n Non-administrative user accounts only have the minimum privileges needed to\n perform their jobs. Their default tablespace is “USERS”.\n\n To protect these accounts from unauthorized access, the installation process\n expires and locks most of these accounts, except where noted below. The\n database administrator is responsible for unlocking and resetting these\n accounts, as required.\n\n Non-Administrative Accounts - Expired and locked:\n APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM,\n SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL\n\n Administrative Accounts - Expired and Locked:\n ANONYMOUS, CTXSTS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, OEDDATA, OWBSYS,\n ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS,\n XDB\n\n Administrative Accounts - Open:\n DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM\n\n * Subject to change based on version installed\n\n Run the SQL query:\n\n select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs\n where grantee = 'PUBLIC';\n and owner not in\n ();\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n If there are any records returned that are not Oracle product accounts, and are\n not documented and authorized, this is a finding.\n\n Note: This check may return false positives where other Oracle product accounts\n are not included in the exclusion list.\"\n tag \"fix\": \"Revoke any privileges granted to 
PUBLIC for objects that are not\n owned by Oracle product accounts.\n\n From SQL*Plus:\n\n revoke [privilege name] from [user name] on [object name];\n\n Assign permissions to custom application user roles based on job functions:\n\n From SQL*Plus:\n\n grant [privilege name] to [user role] on [object name];\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n users_with_public_access = sql.query(\"select DISTINCT owner from dba_tab_privs where grantee = 'PUBLIC';\").column('owner').uniq\n\n if users_with_public_access.empty?\n impact 0.0\n describe 'There are no oracle users with access to PUBLIC, control N/A' do\n skip 'There are no oracle users with access to PUBLIC'\n end\n else\n users_with_public_access.each do |user|\n describe \"oracle user: #{user} with access to PUBLIC\" do\n subject { user }\n it { should be_in input('users_allowed_access_to_public')}\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61685.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61439.rb", "line": 1 }, - "id": "V-61685" + "id": "V-61439" }, { - "title": "DBA OS accounts must be granted only those host system privileges\n necessary for the administration of the DBMS.", - "desc": "This requirement is intended to limit exposure due to operating from\n within a privileged account or role. 
The inclusion of role is intended to\n address those situations where an access control policy, such as Role Based\n Access Control (RBAC), is being implemented and where a change of role provides\n the same degree of assurance in the change of access authorizations for both\n the user and all processes acting on behalf of the user as would be provided by\n a change between a privileged and non-privileged account.\n\n DBAs, if assigned excessive OS privileges, could perform actions that could\n endanger the information system or hide evidence of malicious activity.", + "title": "The DBMS must protect the integrity of publicly available information\n and applications.", + "desc": "The purpose of this control is to ensure organizations explicitly\n address the protection needs for public information and applications with such\n protection likely being implemented as part of other security controls.\n\n Databases designed to contain publicly available information, though not\n concerned with confidentiality, must still maintain the integrity of the data\n they house. If data available to the public is not protected from unauthorized\n modification, then it cannot be trusted by those accessing it.", "descriptions": { - "default": "This requirement is intended to limit exposure due to operating from\n within a privileged account or role. The inclusion of role is intended to\n address those situations where an access control policy, such as Role Based\n Access Control (RBAC), is being implemented and where a change of role provides\n the same degree of assurance in the change of access authorizations for both\n the user and all processes acting on behalf of the user as would be provided by\n a change between a privileged and non-privileged account.\n\n DBAs, if assigned excessive OS privileges, could perform actions that could\n endanger the information system or hide evidence of malicious activity." 
+ "default": "The purpose of this control is to ensure organizations explicitly\n address the protection needs for public information and applications with such\n protection likely being implemented as part of other security controls.\n\n Databases designed to contain publicly available information, though not\n concerned with confidentiality, must still maintain the integrity of the data\n they house. If data available to the public is not protected from unauthorized\n modification, then it cannot be trusted by those accessing it." }, - "impact": 0.7, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000063-DB-000021", - "gid": "V-61537", - "rid": "SV-76027r1_rule", - "stig_id": "O121-C1-004500", - "fix_id": "F-67453r1_fix", + "gtitle": "SRG-APP-000201-DB-000145", + "gid": "V-61763", + "rid": "SV-76253r1_rule", + "stig_id": "O121-C2-017100", + "fix_id": "F-67679r1_fix", "cci": [ "CCI-000366" ], 
@@ -390,35 +386,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review host system privileges assigned to the Oracle DBA group\n and all individual Oracle DBA accounts.\n\n Note: do not include the Oracle software installation account in any results\n for this check.\n\n For UNIX systems (as root):\n cat /etc/group | grep -i dba\n groups root\n\n If \"root\" is returned in the first list, this is a finding.\n\n If any accounts listed in the first list are also listed in the second list,\n this is a finding.\n\n Investigate any user account group memberships other than DBA or root groups\n that are returned by the following command (also as root):\n\n groups [dba user account]\n\n Replace [dba user account] with the user account name of each DBA account.\n\n If individual DBA accounts are assigned to groups that grant access or\n privileges for purposes other than DBA responsibilities, this is a finding.\n\n For Windows Systems (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Groups / ORA_DBA\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Groups / ORA_[SID]_DBA (if present)\n\n Note: Users assigned DBA privileges on a Windows host are granted membership in\n the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA\n privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA\n privileges to specific Oracle instances only.\n\n Make a note of each user listed. 
For each user (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Users / [DBA user name] / Member of\n\n If DBA users belong to any groups other than DBA groups and the Windows Users\n group, this is a finding.\n\n Examine User Rights assigned to DBA groups or group members:\n Start / Settings / Control Panel / Administrative Tools / Local Security Policy\n / Security Settings / Local Policies / User Rights Assignments\n\n If any User Rights are assigned directly to the DBA group(s) or DBA user\n accounts, this is a finding.", - "fix": "Revoke all host system privileges from the DBA group accounts and\n DBA user accounts not required for DBMS administration.\n\n Revoke all OS group memberships that assign excessive privileges to the DBA\n group accounts and DBA user accounts.\n\n Remove any directly applied permissions or user rights from the DBA group\n accounts and DBA user accounts.\n\n Document all DBA group accounts and individual DBA account-assigned privileges\n in the System Security Plan." + "check": "Determine whether the database houses and distributes\n information to the public. Review DBMS settings to determine whether controls\n exist to protect the integrity of publicly available information.\n\n If not, this is a finding.\n\n - - - - -\n All of the permissions and policies we would employ to protect information\n would be in play, like access control mechanisms, auditing, and password\n protection. For data that is for display or download to the public for their\n informational needs, it may be appropriate to place the data in a read-only\n tablespace. This will provide the DBA with the ability to modify content as\n needed by modifying the tablespace from read-only to read-write in the event\n the content needs to be modified. Check with the Application Developer to see\n what tables are used to store the data and/or content that is displayed to the\n public. 
Then find the tablespace name the data objects are stored in.\n\n $ sqlplus connect as sysdba\n\n SQL> SELECT table_name, tablespace_name from dba_tables where upper(table_name)\n like &tablename_from_developer;\n\n For better performance while accessing data in a read-only tablespace, can\n issue a query that accesses all of the blocks of the tables in the tablespace\n just before making it read-only. A simple query, such as SELECT COUNT (*),\n executed against each table ensures that the data blocks in the tablespace can\n be subsequently accessed most efficiently. This eliminates the need for the\n database to check the status of the transactions that most recently modified\n the blocks.\n\n The following statement makes the flights tablespace read-only:\n\n ALTER TABLESPACE flights READ ONLY;\n\n Can issue the ALTER TABLESPACE...READ ONLY statement while the database is\n processing transactions. After the statement is issued, the tablespace is put\n into a transitional read-only state. 
No transactions are allowed to make\n further changes (using DML statements) to the tablespace.\n\n If a transaction attempts further changes, it is terminated and rolled back.\n However, transactions that already made changes and that attempt no further\n changes are allowed to commit or roll back.\n\n The ALTER TABLESPACE...READ ONLY statement waits for the following transactions\n to either commit or roll back before returning: transactions that have pending\n or uncommitted changes to the tablespace and that were started before the\n statement was issued.\n\n If a transaction started before the statement remains active, but rolls back to\n a savepoint, rolling back its changes to the tablespace, then the statement no\n longer waits for this active transaction.", + "fix": "Apply appropriate controls to protect the integrity of publicly\n available information.\n\n - - - - -\n If the appropriate controls include placing the data in a read-only tablespace,\n proceed as follows.\n\n After we figure out the tablespace the data object is stored in:\n $ sqlplus connect as sysdba\n SQL> SELECT table_name, tablespace_name from dba_tables where upper(table_name)\n like &tablename_from_developer;\n\n Once we get the name of the tablespace where all of the important data is\n stored, alter the tablespace to be read-only.\n SQL> ALTER TABLESPACE &tablespace_where_data_is READ ONLY;\n\n The following statement makes the flights tablespace read-only:\n ALTER TABLESPACE flights READ ONLY;\n\n Can issue the ALTER TABLESPACE...READ ONLY statement while the database is\n processing transactions. After the statement is issued, the tablespace is put\n into a transitional read-only state. No transactions are allowed to make\n further changes (using DML statements) to the tablespace. If a transaction\n attempts further changes, it is terminated and rolled back. 
However,\n transactions that already made changes and that attempt no further changes are\n allowed to commit or roll back.\n\n The ALTER TABLESPACE...READ ONLY statement waits for the following transactions\n to either commit or roll back before returning: transactions that have pending\n or uncommitted changes to the tablespace and that were started before the\n statement was issued. If a transaction started before the statement remains\n active, but rolls back to a savepoint, rolling back its changes to the\n tablespace, then the statement no longer waits for this active transaction." }, - "code": "control 'V-61537' do\n title \"DBA OS accounts must be granted only those host system privileges\n necessary for the administration of the DBMS.\"\n desc \"This requirement is intended to limit exposure due to operating from\n within a privileged account or role. The inclusion of role is intended to\n address those situations where an access control policy, such as Role Based\n Access Control (RBAC), is being implemented and where a change of role provides\n the same degree of assurance in the change of access authorizations for both\n the user and all processes acting on behalf of the user as would be provided by\n a change between a privileged and non-privileged account.\n\n DBAs, if assigned excessive OS privileges, could perform actions that could\n endanger the information system or hide evidence of malicious activity.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000063-DB-000021'\n tag \"gid\": 'V-61537'\n tag \"rid\": 'SV-76027r1_rule'\n tag \"stig_id\": 'O121-C1-004500'\n tag \"fix_id\": 'F-67453r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n 
tag \"ia_controls\": nil\n tag \"check\": \"Review host system privileges assigned to the Oracle DBA group\n and all individual Oracle DBA accounts.\n\n Note: do not include the Oracle software installation account in any results\n for this check.\n\n For UNIX systems (as root):\n cat /etc/group | grep -i dba\n groups root\n\n If \\\"root\\\" is returned in the first list, this is a finding.\n\n If any accounts listed in the first list are also listed in the second list,\n this is a finding.\n\n Investigate any user account group memberships other than DBA or root groups\n that are returned by the following command (also as root):\n\n groups [dba user account]\n\n Replace [dba user account] with the user account name of each DBA account.\n\n If individual DBA accounts are assigned to groups that grant access or\n privileges for purposes other than DBA responsibilities, this is a finding.\n\n For Windows Systems (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Groups / ORA_DBA\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Groups / ORA_[SID]_DBA (if present)\n\n Note: Users assigned DBA privileges on a Windows host are granted membership in\n the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA group grants DBA\n privileges to any database on the system. The ORA_[SID]_DBA groups grant DBA\n privileges to specific Oracle instances only.\n\n Make a note of each user listed. 
For each user (click or select):\n Start / Settings / Control Panel / Administrative Tools / Computer Management /\n Local Users and Groups / Users / [DBA user name] / Member of\n\n If DBA users belong to any groups other than DBA groups and the Windows Users\n group, this is a finding.\n\n Examine User Rights assigned to DBA groups or group members:\n Start / Settings / Control Panel / Administrative Tools / Local Security Policy\n / Security Settings / Local Policies / User Rights Assignments\n\n If any User Rights are assigned directly to the DBA group(s) or DBA user\n accounts, this is a finding.\"\n tag \"fix\": \"Revoke all host system privileges from the DBA group accounts and\n DBA user accounts not required for DBMS administration.\n\n Revoke all OS group memberships that assign excessive privileges to the DBA\n group accounts and DBA user accounts.\n\n Remove any directly applied permissions or user rights from the DBA group\n accounts and DBA user accounts.\n\n Document all DBA group accounts and individual DBA account-assigned privileges\n in the System Security Plan.\"\n\n get_dba_users = command('cat /etc/group | grep -i dba').stdout.strip.split(\"\\n\")\n get_members_root_group = command('groups root').stdout.strip.split(\"\\n\")\n\n get_dba_users.each do |user|\n describe \"The dba user: #{user} in /etc/group\" do\n subject { user }\n it { should_not cmp 'root' }\n end\n\n get_members_root_group.each do |member|\n describe \"The user: #{member} in the root group\" do\n subject { member }\n it { should_not cmp user.to_s }\n end\n end\n end\n if get_dba_users.empty?\n describe 'There are no dba users, therefore this control is NA' do\n skip 'There are no dba users, therefore this control is NA'\n end\n end\nend\n", + "code": "control 'V-61763' do\n title \"The DBMS must protect the integrity of publicly available information\n and applications.\"\n desc \"The purpose of this control is to ensure organizations explicitly\n address the protection needs 
for public information and applications with such\n protection likely being implemented as part of other security controls.\n\n Databases designed to contain publicly available information, though not\n concerned with confidentiality, must still maintain the integrity of the data\n they house. If data available to the public is not protected from unauthorized\n modification, then it cannot be trusted by those accessing it.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000201-DB-000145'\n tag \"gid\": 'V-61763'\n tag \"rid\": 'SV-76253r1_rule'\n tag \"stig_id\": 'O121-C2-017100'\n tag \"fix_id\": 'F-67679r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Determine whether the database houses and distributes\n information to the public. Review DBMS settings to determine whether controls\n exist to protect the integrity of publicly available information.\n\n If not, this is a finding.\n\n - - - - -\n All of the permissions and policies we would employ to protect information\n would be in play, like access control mechanisms, auditing, and password\n protection. For data that is for display or download to the public for their\n informational needs, it may be appropriate to place the data in a read-only\n tablespace. This will provide the DBA with the ability to modify content as\n needed by modifying the tablespace from read-only to read-write in the event\n the content needs to be modified. Check with the Application Developer to see\n what tables are used to store the data and/or content that is displayed to the\n public. 
Then find the tablespace name the data objects are stored in.\n\n $ sqlplus connect as sysdba\n\n SQL> SELECT table_name, tablespace_name from dba_tables where upper(table_name)\n like &tablename_from_developer;\n\n For better performance while accessing data in a read-only tablespace, can\n issue a query that accesses all of the blocks of the tables in the tablespace\n just before making it read-only. A simple query, such as SELECT COUNT (*),\n executed against each table ensures that the data blocks in the tablespace can\n be subsequently accessed most efficiently. This eliminates the need for the\n database to check the status of the transactions that most recently modified\n the blocks.\n\n The following statement makes the flights tablespace read-only:\n\n ALTER TABLESPACE flights READ ONLY;\n\n Can issue the ALTER TABLESPACE...READ ONLY statement while the database is\n processing transactions. After the statement is issued, the tablespace is put\n into a transitional read-only state. 
No transactions are allowed to make\n further changes (using DML statements) to the tablespace.\n\n If a transaction attempts further changes, it is terminated and rolled back.\n However, transactions that already made changes and that attempt no further\n changes are allowed to commit or roll back.\n\n The ALTER TABLESPACE...READ ONLY statement waits for the following transactions\n to either commit or roll back before returning: transactions that have pending\n or uncommitted changes to the tablespace and that were started before the\n statement was issued.\n\n If a transaction started before the statement remains active, but rolls back to\n a savepoint, rolling back its changes to the tablespace, then the statement no\n longer waits for this active transaction.\"\n tag \"fix\": \"Apply appropriate controls to protect the integrity of publicly\n available information.\n\n - - - - -\n If the appropriate controls include placing the data in a read-only tablespace,\n proceed as follows.\n\n After we figure out the tablespace the data object is stored in:\n $ sqlplus connect as sysdba\n SQL> SELECT table_name, tablespace_name from dba_tables where upper(table_name)\n like &tablename_from_developer;\n\n Once we get the name of the tablespace where all of the important data is\n stored, alter the tablespace to be read-only.\n SQL> ALTER TABLESPACE &tablespace_where_data_is READ ONLY;\n\n The following statement makes the flights tablespace read-only:\n ALTER TABLESPACE flights READ ONLY;\n\n Can issue the ALTER TABLESPACE...READ ONLY statement while the database is\n processing transactions. After the statement is issued, the tablespace is put\n into a transitional read-only state. No transactions are allowed to make\n further changes (using DML statements) to the tablespace. If a transaction\n attempts further changes, it is terminated and rolled back. 
However,\n transactions that already made changes and that attempt no further changes are\n allowed to commit or roll back.\n\n The ALTER TABLESPACE...READ ONLY statement waits for the following transactions\n to either commit or roll back before returning: transactions that have pending\n or uncommitted changes to the tablespace and that were started before the\n statement was issued. If a transaction started before the statement remains\n active, but rolls back to a savepoint, rolling back its changes to the\n tablespace, then the statement no longer waits for this active transaction.\"\n describe 'A manual review is required to ensure the DBMS protects the integrity of publicly available information\n and applications.' do\n skip 'A manual review is required to ensure the DBMS protects the integrity of publicly available information\n and applications.'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61537.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61763.rb", "line": 1 }, - "id": "V-61537" + "id": "V-61763" }, { - "title": "Only authorized system accounts must have the SYSTEM tablespace\n specified as the default tablespace.", - "desc": "The Oracle SYSTEM tablespace is used by the database to store all DBMS\n system objects. Other use of the system tablespace may compromise system\n availability and the effectiveness of host system access controls to the\n tablespace files.", + "title": "The system must alert designated organizational officials in the event\n of an audit processing failure.", + "desc": "It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. 
Audit processing\n failures include: software/hardware errors, failures in the audit capturing\n mechanisms, and audit storage capacity being reached or exceeded.\n\n A failure of database auditing will result in either the database\n continuing to function without auditing or in a complete halt to database\n operations. When audit processing fails, appropriate personnel must be alerted\n immediately to avoid further downtime or unaudited transactions.\n\n If Oracle Enterprise Manager is in use, the capability to issue such an\n alert is built in and configurable via the console so an alert can be sent to a\n designated administrator.", "descriptions": { - "default": "The Oracle SYSTEM tablespace is used by the database to store all DBMS\n system objects. Other use of the system tablespace may compromise system\n availability and the effectiveness of host system access controls to the\n tablespace files." + "default": "It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. Audit processing\n failures include: software/hardware errors, failures in the audit capturing\n mechanisms, and audit storage capacity being reached or exceeded.\n\n A failure of database auditing will result in either the database\n continuing to function without auditing or in a complete halt to database\n operations. When audit processing fails, appropriate personnel must be alerted\n immediately to avoid further downtime or unaudited transactions.\n\n If Oracle Enterprise Manager is in use, the capability to issue such an\n alert is built in and configurable via the console so an alert can be sent to a\n designated administrator." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61459", - "rid": "SV-75949r2_rule", - "stig_id": "O121-BP-023600", - "fix_id": "F-67375r2_fix", + "gtitle": "SRG-APP-000108-DB-000048", + "gid": "V-61647", + "rid": "SV-76137r2_rule", + "stig_id": "O121-C2-008500", + "fix_id": "F-67561r3_fix", "cci": [ - "CCI-000366" + "CCI-000139" ], "nist": [ - "CM-6 b", + "AU-5 a", "Rev_4" ], "false_negatives": null, 
@@ -431,30 +427,30 @@
"mitigation_controls": null,
"responsibility": null,
"ia_controls": null,
- "check": "Run the query:\n\n select property_name, property_value\n from database_properties\n where property_name in\n ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE');\n\n If either value is set to SYSTEM, this is a finding.\n\n Run the query:\n\n select username from dba_users\n where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM')\n and username not in\n ('LBACSYS','OUTLN','SYS','SYSTEM');\n\n If any non-default account records are returned, this is a finding.",
- "fix": "Create and dedicate tablespaces to support only one application.\n\n Do not share tablespaces between applications.\n\n Do not grant quotas to application object owners on tablespaces not dedicated\n to their associated application.\n\n Run the queries:\n\n alter database default tablespace ;\n alter database default temporary tablespace ;\n\n alter user default tablespace temporary tablespace\n ;\n\n Replace with the named user account.\n Replace with the new default tablespace name.\n Replace with the new default temporary tablespace\n name (typically TEMP).\n Repeat the \"alter user\" for each affected user account."
+ "check": "Review OS or third-party logging application settings to\n determine whether an alert will be sent to the designated organizational\n personnel when auditing fails for any reason.\n\n If no alert will be sent, this is a finding.",
+ "fix": "Modify OS or third-party logging application settings to alert\n designated organizational personnel when auditing fails for any reason.\n\n If Oracle Enterprise Manager is in use, the capability to issue such an alert\n is built in and configurable via the console so an alert can be sent to a\n designated administrator."
},
- "code": "control 'V-61459' do\n title \"Only authorized system accounts must have the SYSTEM tablespace\n specified as the default tablespace.\"\n desc \"The Oracle SYSTEM tablespace is used by the database to store all DBMS\n system objects. Other use of the system tablespace may compromise system\n availability and the effectiveness of host system access controls to the\n tablespace files.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61459'\n tag \"rid\": 'SV-75949r2_rule'\n tag \"stig_id\": 'O121-BP-023600'\n tag \"fix_id\": 'F-67375r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the query:\n\n select property_name, property_value\n from database_properties\n where property_name in\n ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE');\n\n If either value is set to SYSTEM, this is a finding.\n\n Run the query:\n\n select username from dba_users\n where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM')\n and username not in\n ('LBACSYS','OUTLN','SYS','SYSTEM');\n\n If any non-default account records are returned, this is a finding.\"\n tag \"fix\": \"Create and dedicate tablespaces to support only one application.\n\n Do not share tablespaces between applications.\n\n Do not grant quotas to application object owners on tablespaces not dedicated\n to their associated application.\n\n Run the queries:\n\n alter database default tablespace ;\n alter database default temporary tablespace ;\n\n alter user default tablespace temporary tablespace\n ;\n\n Replace with the named user account.\n Replace with the new default tablespace name.\n 
Replace with the new default temporary tablespace\n name (typically TEMP).\n Repeat the \\\"alter user\\\" for each affected user account.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n property_name = sql.query(\"select property_name\n from database_properties\n where property_name in\n ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE');\").column('property_name')\n\n describe 'The oracle database property_name' do\n subject { property_name }\n it { should_not include 'SYSTEM' }\n end\n\n property_value = sql.query(\"select property_value\n from database_properties\n where property_name in\n ('DEFAULT_PERMANENT_TABLESPACE','DEFAULT_TEMP_TABLESPACE');\").column('property_value')\n\n describe 'The oracle database property_value' do\n subject { property_value }\n it { should_not include 'SYSTEM' }\n end\n\n users_with_system_tablespace = sql.query(\"select username from dba_users\n where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM')\n and username not in\n ('LBACSYS','OUTLN','SYS','SYSTEM');\").column('username').uniq\n if users_with_system_tablespace.empty?\n impact 0.0\n describe 'There are no oracle users granted system tablespace, therefore control N/A' do\n skip 'There are no oracle users granted system tablespace, therefore control N/A'\n end\n else\n users_with_system_tablespace.each do |user|\n describe \"oracle users with system tablespace: #{user}\" do\n subject { user }\n it { should be_in input('allowed_users_system_tablespace') }\n end\n end\n end\nend\n",
+ "code": "control 'V-61647' do\n title \"The system must alert designated organizational officials in the event\n of an audit processing failure.\"\n desc \"It is critical for the appropriate personnel to be aware if a system\n is at risk of failing to process audit logs as required. 
Audit processing\n failures include: software/hardware errors, failures in the audit capturing\n mechanisms, and audit storage capacity being reached or exceeded.\n\n A failure of database auditing will result in either the database\n continuing to function without auditing or in a complete halt to database\n operations. When audit processing fails, appropriate personnel must be alerted\n immediately to avoid further downtime or unaudited transactions.\n\n If Oracle Enterprise Manager is in use, the capability to issue such an\n alert is built in and configurable via the console so an alert can be sent to a\n designated administrator.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000108-DB-000048'\n tag \"gid\": 'V-61647'\n tag \"rid\": 'SV-76137r2_rule'\n tag \"stig_id\": 'O121-C2-008500'\n tag \"fix_id\": 'F-67561r3_fix'\n tag \"cci\": ['CCI-000139']\n tag \"nist\": ['AU-5 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review OS or third-party logging application settings to\n determine whether an alert will be sent to the designated organizational\n personnel when auditing fails for any reason.\n\n If no alert will be sent, this is a finding.\"\n tag \"fix\": \"Modify OS or third-party logging application settings to alert\n designated organizational personnel when auditing fails for any reason.\n\n If Oracle Enterprise Manager is in use, the capability to issue such an alert\n is built in and configurable via the console so an alert can be sent to a\n designated administrator.\"\n describe 'A manual review is required to ensure the system alerts designated organizational officials in the event\n of an audit processing failure' do\n skip 'A manual review is 
required to ensure the system alerts designated organizational officials in the event\n of an audit processing failure'\n end\nend\n",
"source_location": {
- "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61459.rb",
+ "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61647.rb",
"line": 1
},
- "id": "V-61459"
+ "id": "V-61647"
},
{
- "title": "Unauthorized database links must not be defined and active.",
- "desc": "DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system.",
+ "title": "The DBMS must not share a host supporting an independent security\n service.",
+ "desc": "The Security Support Structure is a security control function or\n service provided by an external system or application. An example of this would\n be a Windows domain controller that provides identification and authentication\n that can be used by other systems to control access. The associated risk of a\n DBMS installed on a system that provides security support is significantly\n higher than when installed on separate systems. In cases where the DBMS is\n dedicated to local support of a security support function (e.g. 
a directory\n service), separation may not be possible.",
"descriptions": {
- "default": "DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system."
+ "default": "The Security Support Structure is a security control function or\n service provided by an external system or application. An example of this would\n be a Windows domain controller that provides identification and authentication\n that can be used by other systems to control access. The associated risk of a\n DBMS installed on a system that provides security support is significantly\n higher than when installed on separate systems. In cases where the DBMS is\n dedicated to local support of a security support function (e.g. a directory\n service), separation may not be possible."
},
- "impact": 0,
+ "impact": 0.5,
"refs": [],
"tags": {
"gtitle": "SRG-APP-000516-DB-999900",
- "gid": "V-61451",
- "rid": "SV-75941r1_rule",
- "stig_id": "O121-BP-023200",
- "fix_id": "F-67367r1_fix",
+ "gid": "V-61509",
+ "rid": "SV-75999r1_rule",
+ "stig_id": "O121-BP-025300",
+ "fix_id": "F-67425r1_fix",
"cci": [
"CCI-000366"
],
@@ -472,30 +468,34 @@
"mitigation_controls": null,
"responsibility": null,
"ia_controls": null,
- "check": "From SQL*Plus:\n select db_link||': '||host from dba_db_links;\n\n If no links are returned, this check is not a finding.\n\n Review documentation for definitions of authorized database links to external\n interfaces.\n\n The documentation should include:\n\n - Any remote access to the database\n - The purpose or function of the remote connection\n - Any access to data or procedures stored externally to the local DBMS\n - Any network ports or protocols used by remote connections, whether the remote\n connection is to a production, test, or development system\n - Any security accounts used by DBMS to access remote resources or objects\n\n If any unauthorized database links are defined or the definitions do not match\n the documentation, this is a finding.\n\n Note: findings for production-development links under this check are assigned\n to the production database only.\n\n If any database links are defined between the production database and any test\n or development databases, this is a finding.\n\n If remote interface documentation does not exist or is incomplete, this is a\n finding.",
- "fix": "Document all remote or external interfaces used by the DBMS to\n connect to or allow connections from remote or external sources.\n\n Include with the documentation as appropriate, any network ports or protocols,\n security accounts, and the sensitivity of any data exchanged.\n\n Do not define or configure database links between production databases and test\n or development databases.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates."
+ "check": "Review the services and processes active on the DBMS host\n system.\n\n If the host system is a Windows domain controller, this is a finding.\n\n If the host system is supporting any other security or directory services that\n do not use the DBMS to store information, this is a finding.\n\n Note: This does not include client security applications like firewall and\n antivirus software.",
+ "fix": "Either move the DBMS installation to a dedicated host system or\n move the directory or security services to another host system.\n\n A dedicated host system in this case refers to an instance of the operating\n system at a minimum.\n\n The operating system may reside on a virtual host machine where supported by\n the DBMS vendor."
},
- "code": "control 'V-61451' do\n title 'Unauthorized database links must not be defined and active.'\n desc \"DBMS links provide a communication and data transfer path definition\n between two databases that may be used by malicious users to discover and\n obtain unauthorized access to remote systems. Database links between production\n and development DBMSs provide a means for developers to access production data\n not authorized for their access or to introduce untested or unauthorized\n applications to the production database. Only protected, controlled, and\n authorized downloads of any production data to use for development may be\n allowed. 
Only applications that have completed the configuration management\n process may be introduced by the application object owner account to the\n production system.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61451'\n tag \"rid\": 'SV-75941r1_rule'\n tag \"stig_id\": 'O121-BP-023200'\n tag \"fix_id\": 'F-67367r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n select db_link||': '||host from dba_db_links;\n\n If no links are returned, this check is not a finding.\n\n Review documentation for definitions of authorized database links to external\n interfaces.\n\n The documentation should include:\n\n - Any remote access to the database\n - The purpose or function of the remote connection\n - Any access to data or procedures stored externally to the local DBMS\n - Any network ports or protocols used by remote connections, whether the remote\n connection is to a production, test, or development system\n - Any security accounts used by DBMS to access remote resources or objects\n\n If any unauthorized database links are defined or the definitions do not match\n the documentation, this is a finding.\n\n Note: findings for production-development links under this check are assigned\n to the production database only.\n\n If any database links are defined between the production database and any test\n or development databases, this is a finding.\n\n If remote interface documentation does not exist or is incomplete, this is a\n finding.\"\n tag \"fix\": \"Document all remote or external interfaces used by the DBMS to\n connect to or allow connections from remote or 
external sources.\n\n Include with the documentation as appropriate, any network ports or protocols,\n security accounts, and the sensitivity of any data exchanged.\n\n Do not define or configure database links between production databases and test\n or development databases.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n db_links = sql.query('SELECT DB_LINK FROM DBA_DB_LINKS;').column('db_link').uniq\n if db_links.empty?\n impact 0.0\n describe 'There are no oracle database links defined, control N/A' do\n skip 'There are no oracle database links defined, control N/A'\n end\n else\n db_links.each do |link|\n describe \"The defined oracle database link: #{link}\" do\n subject { link }\n it { should be_in input('allowed_db_links') }\n end\n end\n end\nend\n",
+ "code": "control 'V-61509' do\n title \"The DBMS must not share a host supporting an independent security\n service.\"\n desc \"The Security Support Structure is a security control function or\n service provided by an external system or application. An example of this would\n be a Windows domain controller that provides identification and authentication\n that can be used by other systems to control access. The associated risk of a\n DBMS installed on a system that provides security support is significantly\n higher than when installed on separate systems. In cases where the DBMS is\n dedicated to local support of a security support function (e.g. 
a directory\n service), separation may not be possible.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61509'\n tag \"rid\": 'SV-75999r1_rule'\n tag \"stig_id\": 'O121-BP-025300'\n tag \"fix_id\": 'F-67425r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the services and processes active on the DBMS host\n system.\n\n If the host system is a Windows domain controller, this is a finding.\n\n If the host system is supporting any other security or directory services that\n do not use the DBMS to store information, this is a finding.\n\n Note: This does not include client security applications like firewall and\n antivirus software.\"\n tag \"fix\": \"Either move the DBMS installation to a dedicated host system or\n move the directory or security services to another host system.\n\n A dedicated host system in this case refers to an instance of the operating\n system at a minimum.\n\n The operating system may reside on a virtual host machine where supported by\n the DBMS vendor.\"\n describe 'A manual review is required to ensure the DBMS does not share a host supporting an independent security\n service' do\n skip 'A manual review is required to ensure the DBMS does not share a host supporting an independent security\n service'\n end\nend\n",
"source_location": {
- "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61451.rb",
+ "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61509.rb",
"line": 1
},
- "id": "V-61451"
+ "id": "V-61509"
},
{
- "title": "Owners of privileged accounts must use 
non-privileged accounts for\n non-administrative activities.",
- "desc": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.",
+ "title": "Connections by mid-tier web and application systems to the Oracle DBMS\n from a DMZ or external network must be encrypted.\n ",
+ "desc": "Multi-tier systems may be configured with the database and connecting\n middle-tier system located on an internal network, with the database located on\n an internal network behind a firewall and the middle-tier system located in a\n DMZ. In cases where either or both systems are located in the DMZ (or on\n networks external to DoD), network communications between the systems must be\n encrypted.",
"descriptions": {
- "default": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications."
+ "default": "Multi-tier systems may be configured with the database and connecting\n middle-tier system located on an internal network, with the database located on\n an internal network behind a firewall and the middle-tier system located in a\n DMZ. 
In cases where either or both systems are located in the DMZ (or on\n networks external to DoD), network communications between the systems must be\n encrypted."
},
- "impact": 0.5,
- "refs": [],
+ "impact": 0,
+ "refs": [
+ {
+ "ref": []
+ }
+ ],
"tags": {
- "gtitle": "SRG-APP-000063-DB-000018",
- "gid": "V-61597",
- "rid": "SV-76087r1_rule",
- "stig_id": "O121-C2-004210",
- "fix_id": "F-67513r1_fix",
+ "gtitle": "SRG-APP-000516-DB-999900",
+ "gid": "V-61447",
+ "rid": "SV-75937r2_rule",
+ "stig_id": "O121-BP-023000",
+ "fix_id": "F-67363r2_fix",
"cci": [
"CCI-000366"
],
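Review bot: The new title for V-61447 ends with an embedded newline and space (`"...must be encrypted.\n ",`), unlike every other title in these hunks, so that trailing whitespace will surface wherever the title is rendered or compared; it should be trimmed to `"...must be encrypted.",` in the source profile. The same control's `refs` is `[ { "ref": [] } ]` while every other control here uses `"refs": []`, so a consumer that expects each refs entry to carry a string or URL may not handle an empty array; either emit `[]` or a well-formed reference. Both appear to be upstream-profile defects that this automated ingestion carries through, so the fix belongs in the profile rather than in this JSON.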
@@ -513,35 +513,35 @@
"mitigation_controls": null,
"responsibility": null,
"ia_controls": null,
- "check": "Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.",
- "fix": "Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities."
+ "check": "Review the System Security Plan for remote applications that\n access and use the database.\n\n For each remote application or application server, determine whether\n communications between it and the DBMS are encrypted. If any are not encrypted,\n this is a finding.",
+ "fix": "Configure communications between the DBMS and remote\n applications/application servers to use DoD-approved encryption."
},
- "code": "control 'V-61597' do\n title \"Owners of privileged accounts must use non-privileged accounts for\n non-administrative activities.\"\n desc \"Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. 
It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000063-DB-000018'\n tag \"gid\": 'V-61597'\n tag \"rid\": 'SV-76087r1_rule'\n tag \"stig_id\": 'O121-C2-004210'\n tag \"fix_id\": 'F-67513r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.\"\n tag \"fix\": \"Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities.\"\n describe 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities' do\n skip 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities'\n end\nend\n",
+ "code": " control 'V-61447' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n",
"source_location": {
- "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61597.rb",
+ "ref": 
"/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61447.rb",
"line": 1
},
- "id": "V-61597"
+ "id": "V-61447"
},
{
- "title": "The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.",
- "desc": "Non-repudiation of actions taken is required in order to maintain\n application integrity. Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.",
+ "title": "Access to default accounts used to support replication must be\n restricted to authorized DBAs.",
+ "desc": "Replication database accounts are used for database connections\n between databases. Replication requires the configuration of these accounts\n using the same username and password on all databases participating in the\n replication. Replication connections use fixed user database links. This means\n that access to the replication account on one server provides access to the\n other servers participating in the replication. Granting unauthorized access to\n the replication account provides unauthorized and privileged access to all\n databases participating in the replication group.",
"descriptions": {
- "default": "Non-repudiation of actions taken is required in order to maintain\n application integrity. Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. 
This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered."
+ "default": "Replication database accounts are used for database connections\n between databases. Replication requires the configuration of these accounts\n using the same username and password on all databases participating in the\n replication. Replication connections use fixed user database links. This means\n that access to the replication account on one server provides access to the\n other servers participating in the replication. Granting unauthorized access to\n the replication account provides unauthorized and privileged access to all\n databases participating in the replication group."
},
- "impact": 0.3,
+ "impact": 0.5,
"refs": [],
"tags": {
- "gtitle": "SRG-APP-000080-DB-000063",
- "gid": "V-61887",
- "rid": "SV-76377r2_rule",
- "stig_id": "O121-P3-006200",
- "fix_id": "F-67803r2_fix",
+ "gtitle": "SRG-APP-000516-DB-999900",
+ "gid": "V-61411",
+ "rid": "SV-75901r1_rule",
+ "stig_id": "O121-BP-021200",
+ "fix_id": "F-67327r1_fix",
"cci": [
- "CCI-000166"
+ "CCI-000366"
],
"nist": [
- "AU-10",
+ "CM-6 b",
"Rev_4"
],
"false_negatives": null,
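Review bot: The new `code` string for V-61447 marks the control not applicable because AWS manages the operating system, but the control's own `check` text in this hunk asks whether communications between each remote application server and the DBMS are encrypted, which is not an operating-system concern, so the skip reason does not justify the N/A. If transport encryption for client connections remains configurable by the account owner on the managed service, the control should stay a manual-review skip like V-61509 in the previous hunk rather than `impact 0.0`, or the justification should state why connection encryption cannot be assessed there. The code string also begins with a leading space and omits the title, desc and tag lines that every sibling control's code carries, so it is inconsistent in style with the rest of the profile.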
@@ -554,35 +554,35 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null,
- "check": "If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled.
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \"TRUE\", this is not a finding.", - "fix": "Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements." 
+ "check": "From SQL*Plus:\n\n select 'The number of replication objects defined is: '||\n count(*) from all_tables\n where table_name like 'REPCAT%';\n\n If the count returned is 0, then Oracle Replication is not installed and this\n check is not a finding.\n\n Otherwise:\n\n From SQL*Plus:\n\n select count(*) from sys.dba_repcatlog;\n\n If the count returned is 0, then Oracle Replication is not in use and this\n check is not a finding.\n\n If any results are returned, ask the ISSO or DBA if the replication account\n (the default is REPADMIN, but may be customized) is restricted to\n ISSO-authorized personnel only.\n\n If it is not, this is a finding.\n\n If there are multiple replication accounts, confirm that all are justified and\n documented with the ISSO.\n\n If they are not, this is a finding.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates.",
+ "fix": "Change the password for default and custom replication accounts\n and provide the password to ISSO-authorized users only."
 },
- "code": "control 'V-61887' do\n title \"The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.\"\n desc \"Non-repudiation of actions taken is required in order to maintain\n application integrity.
Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000080-DB-000063'\n tag \"gid\": 'V-61887'\n tag \"rid\": 'SV-76377r2_rule'\n tag \"stig_id\": 'O121-P3-006200'\n tag \"fix_id\": 'F-67803r2_fix'\n tag \"cci\": ['CCI-000166']\n tag \"nist\": ['AU-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. 
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\"\n tag \"fix\": \"Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. 
It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n end\nend\n", + "code": "control 'V-61411' do\n title \"Access to default accounts used to support replication must be\n restricted to authorized DBAs.\"\n desc \"Replication database accounts are used for database connections\n between databases. Replication requires the configuration of these accounts\n using the same username and password on all databases participating in the\n replication. Replication connections use fixed user database links. This means\n that access to the replication account on one server provides access to the\n other servers participating in the replication. 
Granting unauthorized access to\n the replication account provides unauthorized and privileged access to all\n databases participating in the replication group.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61411'\n tag \"rid\": 'SV-75901r1_rule'\n tag \"stig_id\": 'O121-BP-021200'\n tag \"fix_id\": 'F-67327r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select 'The number of replication objects defined is: '||\n count(*) from all_tables\n where table_name like 'REPCAT%';\n\n If the count returned is 0, then Oracle Replication is not installed and this\n check is not a finding.\n\n Otherwise:\n\n From SQL*Plus:\n\n select count(*) from sys.dba_repcatlog;\n\n If the count returned is 0, then Oracle Replication is not in use and this\n check is not a finding.\n\n If any results are returned, ask the ISSO or DBA if the replication account\n (the default is REPADMIN, but may be customized) is restricted to\n ISSO-authorized personnel only.\n\n If it is not, this is a finding.\n\n If there are multiple replication accounts, confirm that all are justified and\n documented with the ISSO.\n\n If they are not, this is a finding.\n\n Note: Oracle Database Advanced Replication is deprecated in Oracle Database\n 12c. 
Use Oracle GoldenGate to replace all features of Advanced Replication,\n including multimaster replication, updatable materialized views, hierarchical\n materialized views, and deployment templates.\"\n tag \"fix\": \"Change the password for default and custom replication accounts\n and provide the password to ISSO-authorized users only.\"\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n is_oracle_replication_used = sql.query(\"select count(*) from all_tables\n where table_name like 'REPCAT%';\").column('count(*)')\n\n oracle_replication_accounts = sql.query('select * from sys.dba_repcatlog;').column('gname')\n\n if !is_oracle_replication_used.include?('0')\n describe \"The ISSO or DBA must manually ensure the following replication accounts are justified: #{oracle_replication_accounts}\" do\n skip \"The ISSO or DBA must manually ensure the following replication accounts are justified: #{oracle_replication_accounts}\"\n end\n else\n describe 'The number of replication accounts defined' do\n subject { is_oracle_replication_used }\n it { should cmp 0 }\n end\n end\nend\n",
 "source_location": {
- "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61887.rb",
+ "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61411.rb",
 "line": 1
 },
- "id": "V-61887"
+ "id": "V-61411"
 },
 {
- "title": "The DBMS must provide the ability to write specified audit record\n content to a centralized audit log repository.",
- "desc": "Information system auditing capability is critical for accurate\n forensic analysis.
Audit record content that may be necessary to satisfy the\n requirement of this control includes but is not limited: timestamps, source\n and destination IP addresses, user/process identifiers, event descriptions,\n application specific events, success/fail indications, file names involved,\n access control or flow control rules invoked.\n\n Centralized management of audit records and logs provides for efficiency in\n maintenance and management of records, as well as, the backup and archiving of\n those records. When organizations define application components requiring\n centralized audit log management, applications need to support that requirement.\n\n Database audit records not stored in a centralized audit log management\n tool may be overlooked during investigation of a security incident or may be\n subject to intentional or accidental manipulation by privileged users of the\n database.", + "title": "The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.", + "desc": "Non-repudiation of actions taken is required in order to maintain\n application integrity. Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. 
This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", "descriptions": { - "default": "Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes but is not limited: timestamps, source\n and destination IP addresses, user/process identifiers, event descriptions,\n application specific events, success/fail indications, file names involved,\n access control or flow control rules invoked.\n\n Centralized management of audit records and logs provides for efficiency in\n maintenance and management of records, as well as, the backup and archiving of\n those records. 
When organizations define application components requiring\n centralized audit log management, applications need to support that requirement.\n\n Database audit records not stored in a centralized audit log management\n tool may be overlooked during investigation of a security incident or may be\n subject to intentional or accidental manipulation by privileged users of the\n database." + "default": "Non-repudiation of actions taken is required in order to maintain\n application integrity. Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered."
 },
- "impact": 0.5,
+ "impact": 0.3,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000102-DB-000045",
- "gid": "V-61871",
- "rid": "SV-76361r1_rule",
- "stig_id": "O121-P2-008100",
- "fix_id": "F-67787r1_fix",
+ "gtitle": "SRG-APP-000080-DB-000063",
+ "gid": "V-61887",
+ "rid": "SV-76377r2_rule",
+ "stig_id": "O121-P3-006200",
+ "fix_id": "F-67803r2_fix",
 "cci": [
- "CCI-001844"
+ "CCI-000166"
 ],
 "nist": [
- "AU-3 (2)",
+ "AU-10",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -595,39 +595,35 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null,
- "check": "If the organization does not require the use of a centralized\n audit log repository, this is not a finding.\n\n If the organization requires the use of a centralized audit log repository,\n continue.\n\n Check that Oracle PL/SQL code or other software is in place to copy or transfer\n the specified audit record content to a centralized audit log repository. If\n it is not, this is a finding.\n\n Check that permissions are set on the Oracle audit trail tables and on the\n target repository to enable the required transfer of audit data. If they are\n not, this is a finding.\n\n Verify that the specified audit record content is indeed copied or transferred\n to the central repository. If it is not, this is a finding.",
- "fix": "If the organization requires the use of a centralized audit log\n repository, employ PL/SQL code or other software to copy or transfer the\n specified audit record content to the repository.\n\n Ensure that permissions are set to enable transfer of the data.\n\n If, after the preceding steps, the transfer is not succeeding, diagnose and\n repair the problem.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241"
+ "check": "If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the
database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. 
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \"TRUE\", this is not a finding.", + "fix": "Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements." }, - "code": "control 'V-61871' do\n title \"The DBMS must provide the ability to write specified audit record\n content to a centralized audit log repository.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. 
Audit record content that may be necessary to satisfy the\n requirement of this control includes but is not limited: timestamps, source\n and destination IP addresses, user/process identifiers, event descriptions,\n application specific events, success/fail indications, file names involved,\n access control or flow control rules invoked.\n\n Centralized management of audit records and logs provides for efficiency in\n maintenance and management of records, as well as, the backup and archiving of\n those records. When organizations define application components requiring\n centralized audit log management, applications need to support that requirement.\n\n Database audit records not stored in a centralized audit log management\n tool may be overlooked during investigation of a security incident or may be\n subject to intentional or accidental manipulation by privileged users of the\n database.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000102-DB-000045'\n tag \"gid\": 'V-61871'\n tag \"rid\": 'SV-76361r1_rule'\n tag \"stig_id\": 'O121-P2-008100'\n tag \"fix_id\": 'F-67787r1_fix'\n tag \"cci\": ['CCI-001844']\n tag \"nist\": ['AU-3 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the organization does not require the use of a centralized\n audit log repository, this is not a finding.\n\n If the organization requires the use of a centralized audit log repository,\n continue.\n\n Check that Oracle PL/SQL code or other software is in place to copy or transfer\n the specified audit record content to a centralized audit log repository. 
If\n it is not, this is a finding.\n\n Check that permissions are set on the Oracle audit trail tables and on the\n target repository to enable the required transfer of audit data. If they are\n not, this is a finding.\n\n Verify that the specified audit record content is indeed copied or transferred\n to the central repository. If it is not, this is a finding.\"\n tag \"fix\": \"If the organization requires the use of a centralized audit log\n repository, employ PL/SQL code or other software to copy or transfer the\n specified audit record content to the repository.\n\n Ensure that permissions are set to enable transfer of the data.\n\n If, after the preceding steps, the transfer is not succeeding, diagnose and\n repair the problem.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\"\n describe 'A manual review is required to ensure the DBMS provides the ability to write specified audit record\n content to a centralized audit log repository' do\n skip 'A manual review is required to ensure the DBMS provides the ability to write specified audit record\n content to a centralized audit log repository'\n end\nend\n", + "code": "control 'V-61887' do\n title \"The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.\"\n desc \"Non-repudiation of actions taken is required in order to maintain\n application integrity. 
Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000080-DB-000063'\n tag \"gid\": 'V-61887'\n tag \"rid\": 'SV-76377r2_rule'\n tag \"stig_id\": 'O121-P3-006200'\n tag \"fix_id\": 'F-67803r2_fix'\n tag \"cci\": ['CCI-000166']\n tag \"nist\": ['AU-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. 
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\"\n tag \"fix\": \"Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. 
It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61871.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61887.rb", "line": 1 }, - "id": "V-61871" + "id": "V-61887" }, { - "title": "Remote administration must be disabled for the Oracle connection\n manager.", - "desc": "Remote administration provides a potential opportunity for malicious\n users to make unauthorized changes to the Connection Manager configuration or\n interrupt its service.", + "title": "The DBMS must uniquely identify and authenticate organizational users\n (or processes acting on behalf of organizational users).", + "desc": "To assure accountability and 
prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication.", "descriptions": { - "default": "Remote administration provides a potential opportunity for malicious\n users to make unauthorized changes to the Connection Manager configuration or\n interrupt its service." + "default": "To assure accountability and prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication." 
}, - "impact": 0, - "refs": [ - { - "ref": [] - } - ], + "impact": 0.5, + "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61533", - "rid": "SV-76023r1_rule", - "stig_id": "O121-BP-026500", - "fix_id": "F-67449r1_fix", + "gtitle": "SRG-APP-000148-DB-000103", + "gid": "V-61879", + "rid": "SV-76369r1_rule", + "stig_id": "O121-P2-012800", + "fix_id": "F-67795r1_fix", "cci": [ - "CCI-000366" + "CCI-000764" ], "nist": [ - "CM-6 b", + "IA-2", "Rev_4" ], "false_negatives": null, 
@@ -640,39 +636,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "View the cman.ora file in the ORACLE_HOME/network/admin\n directory.\n\n If the file does not exist, the database is not accessed via Oracle Connection\n Manager and this check is not a finding.\n\n If the entry and value for REMOTE_ADMIN is not listed or is not set to a value\n of NO (REMOTE_ADMIN = NO), this is a finding.", - "fix": "View the cman.ora file in the ORACLE_HOME/network/admin directory\n of the Connection Manager.\n\n Include the following line in the file:\n\n REMOTE_ADMIN = NO" + "check": "Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings, and site practices, to determine\n whether organizational users are uniquely identified and authenticated when\n logging on to the system.\n\n If organizational users are not uniquely identified and authenticated, this is\n a finding.", + "fix": "Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to uniquely identify and authenticate all organizational users who\n log on to the system. Ensure that each user has a separate account from all\n other users." 
}, - "code": " control 'V-61533' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61879' do\n title \"The DBMS must uniquely identify and authenticate organizational users\n (or processes acting on behalf of organizational users).\"\n desc \"To assure accountability and prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000148-DB-000103'\n tag \"gid\": 'V-61879'\n tag \"rid\": 'SV-76369r1_rule'\n tag \"stig_id\": 'O121-P2-012800'\n tag \"fix_id\": 'F-67795r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings, and site practices, to determine\n whether organizational users are uniquely identified and 
authenticated when\n logging on to the system.\n\n If organizational users are not uniquely identified and authenticated, this is\n a finding.\"\n tag \"fix\": \"Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to uniquely identify and authenticate all organizational users who\n log on to the system. Ensure that each user has a separate account from all\n other users.\"\n describe 'A manual review is required to ensure the DBMS uniquely identifies and authenticates organizational users\n (or processes acting on behalf of organizational users).' do\n skip 'A manual review is required to ensure the DBMS uniquely identifies and authenticates organizational users\n (or processes acting on behalf of organizational users).'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61533.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61879.rb", "line": 1 }, - "id": "V-61533" + "id": "V-61879" }, { - "title": "The DBMS must support organizational requirements to enforce the\n number of characters that get changed when passwords are changed.", - "desc": "Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", + "title": "DBMS production application and data directories must be protected\n from developers on shared production/development DBMS host systems.", + "desc": "Developer roles must not be assigned DBMS administrative privileges to\n production DBMS application and data directories. The separation of production\n DBA and developer roles helps protect the production system from unauthorized,\n malicious or unintentional interruption due to development activities.", "descriptions": { - "default": "Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." + "default": "Developer roles must not be assigned DBMS administrative privileges to\n production DBMS application and data directories. 
The separation of production\n DBA and developer roles helps protect the production system from unauthorized,\n malicious or unintentional interruption due to development activities." }, "impact": 0.5, - "refs": [ - { - "ref": [] - } - ], + "refs": [], "tags": { - "gtitle": "SRG-APP-000170-DB-000073", - "gid": "V-61731", - "rid": "SV-76221r1_rule", - "stig_id": "O121-C2-014500", - "fix_id": "F-67647r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61487", + "rid": "SV-75977r1_rule", + "stig_id": "O121-BP-024100", + "fix_id": "F-67403r1_fix", "cci": [ - "CCI-000195" + "CCI-000366" ], "nist": [ - "IA-5 (1) (b)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -685,35 +677,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()] ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of characters by\n which the password must differ from the previous password (eight of the\n characters unless otherwise specified), this is a finding.", - "fix": "If any user accounts are managed by Oracle: Develop, test and\n implement a password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the\n starting point for a customized function.)" + "check": "If the DBMS or DBMS host is not shared by production and\n development activities, this check is not a finding.\n\n Review OS DBA group membership.\n\n If any developer accounts, as identified in the System Security Plan, have been\n assigned DBA privileges, this is a finding.\n\n Note: Though shared production/non-production DBMS installations was allowed\n under previous database STIG guidance, doing so may place it in violation of\n OS, Application, Network or Enclave STIG guidance. 
Ensure that any shared\n production/non-production DBMS installation meets STIG guidance requirements at\n all levels or mitigate any conflicts in STIG guidance with the AO.", + "fix": "Create separate DBMS host OS groups for developer and production\n DBAs.\n\n Do not assign production DBA OS group membership to accounts used for\n development.\n\n Remove development accounts from production DBA OS group membership.\n\n Recommend establishing a dedicated DBMS host for production DBMS installations.\n A dedicated host system in this case refers to an instance of the operating\n system at a minimum. The operating system may reside on a virtual host machine\n where supported by the DBMS vendor." }, - "code": "control 'V-61731' do\n title \"The DBMS must support organizational requirements to enforce the\n number of characters that get changed when passwords are changed.\"\n desc \"Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000170-DB-000073'\n tag \"gid\": 'V-61731'\n tag \"rid\": 'SV-76221r1_rule'\n tag \"stig_id\": 'O121-C2-014500'\n tag \"fix_id\": 'F-67647r1_fix'\n tag \"cci\": ['CCI-000195']\n tag \"nist\": ['IA-5 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()] ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of characters by\n which the password must differ from the previous password (eight of the\n characters unless otherwise specified), this is a finding.\"\n tag \"fix\": \"If any user accounts are managed by Oracle: Develop, test and\n implement a password verification function that enforces 
DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the\n starting point for a customized function.)\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_verify_function = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database account password verify function for profile: #{profile}\" do\n subject { password_verify_function }\n it { should_not eq ['NULL'] }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", + "code": "control 'V-61487' do\n title \"DBMS production application and data directories must be protected\n from developers on shared production/development DBMS host systems.\"\n desc \"Developer roles must not be assigned DBMS administrative privileges to\n production DBMS application and data directories. 
The separation of production\n DBA and developer roles helps protect the production system from unauthorized,\n malicious or unintentional interruption due to development activities.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61487'\n tag \"rid\": 'SV-75977r1_rule'\n tag \"stig_id\": 'O121-BP-024100'\n tag \"fix_id\": 'F-67403r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the DBMS or DBMS host is not shared by production and\n development activities, this check is not a finding.\n\n Review OS DBA group membership.\n\n If any developer accounts, as identified in the System Security Plan, have been\n assigned DBA privileges, this is a finding.\n\n Note: Though shared production/non-production DBMS installations was allowed\n under previous database STIG guidance, doing so may place it in violation of\n OS, Application, Network or Enclave STIG guidance. Ensure that any shared\n production/non-production DBMS installation meets STIG guidance requirements at\n all levels or mitigate any conflicts in STIG guidance with the AO.\"\n tag \"fix\": \"Create separate DBMS host OS groups for developer and production\n DBAs.\n\n Do not assign production DBA OS group membership to accounts used for\n development.\n\n Remove development accounts from production DBA OS group membership.\n\n Recommend establishing a dedicated DBMS host for production DBMS installations.\n A dedicated host system in this case refers to an instance of the operating\n system at a minimum. 
The operating system may reside on a virtual host machine\n where supported by the DBMS vendor.\"\n describe 'A manual review is required to ensure DBMS production application and data directories are protected\n from developers on shared production/development DBMS host systems.' do\n skip 'A manual review is required to ensure DBMS production application and data directories are protected\n from developers on shared production/development DBMS host systems.'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61731.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61487.rb", "line": 1 }, - "id": "V-61731" + "id": "V-61487" }, { - "title": "The DBMS data files, transaction logs and audit files must be stored\n in dedicated directories or disk partitions separate from software or other\n application files.", - "desc": "Protection of DBMS data, transaction and audit data files stored by\n the host operating system is dependent on OS controls. When different\n applications share the same database process, resource contention and differing\n security controls may be required to isolate and protect one application's data\n and audit logs from another. DBMS software libraries and configuration files\n also require differing access control lists.", + "title": "The DBMS must notify appropriate individuals when account disabling\n actions are taken.", + "desc": "When application accounts are disabled, user accessibility is\n affected. Accounts are utilized for identifying individual application users or\n for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must audit account disabling actions and,\n as required, notify the appropriate individuals so they can investigate the\n event. 
Such a capability greatly reduces the risk that application\n accessibility will be negatively affected for extended periods of time and also\n provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon the disabling of an\n account within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.", "descriptions": { - "default": "Protection of DBMS data, transaction and audit data files stored by\n the host operating system is dependent on OS controls. When different\n applications share the same database process, resource contention and differing\n security controls may be required to isolate and protect one application's data\n and audit logs from another. DBMS software libraries and configuration files\n also require differing access control lists." + "default": "When application accounts are disabled, user accessibility is\n affected. Accounts are utilized for identifying individual application users or\n for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must audit account disabling actions and,\n as required, notify the appropriate individuals so they can investigate the\n event. 
Such a capability greatly reduces the risk that application\n accessibility will be negatively affected for extended periods of time and also\n provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon the disabling of an\n account within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61963", - "rid": "SV-76453r1_rule", - "stig_id": "O121-BP-025100", - "fix_id": "F-67883r1_fix", + "gtitle": "SRG-APP-000293-DB-000130", + "gid": "V-61801", + "rid": "SV-76291r2_rule", + "stig_id": "O121-C2-020600", + "fix_id": "F-67717r1_fix", "cci": [ - "CCI-000366" + "CCI-001685" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -726,35 +718,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the disk/directory specification where database data,\n transaction log and audit files are stored.\n\n If DBMS data, transaction or audit data files are stored in the same directory,\n this is a finding.\n\n If separation of data, transaction and audit data is not supported by the DBMS,\n this check is not a finding.\n\n If stored separately and access permissions for each directory is the same,\n this is a finding.", - "fix": "Product-specific fix pending development. Use Generic Fix listed\n below:\n\n Specify dedicated host system disk directories to store database data,\n transaction and audit files.\n\n Configure DBMS default file storage locations to use dedicated disk directories\n where supported by the DBMS." + "check": "Check DBMS settings to determine whether it will notify\n appropriate individuals when account disabling actions are taken.\n\n If the DBMS does not notify appropriate individuals when account disabling\n actions are taken, this is a finding.", + "fix": "Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are disabled.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record disabling of accounts.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals." 
}, - "code": "control 'V-61963' do\n title \"The DBMS data files, transaction logs and audit files must be stored\n in dedicated directories or disk partitions separate from software or other\n application files.\"\n desc \"Protection of DBMS data, transaction and audit data files stored by\n the host operating system is dependent on OS controls. When different\n applications share the same database process, resource contention and differing\n security controls may be required to isolate and protect one application's data\n and audit logs from another. DBMS software libraries and configuration files\n also require differing access control lists.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61963'\n tag \"rid\": 'SV-76453r1_rule'\n tag \"stig_id\": 'O121-BP-025100'\n tag \"fix_id\": 'F-67883r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the disk/directory specification where database data,\n transaction log and audit files are stored.\n\n If DBMS data, transaction or audit data files are stored in the same directory,\n this is a finding.\n\n If separation of data, transaction and audit data is not supported by the DBMS,\n this check is not a finding.\n\n If stored separately and access permissions for each directory is the same,\n this is a finding.\"\n tag \"fix\": \"Product-specific fix pending development. 
Use Generic Fix listed\n below:\n\n Specify dedicated host system disk directories to store database data,\n transaction and audit files.\n\n Configure DBMS default file storage locations to use dedicated disk directories\n where supported by the DBMS.\"\n describe 'A manual review is required to ensure the DBMS data files, transaction logs and audit files are stored\n in dedicated directories or disk partitions separate from software or other\n application files' do\n skip 'A manual review is required to ensure the DBMS data files, transaction logs and audit files are stored\n in dedicated directories or disk partitions separate from software or other\n application files'\n end\nend\n", + "code": "control 'V-61801' do\n title \"The DBMS must notify appropriate individuals when account disabling\n actions are taken.\"\n desc \"When application accounts are disabled, user accessibility is\n affected. Accounts are utilized for identifying individual application users or\n for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must audit account disabling actions and,\n as required, notify the appropriate individuals so they can investigate the\n event. Such a capability greatly reduces the risk that application\n accessibility will be negatively affected for extended periods of time and also\n provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon the disabling of an\n account within Oracle. 
Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000293-DB-000130'\n tag \"gid\": 'V-61801'\n tag \"rid\": 'SV-76291r2_rule'\n tag \"stig_id\": 'O121-C2-020600'\n tag \"fix_id\": 'F-67717r1_fix'\n tag \"cci\": ['CCI-001685']\n tag \"nist\": ['AC-2 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings to determine whether it will notify\n appropriate individuals when account disabling actions are taken.\n\n If the DBMS does not notify appropriate individuals when account disabling\n actions are taken, this is a finding.\"\n tag \"fix\": \"Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are disabled.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record disabling of accounts.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals.\"\n describe 'A manual review is required to ensure the DBMS notifies the appropriate individuals when account disabling\n actions are taken' do\n skip 'A manual review is required to ensure the DBMS notifies the appropriate individuals when 
account disabling\n actions are taken'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61963.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61801.rb", "line": 1 }, - "id": "V-61963" + "id": "V-61801" }, { - "title": "Database software directories, including DBMS configuration files,\n must be stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications.", - "desc": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in the\n protection between applications.", + "title": "The DBMS must include organization-defined additional, more detailed\n information in the audit records for audit events identified by type, location,\n or subject.", + "desc": "Information system auditing capability is critical for accurate\n forensic analysis. 
Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n In addition, the application must have the capability to include\n organization-defined additional, more detailed information in the audit records\n for audit events. These events may be identified by type, location, or subject.\n\n An example of detailed information the organization may require in audit\n records is full-text recording of privileged commands or the individual\n identities of shared account users.\n\n Some organizations may determine that more detailed information is required\n for specific database event types. If this information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.", "descriptions": { - "default": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in the\n protection between applications." + "default": "Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n In addition, the application must have the capability to include\n organization-defined additional, more detailed information in the audit records\n for audit events. These events may be identified by type, location, or subject.\n\n An example of detailed information the organization may require in audit\n records is full-text recording of privileged commands or the individual\n identities of shared account users.\n\n Some organizations may determine that more detailed information is required\n for specific database event types. If this information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000133-DB-000199", - "gid": "V-61875", - "rid": "SV-76365r1_rule", - "stig_id": "O121-P2-010900", - "fix_id": "F-67791r1_fix", + "gtitle": "SRG-APP-000101-DB-000044", + "gid": "V-61641", + "rid": "SV-76131r1_rule", + "stig_id": "O121-C2-008000", + "fix_id": "F-67553r2_fix", "cci": [ - "CCI-001499" + "CCI-000135" ], "nist": [ - "CM-5 (6)", + "AU-3 (1)", "Rev_4" ], "false_negatives": null, 
@@ -767,35 +759,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the DBMS software library directory and note other root\n directories located on the same disk directory or any subdirectories. If any\n non-DBMS software directories exist on the disk directory, examine or\n investigate their use.\n\n If any of the directories are used by other applications, including third-party\n applications that use the DBMS, this is a finding.\n\n Only applications that are required for the functioning and administration, not\n use, of the DBMS should be located on the same disk directory as the DBMS\n software libraries.\n\n For databases located on mainframes, confirm that the database and its\n configuration files are isolated in their own DASD pools.\n\n If database software and database configuration files share DASD with other\n applications, this is a finding.", - "fix": "Install all applications on directories, or pools, separate from\n the DBMS software library directory. Re-locate any directories or re-install\n other application software that currently shares the DBMS software library\n directory to separate directories.\n\n For mainframe-based databases, locate database software and configuration files\n in separate DASD pools from other mainframe applications." + "check": "Verify, using vendor and system documentation if necessary,\n that the DBMS is configured to use Oracle's auditing features, or that a\n third-party product or custom code is deployed and configured to satisfy this\n requirement.\n\n If a third-party product or custom code is used, compare its current\n configuration with the audit requirements. 
If any of the requirements is not\n covered by the configuration, this is a finding.\n\n The remainder of this Check is applicable specifically where Oracle auditing is\n in use.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SHOW PARAMETER AUDIT_TRAIL\n\n or the following SQL query:\n\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n\n If Oracle returns the value \"NONE\", this is a finding.\n\n Compare the organization-defined auditable events with the Oracle documentation\n to determine whether standard auditing covers all the requirements.\n\n If it does, this is not a finding.\n\n Compare those organization-defined auditable events that are not covered by the\n standard auditing, with the existing Fine-Grained Auditing (FGA) specifications\n returned by the following query:\n\n SELECT * FROM SYS.DBA_FGA_AUDIT_TRAIL;\n\n If any such auditable event is not covered by the existing FGA specifications,\n this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \"TRUE\", this is not a finding.\n\n Compare the organization-defined auditable events with the Oracle documentation\n to determine whether standard auditing covers all the requirements.\n\n If it does, this is not a finding.\n\n Compare those organization-defined auditable events that are not covered by the\n standard auditing, with the existing Fine-Grained Auditing (FGA) specifications\n returned by the following query:\n\n SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit';\n\n If any such auditable event is not covered by the existing FGA specifications,\n this is a finding.", + "fix": "Either configure the DBMS's auditing to audit\n organization-defined auditable events, or, if preferred, use a 
third-party or\n custom tool. The tool must provide the minimum capability to audit the required\n events.\n\n If using a third-party product, proceed in accordance with the product\n documentation. If using Oracle's capabilities, proceed as follows.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n\n Audit trail type can be \"OS\", \"DB\", \"DB,EXTENDED\", \"XML\" or\n \"XML,EXTENDED\".\n\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If the organization-defined additional audit requirements are not covered by\n the default audit options, deploy and configure Fine-Grained Auditing. For\n details, refer to Oracle documentation at the location below.\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation, at the location below.\n\n If Unified Auditing is used:\n Use this process to ensure auditable events are captured:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \"TRUE\", this is not a finding.\n\n Otherwise,\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n If the organization-defined additional audit requirements are not covered by\n the default audit options, deploy and configure Fine-Grained Auditing. For\n details, refer to Oracle documentation at the location below.\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. 
For details, refer to\n Oracle documentation, at the location below.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810" }, - "code": "control 'V-61875' do\n title \"Database software directories, including DBMS configuration files,\n must be stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in the\n protection between applications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000133-DB-000199'\n tag \"gid\": 'V-61875'\n tag \"rid\": 'SV-76365r1_rule'\n tag \"stig_id\": 'O121-P2-010900'\n tag \"fix_id\": 'F-67791r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the DBMS software library directory and note other root\n directories located on the same disk directory or any subdirectories. If any\n non-DBMS software directories exist on the disk directory, examine or\n investigate their use.\n\n If any of the directories are used by other applications, including third-party\n applications that use the DBMS, this is a finding.\n\n Only applications that are required for the functioning and administration, not\n use, of the DBMS should be located on the same disk directory as the DBMS\n software libraries.\n\n For databases located on mainframes, confirm that the database and its\n configuration files are isolated in their own DASD pools.\n\n If database software and database configuration files share DASD with other\n applications, this is a finding.\"\n tag \"fix\": \"Install all applications on directories, or pools, separate from\n the DBMS software library directory. 
Re-locate any directories or re-install\n other application software that currently shares the DBMS software library\n directory to separate directories.\n\n For mainframe-based databases, locate database software and configuration files\n in separate DASD pools from other mainframe applications.\"\n describe 'A manual review is required to ensure Database software directories, including DBMS configuration files,\n are stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications' do\n skip 'A manual review is required to ensure Database software directories, including DBMS configuration files,\n are stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications'\n end\nend\n", + "code": "control 'V-61641' do\n title \"The DBMS must include organization-defined additional, more detailed\n information in the audit records for audit events identified by type, location,\n or subject.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n In addition, the application must have the capability to include\n organization-defined additional, more detailed information in the audit records\n for audit events. These events may be identified by type, location, or subject.\n\n An example of detailed information the organization may require in audit\n records is full-text recording of privileged commands or the individual\n identities of shared account users.\n\n Some organizations may determine that more detailed information is required\n for specific database event types. 
If this information is not available, it\n could negatively impact forensic investigations into user actions or other\n malicious events.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000101-DB-000044'\n tag \"gid\": 'V-61641'\n tag \"rid\": 'SV-76131r1_rule'\n tag \"stig_id\": 'O121-C2-008000'\n tag \"fix_id\": 'F-67553r2_fix'\n tag \"cci\": ['CCI-000135']\n tag \"nist\": ['AU-3 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify, using vendor and system documentation if necessary,\n that the DBMS is configured to use Oracle's auditing features, or that a\n third-party product or custom code is deployed and configured to satisfy this\n requirement.\n\n If a third-party product or custom code is used, compare its current\n configuration with the audit requirements. 
If any of the requirements is not\n covered by the configuration, this is a finding.\n\n The remainder of this Check is applicable specifically where Oracle auditing is\n in use.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SHOW PARAMETER AUDIT_TRAIL\n\n or the following SQL query:\n\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n\n If Oracle returns the value \\\"NONE\\\", this is a finding.\n\n Compare the organization-defined auditable events with the Oracle documentation\n to determine whether standard auditing covers all the requirements.\n\n If it does, this is not a finding.\n\n Compare those organization-defined auditable events that are not covered by the\n standard auditing, with the existing Fine-Grained Auditing (FGA) specifications\n returned by the following query:\n\n SELECT * FROM SYS.DBA_FGA_AUDIT_TRAIL;\n\n If any such auditable event is not covered by the existing FGA specifications,\n this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\n\n Compare the organization-defined auditable events with the Oracle documentation\n to determine whether standard auditing covers all the requirements.\n\n If it does, this is not a finding.\n\n Compare those organization-defined auditable events that are not covered by the\n standard auditing, with the existing Fine-Grained Auditing (FGA) specifications\n returned by the following query:\n\n SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit';\n\n If any such auditable event is not covered by the existing FGA specifications,\n this is a finding.\"\n tag \"fix\": \"Either configure the DBMS's auditing to audit\n organization-defined auditable events, or, if 
preferred, use a third-party or\n custom tool. The tool must provide the minimum capability to audit the required\n events.\n\n If using a third-party product, proceed in accordance with the product\n documentation. If using Oracle's capabilities, proceed as follows.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n\n Audit trail type can be \\\"OS\\\", \\\"DB\\\", \\\"DB,EXTENDED\\\", \\\"XML\\\" or\n \\\"XML,EXTENDED\\\".\n\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If the organization-defined additional audit requirements are not covered by\n the default audit options, deploy and configure Fine-Grained Auditing. For\n details, refer to Oracle documentation at the location below.\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation, at the location below.\n\n If Unified Auditing is used:\n Use this process to ensure auditable events are captured:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\n\n Otherwise,\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n If the organization-defined additional audit requirements are not covered by\n the default audit options, deploy and configure Fine-Grained Auditing. For\n details, refer to Oracle documentation at the location below.\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. 
For details, refer to\n Oracle documentation, at the location below.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n audit_info_captured = sql.query('SELECT EVENT_TIMESTAMP FROM UNIFIED_AUDIT_TRAIL ORDER BY EVENT_TIMESTAMP DESC FETCH FIRST 10 ROWS ONLY;').column('event_timestamp')\n fga_audit_events = sql.query(\" SELECT * FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit';\").column('TIMESTAMP')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if 
unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n\n describe 'The oracle database unified auditing events captured' do\n subject { audit_info_captured }\n it { should_not be_empty }\n end\n\n describe 'The oracle database fine grained auditing events captured' do\n subject { fga_audit_events }\n it { should_not be_empty }\n end\n\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61875.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61641.rb", "line": 1 }, - "id": "V-61875" + "id": "V-61641" }, { - "title": "The DBMS must enforce password maximum lifetime restrictions.", - "desc": "Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle.", + "title": "The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.", + "desc": "Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. The default value of FALSE causes roles to be identified\n and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection.", "descriptions": { - "default": "Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle." + "default": "Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. 
The default value of FALSE causes roles to be identified\n and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection." }, - "impact": 0.5, + "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-APP-000174-DB-000080", - "gid": "V-61739", - "rid": "SV-76229r3_rule", - "stig_id": "O121-C2-015200", - "fix_id": "F-67655r5_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61427", + "rid": "SV-75917r1_rule", + "stig_id": "O121-BP-022000", + "fix_id": "F-67343r1_fix", "cci": [ - "CCI-000199" + "CCI-000366" ], "nist": [ - "IA-5 (1) (d)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
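Review bot: In the new `code` for V-61641, `audit_trail`, `audit_info_captured` and `fga_audit_events` are all queried before the `if standard_auditing_used` / `if unified_auditing_used` branches, so a site that only uses standard auditing still runs both unified-trail queries, and `fga_audit_events` pulls every FineGrainedAudit row with `SELECT *` only to test `should_not be_empty`. The adjacent query on the same view reads `EVENT_TIMESTAMP`, and I do not see a `TIMESTAMP` column on `UNIFIED_AUDIT_TRAIL`, so `.column('TIMESTAMP')` may be reading a column that does not exist (and if it does exist, the upper-case name is inconsistent with the `'value'` / `'event_timestamp'` lookups beside it). Moving each query inside its branch and bounding the FGA probe the way `audit_info_captured` already is (`FETCH FIRST 1 ROWS ONLY`) addresses both, and a comment such as `# Non-empty trails only show auditing is active; coverage of organization-defined events is still verified manually per the check text.` would make the limits of the automated part explicit. Since this file is an ingested export, the change belongs in the profile's `controls/V-61641.rb` named in `source_location`.
```ruby
if standard_auditing_used
  audit_trail = sql.query("select value from v$parameter where name = 'audit_trail';").column('value')
  # … unchanged: audit_trail describe block …
end

# … unchanged: unified_auditing query …

if unified_auditing_used
  audit_info_captured = sql.query('SELECT EVENT_TIMESTAMP FROM UNIFIED_AUDIT_TRAIL ORDER BY EVENT_TIMESTAMP DESC FETCH FIRST 10 ROWS ONLY;').column('event_timestamp')
  # Only emptiness is tested, so one row suffices; EVENT_TIMESTAMP is the column the
  # sibling query uses on this view (TODO confirm against the 12c data dictionary).
  fga_audit_events = sql.query("SELECT EVENT_TIMESTAMP FROM SYS.UNIFIED_AUDIT_TRAIL WHERE AUDIT_TYPE = 'FineGrainedAudit' FETCH FIRST 1 ROWS ONLY;").column('event_timestamp')
  # … unchanged: the three describe blocks …
end
```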
@@ -808,35 +800,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n Review DBMS settings to determine if passwords must be changed periodically. If\n not, this is a finding:\n\n SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\n\n If the “effective_life_time” is greater than “60” for any profile applied to\n user accounts, and the need for this has not been documented and approved by\n the ISSO, this is a finding.\n\n If the value is greater than 35 for any profile applied to user accounts, and\n the DBMS is configured to use Password Lifetime to disable inactive accounts,\n this is a finding.", - "fix": "For user accounts managed by Oracle: Modify DBMS settings to\n force users to periodically change their passwords. 
For example, using PPPPPP\n to stand for a profile name:\n ALTER PROFILE PPPPPP LIMIT PASSWORD_LIFE_TIME 35 PASSWORD_GRACE_TIME 0;\n Do this for each profile applied to user accounts.\n\n (Note: Although the DoD requirement is for a password change every 60 days,\n using a value of “35” facilitates the use of “PASSWORD_LIFE_TIME” as a means of\n locking accounts inactive for 35 days. But if “35” is not a practical or\n acceptable limit for password lifetime, set it to the standard DoD value of\n “60”.)\n\n Where a password lifetime longer than “60” is needed, document the reasons and\n obtain ISSO approval." + "check": "From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_roles';\n\n If the returned value is not FALSE or not documented in the System Security\n Plan as required, this is a finding.", + "fix": "Document remote OS roles in the System Security Plan.\n\n If not required, disable use of remote OS roles.\n\n From SQL*Plus:\n\n alter system set remote_os_roles = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." }, - "code": "control 'V-61739' do\n title 'The DBMS must enforce password maximum lifetime restrictions.'\n desc \"Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. 
Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000174-DB-000080'\n tag \"gid\": 'V-61739'\n tag \"rid\": 'SV-76229r3_rule'\n tag \"stig_id\": 'O121-C2-015200'\n tag \"fix_id\": 'F-67655r5_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n Review DBMS settings to determine if passwords must be changed periodically. 
If\n not, this is a finding:\n\n SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\n\n If the “effective_life_time” is greater than “60” for any profile applied to\n user accounts, and the need for this has not been documented and approved by\n the ISSO, this is a finding.\n\n If the value is greater than 35 for any profile applied to user accounts, and\n the DBMS is configured to use Password Lifetime to disable inactive accounts,\n this is a finding.\"\n tag \"fix\": \"For user accounts managed by Oracle: Modify DBMS settings to\n force users to periodically change their passwords. For example, using PPPPPP\n to stand for a profile name:\n ALTER PROFILE PPPPPP LIMIT PASSWORD_LIFE_TIME 35 PASSWORD_GRACE_TIME 0;\n Do this for each profile applied to user accounts.\n\n (Note: Although the DoD requirement is for a password change every 60 days,\n using a value of “35” facilitates the use of “PASSWORD_LIFE_TIME” as a means of\n locking accounts inactive for 35 days. 
But if “35” is not a practical or\n acceptable limit for password lifetime, set it to the standard DoD value of\n “60”.)\n\n Where a password lifetime longer than “60” is needed, document the reasons and\n obtain ISSO approval.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n get_effective_life_time = sql.query(\"SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\").column('effective_life_time')\n\n get_effective_life_time.each do |effective_life_time|\n\n describe 'The oracle database account effective life time limit' do\n subject { effective_life_time }\n it { should cmp >= 60 }\n end\n end\n describe get_effective_life_time do\n it { should_not be_empty }\n end\nend\n", + "code": "control 'V-61427' do\n title 'The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.'\n desc \"Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. The default value of FALSE causes roles to be identified\n and managed by the database. 
If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61427'\n tag \"rid\": 'SV-75917r1_rule'\n tag \"stig_id\": 'O121-BP-022000'\n tag \"fix_id\": 'F-67343r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_roles';\n\n If the returned value is not FALSE or not documented in the System Security\n Plan as required, this is a finding.\"\n tag \"fix\": \"Document remote OS roles in the System Security Plan.\n\n If not required, disable use of remote OS roles.\n\n From SQL*Plus:\n\n alter system set remote_os_roles = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = 'remote_os_roles';\").column('value')\n\n describe 'The oracle database REMOTE_OS_ROLES parameter' do\n subject { parameter }\n it { should cmp 'FALSE' }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61739.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61427.rb", "line": 1 }, - "id": "V-61739" + "id": "V-61427" }, { - "title": "The DBMS must protect audit data records and integrity by using\n cryptographic 
mechanisms.", - "desc": "Protection of audit records and audit data is of critical importance.\n Cryptographic mechanisms are the industry-established standard used to protect\n the integrity of audit data. An example of a cryptographic mechanism is the\n computation and application of a cryptographic-signed hash using asymmetric\n cryptography.\n\n Non-repudiation protects individuals against later claims by an author of\n not having performed a particular action, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.", + "title": "The DBMS must check the validity of data inputs.", + "desc": "Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to process\n that data. This results in unanticipated application behavior, potentially\n leading to an application or information system compromise. Invalid user input\n is one of the primary methods employed when attempting to compromise an\n application.\n\n All applications need to validate the data users attempt to input to the\n application for processing. Rules for checking the valid syntax and semantics\n of information system inputs (e.g., character set, length, numerical range,\n acceptable values) are in place to verify inputs match specified definitions\n for format and content. Inputs passed to interpreters are prescreened to\n prevent the content from being unintentionally interpreted as commands.\n\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", "descriptions": { - "default": "Protection of audit records and audit data is of critical importance.\n Cryptographic mechanisms are the industry-established standard used to protect\n the integrity of audit data. An example of a cryptographic mechanism is the\n computation and application of a cryptographic-signed hash using asymmetric\n cryptography.\n\n Non-repudiation protects individuals against later claims by an author of\n not having performed a particular action, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document." + "default": "Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to process\n that data. This results in unanticipated application behavior, potentially\n leading to an application or information system compromise. Invalid user input\n is one of the primary methods employed when attempting to compromise an\n application.\n\n All applications need to validate the data users attempt to input to the\n application for processing. Rules for checking the valid syntax and semantics\n of information system inputs (e.g., character set, length, numerical range,\n acceptable values) are in place to verify inputs match specified definitions\n for format and content. Inputs passed to interpreters are prescreened to\n prevent the content from being unintentionally interpreted as commands.\n\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered."
 },
 "impact": 0.5,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000126-DB-000171",
- "gid": "V-61667",
- "rid": "SV-76157r2_rule",
- "stig_id": "O121-C2-010100",
- "fix_id": "F-67581r5_fix",
+ "gtitle": "SRG-APP-000251-DB-000160",
+ "gid": "V-61785",
+ "rid": "SV-76275r2_rule",
+ "stig_id": "O121-C2-019500",
+ "fix_id": "F-67701r1_fix",
 "cci": [
- "CCI-001350"
+ "CCI-001310"
 ],
 "nist": [
- "AU-9 (3)",
+ "SI-10",
 "Rev_4"
 ],
 "false_negatives": null,
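Review bot: The embedded InSpec code for V-61427 queries `v$parameter`, which reports the value currently in effect, while the `fix` text it carries sets `remote_os_roles` with `scope = spfile`, so after the documented remediation the control keeps failing until the instance restarts and the auditor gets no hint why. A one-line comment above the `sql.query` call in the `code` string would remove that confusion, e.g. `# v$parameter shows the running value; a scope=spfile change is only visible after restart`. The `check` text also accepts a documented exception in the System Security Plan, which the automated test cannot model, and the same comment could say that the result is authoritative only for the running value. Note too that `column('value')` yields an array and `cmp 'FALSE'` unwraps a single element, so an empty result (for instance insufficient privilege on `v$parameter`) surfaces only as a generic mismatch; a separate `should_not be_empty` expectation, as the removed V-61739 code used, would make that case distinguishable. The control object and its `tags` map begin before this hunk.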
@@ -849,35 +841,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the DBMS settings to determine whether audit logging is\n configured to produce logs consistent with the amount of space allocated for\n logging.\n\n If auditing will generate excessive logs so that they may outgrow the space\n reserved for logging, this is a finding.\n\n If file-based auditing is in use, check that the file(s) is/are encrypted by\n the operating system/file system.\n\n If not, this is a finding\n\n If standard, table-based auditing is used: The audit logs are written to a\n table called AUD$, and if a Virtual Private Database is deployed, we also\n create a table called FGA_LOG$. First check the current location of the audit\n trail tables.\n\n CONN / AS SYSDBA\n\n SELECT table_name, tablespace_name\n FROM dba_tables\n WHERE table_name IN ('AUD$', 'FGA_LOG$')\n ORDER BY table_name;\n\n TABLE_NAME TABLESPACE_NAME\n ------------------------------ ------------------------------\n AUD$ SYSTEM\n FGA_LOG$ SYSTEM\n\n If the tablespace name is SYSTEM, the table needs to be relocated to its own\n tablespace. Ensure that adequate space is allocated to that tablespace.\n\n If Unified Auditing is used:\n Audit logs are written to tables in the AUDSYS schema. The default tablespace\n for AUDSYS is USERS. A separate tablespace should be created to contain audit\n data. Ensure that adequate space is allocated to that tablespace.", - "fix": "For file-based auditing (OS, XML, or XML,EXTENDED), implement\n operating system/file system encryption for the audit file.\n\n For table-based auditing, deploy the audit tables in an encrypted tablespace.\n\n - - - - -\n If auditing is not enabled, use the following steps to enable auditing.\n\n sqlplus connect as sysdba\n\n Turn on Oracle audit\n\n a. If the database uses an spfile\n\n SQL> alter system set audit_trail=DB,EXTENDED scope=spfile ;\n System altered.\n\n b. 
if database uses pfile, modify init.ora directly.\n For these changes to take place, the database must be restarted.\n\n Next we create an encrypted tablespace. Before tablespaces can be encrypted or\n decrypted, a master encryption key must be generated or set. The tablespace\n master encryption key is stored in an external security module and is used to\n encrypt the TDE tablespace encryption keys.\n\n - - - - -\n\n Caution: Do not attempt to encrypt Oracle internal objects such as the SYSTEM,\n SYSAUX, UNDO, or TEMP tablespaces. Oracle does not support this with TDE.\n When moving AUD$ to a new tablespace, be aware that associated LOB objects will\n also need to be moved. Finally, when upgrading, the AUD$ table and LOBs will\n need to be moved back to the SYSTEM tablespace or the upgrade will fail.\n\n - - - - -\n\n Check to ensure that the ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION)\n parameter in the sqlnet.ora file points to the correct software wallet\n location. (Note: This assumes that a single sqlnet.ora file, in the default\n location, is in use. Please see the supplemental file \"Non-default sqlnet.ora\n configurations.pdf\" for how to find multiple and/or differently located\n sqlnet.ora files.) For example:\n\n ENCRYPTION_WALLET_LOCATION=\n (SOURCE=(METHOD=FILE)(METHOD_DATA=\n (DIRECTORY=/app/wallet)))\n\n If the ENCRYPTION_WALLET_LOCATION parameter is not set, then it attempts to use\n the keystore in the location that is specified by the parameter WALLET_LOCATION.\n\n If the WALLET_LOCATION parameter is also not set, then Oracle Database looks\n for a keystore at the default database location, which is\n ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet or\n ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. (DB_UNIQUE_NAME is the unique name of\n the database specified in the initialization parameter file.) When the keystore\n location is not set in the sqlnet.ora file, then the V$ENCRYPTION_WALLET view\n displays the default location. 
Can check the location and status of the\n keystore in the V$ENCRYPTION_WALLET view.\n\n Oracle Database 12c Release 1 (12.1) uses the same master encryption key for\n both TDE column encryption and TDE tablespace encryption. When issuing the\n ALTER SYSTEM SET ENCRYPTION KEY command, a unified master encryption key is\n created for both TDE column encryption and TDE tablespace encryption.\n\n Resetting the Tablespace Master Encryption Key\n\n Oracle Database 12c Release 1 (12.1) uses a unified master encryption key for\n both TDE column encryption and TDE tablespace encryption. When resetting\n (rekeying) the master encryption key for TDE column encryption, the master\n encryption key for TDE tablespace encryption also gets reset. The ALTER SYSTEM\n SET ENCRYPTION KEY command resets the tablespace master encryption key. Before\n creating an encrypted tablespace, the Oracle wallet containing the tablespace\n master encryption key must be open. The wallet must also be open before\n accessing data in an encrypted tablespace. The security administrator needs to\n open the Oracle wallet after starting the Oracle instance. A restart of the\n Oracle instance requires the security administrator to open the wallet again.\n The security administrator also needs to open the wallet before performing\n database recovery operations. This is because background processes may require\n access to encrypted redo and undo logs. When performing database recovery, the\n wallet must be opened before opening the database. 
This is illustrated in the\n following statements:\n\n SQL> STARTUP MOUNT;\n SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY \"password\";\n SQL> ALTER DATABASE OPEN;\n\n Can also choose to use auto logon wallets if the environment does not require\n the extra security provided by a wallet that needs to be explicitly opened;\n however, this is not the recommended practice.\n\n Creating the wallet/keystore\n\n SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/app/wallet' IDENTIFIED BY\n password;\n\n keystore altered.\n\n Set the TDE Master Encryption Key in the Software Keystore\n\n SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP USING\n 'backup_identifier';\n\n keystore altered.\n\n Creating an Encrypted Tablespace\n\n The CREATE TABLESPACE command enables the creation of an encrypted tablespace.\n The permanent_tablespace_clause enables choosing the encryption algorithm and\n the key length for encryption. The ENCRYPT keyword in the storage_clause\n encrypts the tablespace. The following syntax illustrates this:\n\n CREATE\n [ BIGFILE | SMALLFILE ]\n { permanent_tablespace_clause\n | temporary_tablespace_clause\n | undo_tablespace_clause\n } ;\n\n Where, permanent_tablespace_clause=TABLESPACE , ENCRYPTION [USING algorithm]\n storage_clause\n Where, storage_clause=[ENCRYPT] where:\n\n The encryption algorithm can have one of the following values:\n\n 3DES168\n AES128\n AES192\n AES256\n\n The key lengths are included in the names of the algorithms themselves. If no\n encryption algorithm is specified, the default encryption algorithm is used.\n The default encryption algorithm is AES128.\n\n Note: The ENCRYPTION keyword in the permanent_tablespace_clause is used to\n specify the encryption algorithm. The ENCRYPT keyword in the storage_clause\n actually encrypts the tablespace. 
For security reasons, a tablespace cannot be\n encrypted with the NO SALT option.\n\n Commands to create Encrypted Tablespace\n\n CREATE TABLESPACE securespace\n DATAFILE '/home/user/oradata/secure01.dbf'\n SIZE 150M\n ENCRYPTION USING '3DES168'\n DEFAULT STORAGE(ENCRYPT);\n\n This creates a tablespace called securespace2 using an algorithm of 3DES168.\n\n Cannot encrypt an existing tablespace. However, can import data into an\n encrypted tablespace using the Oracle Data Pump utility. Can also use SQL\n commands like CREATE TABLE...AS SELECT...or ALTER TABLE...MOVE... to move data\n into an encrypted tablespace. The CREATE TABLE...AS SELECT... command enables\n the creation of a table from an existing table. The ALTER TABLE...MOVE...\n command enables the move of a table into the encrypted tablespace.\n\n Then we move the sys.aud$ from system tablespace to securespace tablespace.\n\n SQL> exec DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(audit_trail_type =>\n DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, audit_trail_location_value =>\n 'securespace');\n\n PL/SQL procedure successfully completed.\n\n Then check the tablespace the table is stored in.\n\n SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name\n ='AUD$';\n\n TABLE_NAME TABLESPACE_NAME\n ---------------------------- ------------------------\n AUD$ SECURESPACE" + "check": "Review DBMS code, settings, field definitions, constraints, and\n triggers to determine whether or not data being input into the database is\n validated.\n\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If field definitions do not exist in the database, this is a finding.\n\n If fields do not contain enabled constraints where required, this is a finding.\n\n - - - - -\n Oracle provides built-in processes to keep data and its integrity intact by\n using constraints.\n\n Integrity Constraint States\n Can specify that a constraint is enabled (ENABLE) or disabled 
(DISABLE). If a\n constraint is enabled, data is checked as it is entered or updated in the\n database, and data that does not conform to the constraint is prevented from\n being entered. If a constraint is disabled, then data that does not conform can\n be allowed to enter the database.\n\n Additionally, can specify that existing data in the table must conform to the\n constraint (VALIDATE). Conversely, if specified NOVALIDATE, are not ensured\n that existing data conforms.\n\n An integrity constraint defined on a table can be in one of the following\n states:\n ENABLE, VALIDATE\n ENABLE, NOVALIDATE\n DISABLE, VALIDATE\n DISABLE, NOVALIDATE\n\n For details about the meaning of these states and an understanding of their\n consequences, see the Oracle Database SQL Language Reference. Some of these\n consequences are discussed here.\n\n Disabling Constraints\n To enforce the rules defined by integrity constraints, the constraints should\n always be enabled. However, consider temporarily disabling the integrity\n constraints of a table for the following performance reasons:\n\n - When loading large amounts of data into a table\n\n - When performing batch operations that make massive changes to a table (for\n example, changing every employee's number by adding 1000 to the existing number)\n\n - When importing or exporting one table at a time\n\n In all three cases, temporarily disabling integrity constraints can improve the\n performance of the operation, especially in data warehouse configurations.\n\n It is possible to enter data that violates a constraint while that constraint\n is disabled. Thus, always enable the constraint after completing any of the\n operations listed in the preceding bullet list.\n\n Enabling Constraints\n While a constraint is enabled, no row violating the constraint can be inserted\n into the table. However, while the constraint is disabled, such a row can be\n inserted. This row is known as an exception to the constraint. 
If the\n constraint is in the ENABLE, NOVALIDATE state, violations resulting from data\n entered while the constraint was disabled remain. The rows that violate the\n constraint must be either updated or deleted in order for the constraint to be\n put in the validated state.\n\n Can identify exceptions to a specific integrity constraint while attempting to\n enable the constraint. See \"Reporting Constraint Exceptions\". All rows\n violating constraints are noted in an EXCEPTIONS table, which can be examined.\n\n ENABLE, NOVALIDATE Constraint State\n When a constraint is in the ENABLE, NOVALIDATE state, all subsequent statements\n are checked for conformity to the constraint. However, any existing data in the\n table is not checked. A table with ENABLE, NOVALIDATE constraints can contain\n invalid data, but it is not possible to add new invalid data to it. Constraints\n in the ENABLE, NOVALIDATE state is most useful in data warehouse configurations\n that are uploading valid OLTP data.\n\n Enabling a constraint does not require validation. Enabling a constraint\n novalidate is much faster than enabling and validating a constraint. 
Also,\n validating a constraint that is already enabled does not require any DML locks\n during validation (unlike validating a previously disabled constraint).\n Enforcement guarantees that no violations are introduced during the validation.\n Hence, enabling without validating reduces the downtime typically associated\n with enabling a constraint.\n\n Efficient Use of Integrity Constraints: A Procedure\n\n Using integrity constraint states in the following order can ensure the best\n benefits:\n Disable state.\n Perform the operation (load, export, import).\n ENABLE, NOVALIDATE state.\n Enable state.\n\n Some benefits of using constraints in this order are:\n No locks are held.\n All constraints can go to enable state concurrently.\n Constraint enabling is done in parallel.\n Concurrent activity on table is permitted.\n\n Setting Integrity Constraints Upon Definition\n When an integrity constraint is defined in a CREATE TABLE or ALTER TABLE\n statement, it can be enabled, disabled, or validated or not validated as\n determined by the specification of the ENABLE/DISABLE clause. If the\n ENABLE/DISABLE clause is not specified in a constraint definition, the database\n automatically enables and validates the constraint.\n\n Disabling Constraints Upon Definition\n The following CREATE TABLE and ALTER TABLE statements both define and disable\n integrity constraints:\n\n CREATE TABLE emp (\n empno NUMBER(5) PRIMARY KEY DISABLE, . . . ;\n\n ALTER TABLE emp\n ADD PRIMARY KEY (empno) DISABLE;\n\n An ALTER TABLE statement that defines and disables an integrity constraint\n never fails because of rows in the table that violate the integrity constraint.\n The definition of the constraint is allowed because its rule is not enforced.\n\n Enabling Constraints Upon Definition\n\n The following CREATE TABLE and ALTER TABLE statements both define and enable\n integrity constraints:\n\n CREATE TABLE emp (\n empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . 
;\n\n ALTER TABLE emp\n ADD CONSTRAINT emp.pk PRIMARY KEY (empno);\n\n An ALTER TABLE statement that defines and attempts to enable an integrity\n constraint can fail because rows of the table violate the integrity constraint.\n If this case, the statement is rolled back, and the constraint definition is\n not stored and not enabled.\n\n When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is\n created.", + "fix": "Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify database to contain field definitions for each field in the database.\n\n Modify database to contain constraints on database columns and tables that\n require them for data validity.\n\n Review the application schemas implemented on the system. Check the DDL for\n the tables that are created for the applications to see if constraints have\n been enabled.\n\n - - - - -\n Enabling Constraints Upon Definition\n The following CREATE TABLE and ALTER TABLE statements both define and enable\n integrity constraints:\n CREATE TABLE emp (\n empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . ) ;\n ALTER TABLE emp\n ADD CONSTRAINT emp.pk PRIMARY KEY (empno);\n\n An ALTER TABLE statement that defines and attempts to enable an integrity\n constraint can fail because existing rows of the table violate the integrity\n constraint. In this case, the statement is rolled back, and the constraint\n definition is not stored and not enabled.\n\n When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is\n created." }, - "code": "control 'V-61667' do\n title \"The DBMS must protect audit data records and integrity by using\n cryptographic mechanisms.\"\n desc \"Protection of audit records and audit data is of critical importance.\n Cryptographic mechanisms are the industry-established standard used to protect\n the integrity of audit data. 
An example of a cryptographic mechanism is the\n computation and application of a cryptographic-signed hash using asymmetric\n cryptography.\n\n Non-repudiation protects individuals against later claims by an author of\n not having performed a particular action, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000126-DB-000171'\n tag \"gid\": 'V-61667'\n tag \"rid\": 'SV-76157r2_rule'\n tag \"stig_id\": 'O121-C2-010100'\n tag \"fix_id\": 'F-67581r5_fix'\n tag \"cci\": ['CCI-001350']\n tag \"nist\": ['AU-9 (3)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the DBMS settings to determine whether audit logging is\n configured to produce logs consistent with the amount of space allocated for\n logging.\n\n If auditing will generate excessive logs so that they may outgrow the space\n reserved for logging, this is a finding.\n\n If file-based auditing is in use, check that the file(s) is/are encrypted by\n the operating system/file system.\n\n If not, this is a finding\n\n If standard, table-based auditing is used: The audit logs are written to a\n table called AUD$, and if a Virtual Private Database is deployed, we also\n create a table called FGA_LOG$. 
First check the current location of the audit\n trail tables.\n\n CONN / AS SYSDBA\n\n SELECT table_name, tablespace_name\n FROM dba_tables\n WHERE table_name IN ('AUD$', 'FGA_LOG$')\n ORDER BY table_name;\n\n TABLE_NAME TABLESPACE_NAME\n ------------------------------ ------------------------------\n AUD$ SYSTEM\n FGA_LOG$ SYSTEM\n\n If the tablespace name is SYSTEM, the table needs to be relocated to its own\n tablespace. Ensure that adequate space is allocated to that tablespace.\n\n If Unified Auditing is used:\n Audit logs are written to tables in the AUDSYS schema. The default tablespace\n for AUDSYS is USERS. A separate tablespace should be created to contain audit\n data. Ensure that adequate space is allocated to that tablespace.\"\n tag \"fix\": \"For file-based auditing (OS, XML, or XML,EXTENDED), implement\n operating system/file system encryption for the audit file.\n\n For table-based auditing, deploy the audit tables in an encrypted tablespace.\n\n - - - - -\n If auditing is not enabled, use the following steps to enable auditing.\n\n sqlplus connect as sysdba\n\n Turn on Oracle audit\n\n a. If the database uses an spfile\n\n SQL> alter system set audit_trail=DB,EXTENDED scope=spfile ;\n System altered.\n\n b. if database uses pfile, modify init.ora directly.\n For these changes to take place, the database must be restarted.\n\n Next we create an encrypted tablespace. Before tablespaces can be encrypted or\n decrypted, a master encryption key must be generated or set. The tablespace\n master encryption key is stored in an external security module and is used to\n encrypt the TDE tablespace encryption keys.\n\n - - - - -\n\n Caution: Do not attempt to encrypt Oracle internal objects such as the SYSTEM,\n SYSAUX, UNDO, or TEMP tablespaces. Oracle does not support this with TDE.\n When moving AUD$ to a new tablespace, be aware that associated LOB objects will\n also need to be moved. 
Finally, when upgrading, the AUD$ table and LOBs will\n need to be moved back to the SYSTEM tablespace or the upgrade will fail.\n\n - - - - -\n\n Check to ensure that the ENCRYPTION_WALLET_LOCATION (or WALLET_LOCATION)\n parameter in the sqlnet.ora file points to the correct software wallet\n location. (Note: This assumes that a single sqlnet.ora file, in the default\n location, is in use. Please see the supplemental file \\\"Non-default sqlnet.ora\n configurations.pdf\\\" for how to find multiple and/or differently located\n sqlnet.ora files.) For example:\n\n ENCRYPTION_WALLET_LOCATION=\n (SOURCE=(METHOD=FILE)(METHOD_DATA=\n (DIRECTORY=/app/wallet)))\n\n If the ENCRYPTION_WALLET_LOCATION parameter is not set, then it attempts to use\n the keystore in the location that is specified by the parameter WALLET_LOCATION.\n\n If the WALLET_LOCATION parameter is also not set, then Oracle Database looks\n for a keystore at the default database location, which is\n ORACLE_BASE/admin/DB_UNIQUE_NAME/wallet or\n ORACLE_HOME/admin/DB_UNIQUE_NAME/wallet. (DB_UNIQUE_NAME is the unique name of\n the database specified in the initialization parameter file.) When the keystore\n location is not set in the sqlnet.ora file, then the V$ENCRYPTION_WALLET view\n displays the default location. Can check the location and status of the\n keystore in the V$ENCRYPTION_WALLET view.\n\n Oracle Database 12c Release 1 (12.1) uses the same master encryption key for\n both TDE column encryption and TDE tablespace encryption. When issuing the\n ALTER SYSTEM SET ENCRYPTION KEY command, a unified master encryption key is\n created for both TDE column encryption and TDE tablespace encryption.\n\n Resetting the Tablespace Master Encryption Key\n\n Oracle Database 12c Release 1 (12.1) uses a unified master encryption key for\n both TDE column encryption and TDE tablespace encryption. 
When resetting\n (rekeying) the master encryption key for TDE column encryption, the master\n encryption key for TDE tablespace encryption also gets reset. The ALTER SYSTEM\n SET ENCRYPTION KEY command resets the tablespace master encryption key. Before\n creating an encrypted tablespace, the Oracle wallet containing the tablespace\n master encryption key must be open. The wallet must also be open before\n accessing data in an encrypted tablespace. The security administrator needs to\n open the Oracle wallet after starting the Oracle instance. A restart of the\n Oracle instance requires the security administrator to open the wallet again.\n The security administrator also needs to open the wallet before performing\n database recovery operations. This is because background processes may require\n access to encrypted redo and undo logs. When performing database recovery, the\n wallet must be opened before opening the database. This is illustrated in the\n following statements:\n\n SQL> STARTUP MOUNT;\n SQL> ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY \\\"password\\\";\n SQL> ALTER DATABASE OPEN;\n\n Can also choose to use auto logon wallets if the environment does not require\n the extra security provided by a wallet that needs to be explicitly opened;\n however, this is not the recommended practice.\n\n Creating the wallet/keystore\n\n SQL> ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/app/wallet' IDENTIFIED BY\n password;\n\n keystore altered.\n\n Set the TDE Master Encryption Key in the Software Keystore\n\n SQL> ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY password WITH BACKUP USING\n 'backup_identifier';\n\n keystore altered.\n\n Creating an Encrypted Tablespace\n\n The CREATE TABLESPACE command enables the creation of an encrypted tablespace.\n The permanent_tablespace_clause enables choosing the encryption algorithm and\n the key length for encryption. The ENCRYPT keyword in the storage_clause\n encrypts the tablespace. 
The following syntax illustrates this:\n\n CREATE\n [ BIGFILE | SMALLFILE ]\n { permanent_tablespace_clause\n | temporary_tablespace_clause\n | undo_tablespace_clause\n } ;\n\n Where, permanent_tablespace_clause=TABLESPACE , ENCRYPTION [USING algorithm]\n storage_clause\n Where, storage_clause=[ENCRYPT] where:\n\n The encryption algorithm can have one of the following values:\n\n 3DES168\n AES128\n AES192\n AES256\n\n The key lengths are included in the names of the algorithms themselves. If no\n encryption algorithm is specified, the default encryption algorithm is used.\n The default encryption algorithm is AES128.\n\n Note: The ENCRYPTION keyword in the permanent_tablespace_clause is used to\n specify the encryption algorithm. The ENCRYPT keyword in the storage_clause\n actually encrypts the tablespace. For security reasons, a tablespace cannot be\n encrypted with the NO SALT option.\n\n Commands to create Encrypted Tablespace\n\n CREATE TABLESPACE securespace\n DATAFILE '/home/user/oradata/secure01.dbf'\n SIZE 150M\n ENCRYPTION USING '3DES168'\n DEFAULT STORAGE(ENCRYPT);\n\n This creates a tablespace called securespace2 using an algorithm of 3DES168.\n\n Cannot encrypt an existing tablespace. However, can import data into an\n encrypted tablespace using the Oracle Data Pump utility. Can also use SQL\n commands like CREATE TABLE...AS SELECT...or ALTER TABLE...MOVE... to move data\n into an encrypted tablespace. The CREATE TABLE...AS SELECT... command enables\n the creation of a table from an existing table. 
The ALTER TABLE...MOVE...\n command enables the move of a table into the encrypted tablespace.\n\n Then we move the sys.aud$ from system tablespace to securespace tablespace.\n\n SQL> exec DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(audit_trail_type =>\n DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD, audit_trail_location_value =>\n 'securespace');\n\n PL/SQL procedure successfully completed.\n\n Then check the tablespace the table is stored in.\n\n SQL> SELECT table_name, tablespace_name FROM dba_tables WHERE table_name\n ='AUD$';\n\n TABLE_NAME TABLESPACE_NAME\n ---------------------------- ------------------------\n AUD$ SECURESPACE\"\n describe 'A manual review is required to ensure the DBMS must protect audit data records and integrity by using\n cryptographic mechanisms' do\n skip 'A manual review is required to ensure the DBMS must protect audit data records and integrity by using\n cryptographic mechanisms'\n end\nend\n", + "code": "control 'V-61785' do\n title 'The DBMS must check the validity of data inputs.'\n desc \"Invalid user input occurs when a user inserts data or characters into\n an application's data entry fields and the application is unprepared to process\n that data. This results in unanticipated application behavior, potentially\n leading to an application or information system compromise. Invalid user input\n is one of the primary methods employed when attempting to compromise an\n application.\n\n All applications need to validate the data users attempt to input to the\n application for processing. Rules for checking the valid syntax and semantics\n of information system inputs (e.g., character set, length, numerical range,\n acceptable values) are in place to verify inputs match specified definitions\n for format and content. 
Inputs passed to interpreters are prescreened to\n prevent the content from being unintentionally interpreted as commands.\n\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000251-DB-000160'\n tag \"gid\": 'V-61785'\n tag \"rid\": 'SV-76275r2_rule'\n tag \"stig_id\": 'O121-C2-019500'\n tag \"fix_id\": 'F-67701r1_fix'\n tag \"cci\": ['CCI-001310']\n tag \"nist\": ['SI-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS code, settings, field definitions, constraints, and\n triggers to determine whether or not data being input into the database is\n validated.\n\n If code exists that allows invalid data to be acted upon or input into the\n database, this is a finding.\n\n If field definitions do not exist in the database, this is a finding.\n\n If fields do not contain enabled constraints where required, this is a finding.\n\n - - - - -\n Oracle provides built-in processes to keep data and its integrity intact by\n using constraints.\n\n Integrity Constraint States\n Can specify that a constraint is enabled (ENABLE) or disabled (DISABLE). 
If a\n constraint is enabled, data is checked as it is entered or updated in the\n database, and data that does not conform to the constraint is prevented from\n being entered. If a constraint is disabled, then data that does not conform can\n be allowed to enter the database.\n\n Additionally, can specify that existing data in the table must conform to the\n constraint (VALIDATE). Conversely, if specified NOVALIDATE, are not ensured\n that existing data conforms.\n\n An integrity constraint defined on a table can be in one of the following\n states:\n ENABLE, VALIDATE\n ENABLE, NOVALIDATE\n DISABLE, VALIDATE\n DISABLE, NOVALIDATE\n\n For details about the meaning of these states and an understanding of their\n consequences, see the Oracle Database SQL Language Reference. Some of these\n consequences are discussed here.\n\n Disabling Constraints\n To enforce the rules defined by integrity constraints, the constraints should\n always be enabled. However, consider temporarily disabling the integrity\n constraints of a table for the following performance reasons:\n\n - When loading large amounts of data into a table\n\n - When performing batch operations that make massive changes to a table (for\n example, changing every employee's number by adding 1000 to the existing number)\n\n - When importing or exporting one table at a time\n\n In all three cases, temporarily disabling integrity constraints can improve the\n performance of the operation, especially in data warehouse configurations.\n\n It is possible to enter data that violates a constraint while that constraint\n is disabled. Thus, always enable the constraint after completing any of the\n operations listed in the preceding bullet list.\n\n Enabling Constraints\n While a constraint is enabled, no row violating the constraint can be inserted\n into the table. However, while the constraint is disabled, such a row can be\n inserted. This row is known as an exception to the constraint. 
If the\n constraint is in the ENABLE, NOVALIDATE state, violations resulting from data\n entered while the constraint was disabled remain. The rows that violate the\n constraint must be either updated or deleted in order for the constraint to be\n put in the validated state.\n\n Can identify exceptions to a specific integrity constraint while attempting to\n enable the constraint. See \\\"Reporting Constraint Exceptions\\\". All rows\n violating constraints are noted in an EXCEPTIONS table, which can be examined.\n\n ENABLE, NOVALIDATE Constraint State\n When a constraint is in the ENABLE, NOVALIDATE state, all subsequent statements\n are checked for conformity to the constraint. However, any existing data in the\n table is not checked. A table with ENABLE, NOVALIDATE constraints can contain\n invalid data, but it is not possible to add new invalid data to it. Constraints\n in the ENABLE, NOVALIDATE state is most useful in data warehouse configurations\n that are uploading valid OLTP data.\n\n Enabling a constraint does not require validation. Enabling a constraint\n novalidate is much faster than enabling and validating a constraint. 
Also,\n validating a constraint that is already enabled does not require any DML locks\n during validation (unlike validating a previously disabled constraint).\n Enforcement guarantees that no violations are introduced during the validation.\n Hence, enabling without validating reduces the downtime typically associated\n with enabling a constraint.\n\n Efficient Use of Integrity Constraints: A Procedure\n\n Using integrity constraint states in the following order can ensure the best\n benefits:\n Disable state.\n Perform the operation (load, export, import).\n ENABLE, NOVALIDATE state.\n Enable state.\n\n Some benefits of using constraints in this order are:\n No locks are held.\n All constraints can go to enable state concurrently.\n Constraint enabling is done in parallel.\n Concurrent activity on table is permitted.\n\n Setting Integrity Constraints Upon Definition\n When an integrity constraint is defined in a CREATE TABLE or ALTER TABLE\n statement, it can be enabled, disabled, or validated or not validated as\n determined by the specification of the ENABLE/DISABLE clause. If the\n ENABLE/DISABLE clause is not specified in a constraint definition, the database\n automatically enables and validates the constraint.\n\n Disabling Constraints Upon Definition\n The following CREATE TABLE and ALTER TABLE statements both define and disable\n integrity constraints:\n\n CREATE TABLE emp (\n empno NUMBER(5) PRIMARY KEY DISABLE, . . . ;\n\n ALTER TABLE emp\n ADD PRIMARY KEY (empno) DISABLE;\n\n An ALTER TABLE statement that defines and disables an integrity constraint\n never fails because of rows in the table that violate the integrity constraint.\n The definition of the constraint is allowed because its rule is not enforced.\n\n Enabling Constraints Upon Definition\n\n The following CREATE TABLE and ALTER TABLE statements both define and enable\n integrity constraints:\n\n CREATE TABLE emp (\n empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . 
;\n\n ALTER TABLE emp\n ADD CONSTRAINT emp.pk PRIMARY KEY (empno);\n\n An ALTER TABLE statement that defines and attempts to enable an integrity\n constraint can fail because rows of the table violate the integrity constraint.\n If this case, the statement is rolled back, and the constraint definition is\n not stored and not enabled.\n\n When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is\n created.\"\n tag \"fix\": \"Modify database code to properly validate data before it is put\n into the database or acted upon by the database.\n\n Modify database to contain field definitions for each field in the database.\n\n Modify database to contain constraints on database columns and tables that\n require them for data validity.\n\n Review the application schemas implemented on the system. Check the DDL for\n the tables that are created for the applications to see if constraints have\n been enabled.\n\n - - - - -\n Enabling Constraints Upon Definition\n The following CREATE TABLE and ALTER TABLE statements both define and enable\n integrity constraints:\n CREATE TABLE emp (\n empno NUMBER(5) CONSTRAINT emp.pk PRIMARY KEY, . . . ) ;\n ALTER TABLE emp\n ADD CONSTRAINT emp.pk PRIMARY KEY (empno);\n\n An ALTER TABLE statement that defines and attempts to enable an integrity\n constraint can fail because existing rows of the table violate the integrity\n constraint. 
In this case, the statement is rolled back, and the constraint\n definition is not stored and not enabled.\n\n When enabling a UNIQUE or PRIMARY KEY constraint, an associated index is\n created.\"\n describe 'A manual review is required to ensure the DBMS checks the validity of data inputs' do\n skip 'A manual review is required to ensure the DBMS checks the validity of data inputs'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61667.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61785.rb", "line": 1 }, - "id": "V-61667" + "id": "V-61785" }, { - "title": "The DBMS must restrict error messages so only authorized personnel may\n view them.", - "desc": "If the application provides too much information in error logs and\n administrative messages to the screen, this could lead to compromise. The\n structure and content of error messages need to be carefully considered by the\n organization and development team. The extent to which the information system\n is able to identify and handle error conditions is guided by organizational\n policy and operational requirements.\n\n Some default DBMS error messages can contain information that could aid an\n attacker in, among others things, identifying the database type, host address,\n or state of the database. Custom errors may contain sensitive customer\n information. It is important that error messages are displayed only to those\n who are authorized to view them.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", + "title": "The DBMS must use multifactor authentication for local access to\n non-privileged accounts.", + "desc": "Multifactor authentication is defined as using two or more factors to\n achieve authentication.\n\n Factors include:\n (i) Something a user knows (e.g., password/PIN);\n (ii) Something a user has (e.g., cryptographic identification device,\n token); or\n (iii) Something a user is (e.g., biometric).\n\n A non-privileged account is defined as an information system account with\n authorizations of a regular or non-privileged user.\n\n Local Access is defined as access to an organizational information system\n by a user (or process acting on behalf of a user) communicating through a\n direct connection without the use of a network.\n\n The lack of multifactor authentication makes it much easier for an attacker\n to gain unauthorized access to a system.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS.", "descriptions": { - "default": "If the application provides too much information in error logs and\n administrative messages to the screen, this could lead to compromise. The\n structure and content of error messages need to be carefully considered by the\n organization and development team. The extent to which the information system\n is able to identify and handle error conditions is guided by organizational\n policy and operational requirements.\n\n Some default DBMS error messages can contain information that could aid an\n attacker in, among others things, identifying the database type, host address,\n or state of the database. Custom errors may contain sensitive customer\n information. 
It is important that error messages are displayed only to those\n who are authorized to view them.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered." + "default": "Multifactor authentication is defined as using two or more factors to\n achieve authentication.\n\n Factors include:\n (i) Something a user knows (e.g., password/PIN);\n (ii) Something a user has (e.g., cryptographic identification device,\n token); or\n (iii) Something a user is (e.g., biometric).\n\n A non-privileged account is defined as an information system account with\n authorizations of a regular or non-privileged user.\n\n Local Access is defined as access to an organizational information system\n by a user (or process acting on behalf of a user) communicating through a\n direct connection without the use of a network.\n\n The lack of multifactor authentication makes it much easier for an attacker\n to gain unauthorized access to a system.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS." 
}, - "impact": 0.5, - "refs": [], + "impact": 0, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000267-DB-000163", - "gid": "V-61793", - "rid": "SV-76283r2_rule", - "stig_id": "O121-C2-020000", - "fix_id": "F-67709r2_fix", + "gtitle": "SRG-APP-000152-DB-000107", + "gid": "V-61709", + "rid": "SV-76199r2_rule", + "stig_id": "O121-C2-013200", + "fix_id": "F-67625r1_fix", "cci": [ - "CCI-001314" + "CCI-000768" ], "nist": [ - "SI-11 b", + "IA-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -890,35 +886,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check DBMS settings and custom database code to determine if\n error messages are ever displayed to unauthorized individuals:\n\n i) Review all end-user-facing applications that use the database, to determine\n whether they display any DBMS-generated error messages to general users. If\n they do, this is a finding.\n\n ii) Review whether the database is accessible to users who are not authorized\n system administrators or database administrators, via the following types of\n software:\n iia) Oracle SQL*Plus\n iib) Reporting and analysis tools\n iic) Database management and/or development tools, such as, but not limited to,\n Toad.\n iid) Application development tools, such as, but not limited to, Oracle\n JDeveloper, Microsoft Visual Studio, PowerBuilder, or Eclipse.\n\n If the answer to the preceding question (iia through iid) is Yes, inquire\n whether, for each role or individual with respect to each tool, this access is\n required to enable the user(s) to perform authorized job duties. If No, this\n is a finding. If Yes, continue:\n\n For each tool in use, determine whether it is capable of suppressing\n DBMS-generated error messages, and if it is, whether it is configured to do so.\n\n Determine whether the role or individual, with respect to each tool, needs to\n see detailed DBMS-generated error messages.\n\n If No, and if the tool is not configured to suppress such messages, this is a\n finding.\n\n If Yes, determine whether the role/user's need to see such messages is\n documented in the System Security Plan. If so, this is not a finding. If not,\n this is a finding.", - "fix": "i) For each end-user-facing application that displays\n DBMS-generated error messages, configure or recode it to suppress these\n messages.\n\n If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used\n to suppress or divert error messages. 
Most other programming languages provide\n comparable facilities, such as TRY ... CATCH.\n\n ii) For each unauthorized user of each tool, remove the ability to access it.\n For each tool where access to DBMS error messages is not required and can be\n configured, suppress the messages. For each role/user that needs access to the\n error messages, or needs a tool where the messages cannot be suppressed,\n document the need in the system security plan." + "check": "Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings to determine whether users logging on\n to non-privileged accounts locally are required to use multifactor\n authentication.\n\n If users logging on to privileged accounts locally are not required to use\n multifactor authentication, this is a finding.\n\n Use authentication to prove the identities of users who are attempting to log\n on to the database. Authenticating user identity is imperative in distributed\n environments, without which there can be little confidence in network security.\n Passwords are the most common means of authentication. Oracle Database enables\n strong authentication with Oracle authentication adapters that support various\n third-party authentication services, including TLS with digital certificates.\n\n If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the\n following, TLS is enabled.\n (Note: This assumes that a single sqlnet.ora file, in the default location, is\n in use. 
Please see the supplemental file \"Non-default sqlnet.ora\n configurations.pdf\" for how to find multiple and/or differently located\n sqlnet.ora files.)\n\n SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)\n SSL_VERSION = 1.2 or 1.1\n SSL_CLIENT_AUTHENTICATION = TRUE\n WALLET_LOCATION =\n (SOURCE =\n (METHOD = FILE)\n (METHOD_DATA =\n (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)\n )\n )\n SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)\n ADR_BASE = /u01/app/oracle\n\n Note: \"SSL_VERSION = 1.2 or 1.1\" is the actual value, not a suggestion to\n use one or the other.", + "fix": "Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to require multifactor authentication for local users logging on to\n non-privileged accounts.\n\n If appropriate, enable support for Transport Layer Security (TLS) protocols and\n multifactor authentication through the use of Smart Cards (CAC/PIV)." }, - "code": "control 'V-61793' do\n title \"The DBMS must restrict error messages so only authorized personnel may\n view them.\"\n desc \"If the application provides too much information in error logs and\n administrative messages to the screen, this could lead to compromise. The\n structure and content of error messages need to be carefully considered by the\n organization and development team. The extent to which the information system\n is able to identify and handle error conditions is guided by organizational\n policy and operational requirements.\n\n Some default DBMS error messages can contain information that could aid an\n attacker in, among others things, identifying the database type, host address,\n or state of the database. Custom errors may contain sensitive customer\n information. It is important that error messages are displayed only to those\n who are authorized to view them.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000267-DB-000163'\n tag \"gid\": 'V-61793'\n tag \"rid\": 'SV-76283r2_rule'\n tag \"stig_id\": 'O121-C2-020000'\n tag \"fix_id\": 'F-67709r2_fix'\n tag \"cci\": ['CCI-001314']\n tag \"nist\": ['SI-11 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings and custom database code to determine if\n error messages are ever displayed to unauthorized individuals:\n\n i) Review all end-user-facing applications that use the database, to determine\n whether they display any DBMS-generated error messages to general users. 
If\n they do, this is a finding.\n\n ii) Review whether the database is accessible to users who are not authorized\n system administrators or database administrators, via the following types of\n software:\n iia) Oracle SQL*Plus\n iib) Reporting and analysis tools\n iic) Database management and/or development tools, such as, but not limited to,\n Toad.\n iid) Application development tools, such as, but not limited to, Oracle\n JDeveloper, Microsoft Visual Studio, PowerBuilder, or Eclipse.\n\n If the answer to the preceding question (iia through iid) is Yes, inquire\n whether, for each role or individual with respect to each tool, this access is\n required to enable the user(s) to perform authorized job duties. If No, this\n is a finding. If Yes, continue:\n\n For each tool in use, determine whether it is capable of suppressing\n DBMS-generated error messages, and if it is, whether it is configured to do so.\n\n Determine whether the role or individual, with respect to each tool, needs to\n see detailed DBMS-generated error messages.\n\n If No, and if the tool is not configured to suppress such messages, this is a\n finding.\n\n If Yes, determine whether the role/user's need to see such messages is\n documented in the System Security Plan. If so, this is not a finding. If not,\n this is a finding.\"\n tag \"fix\": \"i) For each end-user-facing application that displays\n DBMS-generated error messages, configure or recode it to suppress these\n messages.\n\n If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used\n to suppress or divert error messages. Most other programming languages provide\n comparable facilities, such as TRY ... CATCH.\n\n ii) For each unauthorized user of each tool, remove the ability to access it.\n For each tool where access to DBMS error messages is not required and can be\n configured, suppress the messages. 
For each role/user that needs access to the\n error messages, or needs a tool where the messages cannot be suppressed,\n document the need in the system security plan.\"\n describe 'A manual review is required to ensure the DBMS restricts error messages so only authorized personnel may\n view them' do\n skip 'A manual review is required to ensure the DBMS restricts error messages so only authorized personnel may\n view them'\n end\nend\n", + "code": " control 'V-61709' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61793.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61709.rb", "line": 1 }, - "id": "V-61793" + "id": "V-61709" }, { - "title": "System privileges granted using the WITH ADMIN OPTION must not be\n granted to unauthorized user accounts.", - "desc": "The WITH ADMIN OPTION allows the grantee to grant a privilege to\n another database account. Best security practice restricts the privilege of\n assigning privileges to authorized personnel. Authorized personnel include\n DBAs, object owners, and, where designed and included in the application's\n functions, application administrators. 
Restricting privilege-granting functions\n to authorized accounts can help decrease mismanagement of privileges and\n wrongful assignments to unauthorized accounts.", + "title": "The DBMS must employ strong identification and authentication\n techniques when establishing nonlocal maintenance and diagnostic sessions.", + "desc": "Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure the identification and\n authentication techniques used to remotely access the system are strong enough\n to protect the system. If the communication channel is not adequately\n protected, authentication information, application data, and configuration\n information could be compromised.", "descriptions": { - "default": "The WITH ADMIN OPTION allows the grantee to grant a privilege to\n another database account. Best security practice restricts the privilege of\n assigning privileges to authorized personnel. Authorized personnel include\n DBAs, object owners, and, where designed and included in the application's\n functions, application administrators. Restricting privilege-granting functions\n to authorized accounts can help decrease mismanagement of privileges and\n wrongful assignments to unauthorized accounts." 
+ "default": "Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure the identification and\n authentication techniques used to remotely access the system are strong enough\n to protect the system. If the communication channel is not adequately\n protected, authentication information, application data, and configuration\n information could be compromised." }, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61433", - "rid": "SV-75923r3_rule", - "stig_id": "O121-BP-022300", - "fix_id": "F-67349r1_fix", + "gtitle": "SRG-APP-000185-DB-000116", + "gid": "V-61751", + "rid": "SV-76241r1_rule", + "stig_id": "O121-C2-016100", + "fix_id": "F-67667r1_fix", "cci": [ - "CCI-000366" + "CCI-000877" ], "nist": [ - "CM-6 b", + "MA-4 c)", "Rev_4" ], "false_negatives": null, 
@@ -931,35 +927,40 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "A default Oracle Database installation provides a set of\n predefined administrative accounts and non-administrative accounts. These are\n accounts that have special privileges required to administer areas of the\n database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE\n privileges on packages owned by the SYS schema. The default tablespace for\n administrative accounts is either SYSTEM or SYSAUX. Non-administrative user\n accounts only have the minimum privileges needed to perform their jobs. Their\n default tablespace is USERS.\n\n To protect these accounts from unauthorized access, the installation process\n expires and locks most of these accounts, except where noted below. The\n database administrator is responsible for unlocking and resetting these\n accounts, as required.\n\n Non-Administrative Accounts - Expired and locked:\n APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM,\n SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL\n\n Administrative Accounts - Expired and Locked:\n ANONYMOUS, CTXSTS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, OEDDATA, OWBSYS,\n ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS,\n XDB\n\n Administrative Accounts - Open:\n DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM, SYSKM\n\n * Subject to change based on version installed\n\n Run the SQL query:\n\n From SQL*Plus:\n select grantee, privilege from dba_sys_privs\n where grantee not in ()\n and admin_option = 'YES'\n and grantee not in\n (select grantee from dba_role_privs where granted_role = 'DBA');\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n If 
any accounts that are not authorized to have the ADMIN OPTION are listed,\n this is a finding.", - "fix": "Revoke assignment of privileges with the WITH ADMIN OPTION from\n unauthorized users and re-grant them without the option.\n\n From SQL*Plus:\n\n revoke [privilege name] from user [username];\n\n Replace [privilege name] with the named privilege and [username] with the named\n user.\n\n Restrict use of the WITH ADMIN OPTION to authorized administrators.\n\n Document authorized privilege assignments with the WITH ADMIN OPTION in the\n System Security Plan." + "check": "Review DBMS settings to determine whether strong identification\n and authentication techniques are required for nonlocal maintenance and\n diagnostic sessions.\n\n If strong identification and authentication techniques are not required, this\n is a finding.", + "fix": "Configure DBMS settings to use strong identification and\n authentication techniques for nonlocal maintenance and diagnostic sessions." }, - "code": "control 'V-61433' do\n title \"System privileges granted using the WITH ADMIN OPTION must not be\n granted to unauthorized user accounts.\"\n desc \"The WITH ADMIN OPTION allows the grantee to grant a privilege to\n another database account. Best security practice restricts the privilege of\n assigning privileges to authorized personnel. Authorized personnel include\n DBAs, object owners, and, where designed and included in the application's\n functions, application administrators. 
Restricting privilege-granting functions\n to authorized accounts can help decrease mismanagement of privileges and\n wrongful assignments to unauthorized accounts.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61433'\n tag \"rid\": 'SV-75923r3_rule'\n tag \"stig_id\": 'O121-BP-022300'\n tag \"fix_id\": 'F-67349r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"A default Oracle Database installation provides a set of\n predefined administrative accounts and non-administrative accounts. These are\n accounts that have special privileges required to administer areas of the\n database, such as the CREATE ANY TABLE or ALTER SESSION privilege, or EXECUTE\n privileges on packages owned by the SYS schema. The default tablespace for\n administrative accounts is either SYSTEM or SYSAUX. Non-administrative user\n accounts only have the minimum privileges needed to perform their jobs. Their\n default tablespace is USERS.\n\n To protect these accounts from unauthorized access, the installation process\n expires and locks most of these accounts, except where noted below. 
The\n database administrator is responsible for unlocking and resetting these\n accounts, as required.\n\n Non-Administrative Accounts - Expired and locked:\n APEX_PUBLIC_USER, DIP, FLOWS_040100*, FLOWS_FILES, MDDATA, ORACLE_OCM,\n SPATIAL_CSW_ADMIN_USR, SPATIAL_WFS_ADMIN_USR, XS$NULL\n\n Administrative Accounts - Expired and Locked:\n ANONYMOUS, CTXSTS, EXFSYS, LBACSYS, MDSYS, OLAPSYS, OEDDATA, OWBSYS,\n ORDPLUGINS, ORDSYS, OUTLN, SI_INFORMTN_SCHEMA, WK_TEST, WK_SYS, WKPROXY, WMSYS,\n XDB\n\n Administrative Accounts - Open:\n DBSNMP, MGMT_VIEW, SYS, SYSMAN, SYSTEM, SYSKM\n\n * Subject to change based on version installed\n\n Run the SQL query:\n\n From SQL*Plus:\n select grantee, privilege from dba_sys_privs\n where grantee not in ()\n and admin_option = 'YES'\n and grantee not in\n (select grantee from dba_role_privs where granted_role = 'DBA');\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n If any accounts that are not authorized to have the ADMIN OPTION are listed,\n this is a finding.\"\n tag \"fix\": \"Revoke assignment of privileges with the WITH ADMIN OPTION from\n unauthorized users and re-grant them without the option.\n\n From SQL*Plus:\n\n revoke [privilege name] from user [username];\n\n Replace [privilege name] with the named privilege and [username] with the named\n user.\n\n Restrict use of the WITH ADMIN OPTION to authorized administrators.\n\n Document authorized privilege assignments with the WITH ADMIN OPTION in the\n System Security Plan.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n dba_users = sql.query(\"select grantee from dba_sys_privs\n where admin_option 
= 'YES' and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA');\").column('grantee').uniq\n if dba_users.empty?\n impact 0.0\n describe 'There are no oracle DBA users, control N/A' do\n skip 'There are no oracle DBA users, control N/A'\n end\n else\n dba_users.each do |user|\n describe \"oracle DBA users: #{user}\" do\n subject { user }\n it { should be_in input('allowed_dbadmin_users') }\n end\n end\n end\nend\n", + "code": "control 'V-61751' do\n title \"The DBMS must employ strong identification and authentication\n techniques when establishing nonlocal maintenance and diagnostic sessions.\"\n desc \"Non-local maintenance and diagnostic activities are those activities\n conducted by individuals communicating through a network, either an external\n network (e.g., the Internet) or an internal network.\n\n The act of managing systems and applications includes the ability to access\n sensitive application information, such as system configuration details,\n diagnostic information, user information, and potentially sensitive application\n data.\n\n When applications provide a remote management capability inherent to the\n application, the application needs to ensure the identification and\n authentication techniques used to remotely access the system are strong enough\n to protect the system. 
If the communication channel is not adequately\n protected, authentication information, application data, and configuration\n information could be compromised.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000185-DB-000116'\n tag \"gid\": 'V-61751'\n tag \"rid\": 'SV-76241r1_rule'\n tag \"stig_id\": 'O121-C2-016100'\n tag \"fix_id\": 'F-67667r1_fix'\n tag \"cci\": ['CCI-000877']\n tag \"nist\": ['MA-4 c)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings to determine whether strong identification\n and authentication techniques are required for nonlocal maintenance and\n diagnostic sessions.\n\n If strong identification and authentication techniques are not required, this\n is a finding.\"\n tag \"fix\": \"Configure DBMS settings to use strong identification and\n authentication techniques for nonlocal maintenance and diagnostic sessions.\"\n describe 'A manual review is required to ensure the DBMS employs strong identification and authentication\n techniques when establishing nonlocal maintenance and diagnostic sessions' do\n skip 'A manual review is required to ensure the DBMS employs strong identification and authentication\n techniques when establishing nonlocal maintenance and diagnostic sessions'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61433.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61751.rb", "line": 1 }, - "id": "V-61433" + "id": "V-61751" }, { - "title": "Use of external executables must be authorized.", - "desc": "Information systems are capable of providing a wide variety of\n functions and services. 
Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plugins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n DBMS's may spawn additional external processes to execute procedures that\n are defined in the DBMS, but stored in external host files (external\n procedures). The spawned process used to execute the external procedure may\n operate within a different OS security context than the DBMS and provide\n unauthorized access to the host system.", + "title": "Administrative privileges must be assigned to database accounts via\n database roles.", + "desc": "Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). 
The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n Privileges granted outside the context of the application user job function\n are more likely to go unmanaged or without oversight for authorization.\n Maintenance of privileges using roles defined for discrete job functions offers\n improved oversight of application user privilege assignments and helps to\n protect against unauthorized privilege assignment.", "descriptions": { - "default": "Information systems are capable of providing a wide variety of\n functions and services. Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plugins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n DBMS's may spawn additional external processes to execute procedures that\n are defined in the DBMS, but stored in external host files (external\n procedures). The spawned process used to execute the external procedure may\n operate within a different OS security context than the DBMS and provide\n unauthorized access to the host system." 
+ "default": "Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n Privileges granted outside the context of the application user job function\n are more likely to go unmanaged or without oversight for authorization.\n Maintenance of privileges using roles defined for discrete job functions offers\n improved oversight of application user privilege assignments and helps to\n protect against unauthorized privilege assignment." }, - "impact": 0, - "refs": [], + "impact": 0.5, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000141-DB-000093", - "gid": "V-61683", - "rid": "SV-76173r1_rule", - "stig_id": "O121-C2-011800", - "fix_id": "F-67597r1_fix", + "gtitle": "SRG-APP-000062-DB-000034", + "gid": "V-61591", + "rid": "SV-76081r3_rule", + "stig_id": "O121-C2-004000", + "fix_id": "F-67507r1_fix", "cci": [ - "CCI-000381" + "CCI-000366", + "CCI-002220" ], "nist": [ - "CM-7 a", + "AC-5 c", "Rev_4" ], "false_negatives": null, 
@@ -972,35 +973,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the database for definitions of application executable\n objects stored external to the database.\n\n Determine if there are methods to disable use or access, or to remove\n definitions for external executable objects.\n\n Verify any application executable objects listed are authorized by the ISSO.\n\n If any are not, this is a finding.\n\n - - - - -\n To check for external procedures, execute the following query which will\n provide the libraries containing external procedures, the owners of those\n libraries, users that have been granted access to those libraries, and the\n privileges they have been granted. If there are owners other than the owners\n that Oracle provides, then there may be executable objects stored either in the\n database or external to the database that are called by objects in the\n database. Check to see that those owners are authorized to access those\n libraries. 
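Review bot: The V-61591 tag block added at the end of this hunk lists two CCIs, "CCI-000366" and "CCI-002220", but only one NIST mapping, "AC-5 c", so the CM-6 b mapping that this file pairs with CCI-000366 elsewhere (see the removed V-61433 tags in the same hunk) is absent from the ingested record. The control source further down in this diff appears to declare `tag "nist"` twice, first `['CM-6 b', 'Rev_4']` then `['AC-5 c', 'Rev_4']`, and the exporter seems to keep only the last one, so this is most likely an upstream profile defect that the automated ingestion reproduces rather than introduces. The fix belongs in the upstream control: collapse the two tags to `tag "nist": ['CM-6 b', 'AC-5 c', 'Rev_4']`, after which the ingested JSON would carry `"nist": ["CM-6 b", "AC-5 c", "Rev_4"]` and a compliance view would show both controls for V-61591. Separately, the new `"refs": [ { "ref": [] } ]` shape differs from the `"refs": []` used by the neighbouring controls; a consumer that iterates refs expecting populated entries should tolerate an empty inner array, or the ingestion should normalize it to `[]`.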
If there are users that have been granted access to libraries\n provided by Oracle, check to see that they are authorized to access those\n libraries.\n\n (connect as sysdba)\n set linesize 130\n column library_name format a25\n column name format a15\n column owner format a15\n column grantee format a15\n column privilege format a15\n select library_name,owner, '' grantee, '' privilege\n from dba_libraries where file_spec is not null\n minus\n (\n select library_name,o.name owner, '' grantee, '' privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and l.file_spec is not null\n )\n union all\n select library_name,o.name owner, --obj.obj#,oa.privilege#,\n ge.name grantee,\n tpm.name privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa,\n sys.table_privilege_map tpm\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and tpm.privilege=oa.privilege#\n and l.file_spec is not null;\n /", - "fix": "Disable use of or remove any external application executable\n object definitions that are not authorized.\n\n Revoke privileges granted to users that are not authorized access to external\n applications." + "check": "Review accounts for direct assignment of administrative\n privileges. 
Connected as SYSDBA, run the query:\n SELECT grantee, privilege\n FROM dba_sys_privs\n WHERE grantee IN\n (\n SELECT username\n FROM dba_users\n WHERE username NOT IN\n (\n 'XDB', 'SYSTEM', 'SYS', 'LBACSYS',\n 'DVSYS', 'DVF', 'SYSMAN_RO',\n 'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',\n 'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',\n 'SYSMAN', 'APEX_040200', 'WMSYS',\n 'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',\n 'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',\n 'OLAPSYS', 'SI_INFORMTN_SCHEMA',\n 'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',\n 'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',\n 'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',\n 'DIP', 'CTXSYS', 'AUDSYS',\n 'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',\n 'SPATIAL_CSW_ADMIN_USR', 'SYSKM',\n 'SYSMAN_TYPES', 'MGMT_VIEW',\n 'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'\n )\n )\n AND privilege NOT IN ('UNLIMITED TABLESPACE'\n , 'REFERENCES', 'INDEX', 'SYSDBA', 'SYSOPER'\n )\n ORDER BY 1, 2;\n If any administrative privileges have been assigned directly to a database\n account, this is a finding.\n (The list of special accounts that are excluded from this requirement may not\n be complete. It is expected that the DBA will edit the list to suit local\n circumstances, adding other special accounts as necessary, and removing any\n that are not supposed to be in use in the Oracle deployment that is under\n review.)", + "fix": "Create roles for administrative function assignments. Assign the\n necessary privileges for the administrative functions to a role. Do not assign\n administrative privileges directly to users, except for those that Oracle does\n not permit to be assigned via roles." }, - "code": "control 'V-61683' do\n title 'Use of external executables must be authorized.'\n desc \"Information systems are capable of providing a wide variety of\n functions and services. 
Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plugins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n DBMS's may spawn additional external processes to execute procedures that\n are defined in the DBMS, but stored in external host files (external\n procedures). The spawned process used to execute the external procedure may\n operate within a different OS security context than the DBMS and provide\n unauthorized access to the host system.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000141-DB-000093'\n tag \"gid\": 'V-61683'\n tag \"rid\": 'SV-76173r1_rule'\n tag \"stig_id\": 'O121-C2-011800'\n tag \"fix_id\": 'F-67597r1_fix'\n tag \"cci\": ['CCI-000381']\n tag \"nist\": ['CM-7 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the database for definitions of application executable\n objects stored external to the database.\n\n Determine if there are methods to disable use or access, or to remove\n definitions for external executable objects.\n\n Verify any application executable objects listed are authorized by the ISSO.\n\n If any are not, this is a finding.\n\n - - - - -\n To check for external procedures, execute the following query which 
will\n provide the libraries containing external procedures, the owners of those\n libraries, users that have been granted access to those libraries, and the\n privileges they have been granted. If there are owners other than the owners\n that Oracle provides, then there may be executable objects stored either in the\n database or external to the database that are called by objects in the\n database. Check to see that those owners are authorized to access those\n libraries. If there are users that have been granted access to libraries\n provided by Oracle, check to see that they are authorized to access those\n libraries.\n\n (connect as sysdba)\n set linesize 130\n column library_name format a25\n column name format a15\n column owner format a15\n column grantee format a15\n column privilege format a15\n select library_name,owner, '' grantee, '' privilege\n from dba_libraries where file_spec is not null\n minus\n (\n select library_name,o.name owner, '' grantee, '' privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and l.file_spec is not null\n )\n union all\n select library_name,o.name owner, --obj.obj#,oa.privilege#,\n ge.name grantee,\n tpm.name privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa,\n sys.table_privilege_map tpm\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and tpm.privilege=oa.privilege#\n and l.file_spec is not null;\n /\"\n tag \"fix\": \"Disable use of or remove any external application executable\n object definitions that are not authorized.\n\n Revoke privileges granted to users that are not authorized access to external\n applications.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), 
service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n dba_users = sql.query(\"select library_name,owner, '' grantee, '' privilege\n from dba_libraries where file_spec is not null\n minus\n (\n select library_name,o.name owner, '' grantee, '' privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and l.file_spec is not null\n )\n union all\n select library_name,o.name owner, --obj.obj#,oa.privilege#,\n ge.name grantee,\n tpm.name privilege\n from dba_libraries l,\n sys.user$ o,\n sys.user$ ge,\n sys.obj$ obj,\n sys.objauth$ oa,\n sys.table_privilege_map tpm\n where l.owner=o.name\n and obj.owner#=o.user#\n and obj.name=l.library_name\n and oa.obj#=obj.obj#\n and ge.user#=oa.grantee#\n and tpm.privilege=oa.privilege#\n and l.file_spec is not null;\").column('owner').uniq\n if dba_users.empty?\n impact 0.0\n describe 'There are no oracle DBA users, control N/A' do\n skip 'There are no oracle DBA users, control N/A'\n end\n else\n dba_users.each do |user|\n describe \"oracle DBA users: #{user}\" do\n subject { user }\n it { should be_in input('allowed_dbadmin_users') }\n end\n end\n end\nend\n", + "code": "control 'V-61591' do\n title \"Administrative privileges must be assigned to database accounts via\n database roles.\"\n desc \"Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). 
The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n Privileges granted outside the context of the application user job function\n are more likely to go unmanaged or without oversight for authorization.\n Maintenance of privileges using roles defined for discrete job functions offers\n improved oversight of application user privilege assignments and helps to\n protect against unauthorized privilege assignment.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000062-DB-000034'\n tag \"gid\": 'V-61591'\n tag \"rid\": 'SV-76081r3_rule'\n tag \"stig_id\": 'O121-C2-004000'\n tag \"fix_id\": 'F-67507r1_fix'\n tag \"cci\": ['CCI-000366', 'CCI-002220']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"nist\": ['AC-5 c', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review accounts for direct assignment of administrative\n privileges. 
Connected as SYSDBA, run the query:\n SELECT grantee, privilege\n FROM dba_sys_privs\n WHERE grantee IN\n (\n SELECT username\n FROM dba_users\n WHERE username NOT IN\n (\n 'XDB', 'SYSTEM', 'SYS', 'LBACSYS',\n 'DVSYS', 'DVF', 'SYSMAN_RO',\n 'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',\n 'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',\n 'SYSMAN', 'APEX_040200', 'WMSYS',\n 'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',\n 'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',\n 'OLAPSYS', 'SI_INFORMTN_SCHEMA',\n 'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',\n 'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',\n 'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',\n 'DIP', 'CTXSYS', 'AUDSYS',\n 'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',\n 'SPATIAL_CSW_ADMIN_USR', 'SYSKM',\n 'SYSMAN_TYPES', 'MGMT_VIEW',\n 'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'\n )\n )\n AND privilege NOT IN ('UNLIMITED TABLESPACE'\n , 'REFERENCES', 'INDEX', 'SYSDBA', 'SYSOPER'\n )\n ORDER BY 1, 2;\n If any administrative privileges have been assigned directly to a database\n account, this is a finding.\n (The list of special accounts that are excluded from this requirement may not\n be complete. It is expected that the DBA will edit the list to suit local\n circumstances, adding other special accounts as necessary, and removing any\n that are not supposed to be in use in the Oracle deployment that is under\n review.)\"\n tag \"fix\": \"Create roles for administrative function assignments. Assign the\n necessary privileges for the administrative functions to a role. 
Do not assign\n administrative privileges directly to users, except for those that Oracle does\n not permit to be assigned via roles.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n database_accounts_with_administrative_privs = sql.query(\"SELECT grantee\n FROM dba_sys_privs\n WHERE grantee IN\n (\n SELECT username\n FROM dba_users\n WHERE username NOT IN\n (\n 'XDB', 'SYSTEM', 'SYS', 'LBACSYS',\n 'DVSYS', 'DVF', 'SYSMAN_RO',\n 'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',\n 'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',\n 'SYSMAN', 'APEX_040200', 'WMSYS',\n 'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',\n 'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',\n 'OLAPSYS', 'SI_INFORMTN_SCHEMA',\n 'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',\n 'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',\n 'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',\n 'DIP', 'CTXSYS', 'AUDSYS',\n 'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',\n 'SPATIAL_CSW_ADMIN_USR', 'SYSKM',\n 'SYSMAN_TYPES', 'MGMT_VIEW',\n 'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM', 'RDSADMIN'\n )\n )\n AND privilege NOT IN ('UNLIMITED TABLESPACE'\n , 'REFERENCES', 'INDEX', 'SYSDBA', 'SYSOPER'\n );\").column('grantee').uniq\n\n describe 'Database accounts with administrative privileges' do\n subject { database_accounts_with_administrative_privs }\n it { should be_empty }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61683.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61591.rb", "line": 1 }, - "id": "V-61683" + "id": "V-61591" }, { - "title": "Fixed user and public database links must be authorized for use.", - "desc": "Database links define connections that may be used by the local\n database to access remote Oracle databases. 
These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases.", + "title": "The DBMS must notify appropriate individuals when accounts are\n modified.", + "desc": "Once an attacker establishes initial access to a system, they often\n attempt to create a persistent method of re-establishing access. One way to\n accomplish this is for the attacker to modify an existing account for later use.\n\n Notification of account creation is one method and best practice for\n mitigating this risk. A comprehensive account management process will ensure an\n audit trail which documents the creation of application user accounts and\n notifies administrators and/or application owners that they exist. Such a\n process greatly reduces the risk that accounts will be surreptitiously created\n and provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account modification\n within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.", "descriptions": { - "default": "Database links define connections that may be used by the local\n database to access remote Oracle databases. 
These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases." + "default": "Once an attacker establishes initial access to a system, they often\n attempt to create a persistent method of re-establishing access. One way to\n accomplish this is for the attacker to modify an existing account for later use.\n\n Notification of account creation is one method and best practice for\n mitigating this risk. A comprehensive account management process will ensure an\n audit trail which documents the creation of application user accounts and\n notifies administrators and/or application owners that they exist. Such a\n process greatly reduces the risk that accounts will be surreptitiously created\n and provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account modification\n within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity." 
}, - "impact": 0, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61415", - "rid": "SV-75905r2_rule", - "stig_id": "O121-BP-021400", - "fix_id": "F-67331r1_fix", + "gtitle": "SRG-APP-000292-DB-000138", + "gid": "V-61799", + "rid": "SV-76289r2_rule", + "stig_id": "O121-C2-020500", + "fix_id": "F-67715r1_fix", "cci": [ - "CCI-000366" + "CCI-001684" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -1013,35 +1014,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "From SQL*Plus:\n\n select owner||': '||db_link from dba_db_links;\n\n If no records are returned from the first SQL statement, this check is not a\n finding.\n\n Confirm the public and fixed user database links listed are documented in the\n System Security Plan, are authorized by the ISSO, and are used for replication\n or operational system requirements.\n\n If any are not, this is a finding.\n ", - "fix": "Document all authorized connections from the database to remote\n databases in the System Security Plan.\n\n Remove all unauthorized remote database connection definitions from the\n database.\n\n From SQL*Plus:\n\n drop database link [link name];\n OR\n drop public database link [link name];\n\n Review remote database connection definitions periodically and confirm their\n use is still required and authorized." + "check": "Check DBMS settings to determine whether it will notify\n appropriate individuals when accounts are modified.\n\n If the DBMS does not notify appropriate individuals when accounts are modified,\n this is a finding.", + "fix": "Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are modified.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record account-modification activity.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals." 
}, - "code": "control 'V-61415' do\n title 'Fixed user and public database links must be authorized for use.'\n desc \"Database links define connections that may be used by the local\n database to access remote Oracle databases. These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61415'\n tag \"rid\": 'SV-75905r2_rule'\n tag \"stig_id\": 'O121-BP-021400'\n tag \"fix_id\": 'F-67331r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select owner||': '||db_link from dba_db_links;\n\n If no records are returned from the first SQL statement, this check is not a\n finding.\n\n Confirm the public and fixed user database links listed are documented in the\n System Security Plan, are authorized by the ISSO, and are used for replication\n or operational system requirements.\n\n If any are not, this is a finding.\n \"\n tag \"fix\": \"Document all authorized connections from the database to remote\n databases in the System Security Plan.\n\n Remove all unauthorized remote database connection definitions from the\n database.\n\n From SQL*Plus:\n\n drop database link [link name];\n OR\n drop public database link [link name];\n\n Review remote database connection definitions periodically and confirm their\n use is still required and authorized.\"\n\n sql = 
oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n db_links = sql.query('SELECT DB_LINK FROM DBA_DB_LINKS;').column('db_link').uniq\n if db_links.empty?\n impact 0.0\n describe 'There are no oracle database links defined, control N/A' do\n skip 'There are no oracle database links defined, control N/A'\n end\n else\n db_links.each do |link|\n describe \"The defined oracle database link: #{link}\" do\n subject { link }\n it { should be_in input('allowed_db_links') }\n end\n end\n end\nend\n", + "code": "control 'V-61799' do\n title \"The DBMS must notify appropriate individuals when accounts are\n modified.\"\n desc \"Once an attacker establishes initial access to a system, they often\n attempt to create a persistent method of re-establishing access. One way to\n accomplish this is for the attacker to modify an existing account for later use.\n\n Notification of account creation is one method and best practice for\n mitigating this risk. A comprehensive account management process will ensure an\n audit trail which documents the creation of application user accounts and\n notifies administrators and/or application owners that they exist. Such a\n process greatly reduces the risk that accounts will be surreptitiously created\n and provides logging that can be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account modification\n within Oracle. 
Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000292-DB-000138'\n tag \"gid\": 'V-61799'\n tag \"rid\": 'SV-76289r2_rule'\n tag \"stig_id\": 'O121-C2-020500'\n tag \"fix_id\": 'F-67715r1_fix'\n tag \"cci\": ['CCI-001684']\n tag \"nist\": ['AC-2 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings to determine whether it will notify\n appropriate individuals when accounts are modified.\n\n If the DBMS does not notify appropriate individuals when accounts are modified,\n this is a finding.\"\n tag \"fix\": \"Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are modified.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record account-modification activity.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals.\"\n describe 'A manual review is required to ensure the DBMS notifies the appropriate individuals when accounts are\n modified' do\n skip 'A manual review is required to ensure the DBMS notifies the appropriate individuals when accounts are\n modified'\n 
end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61415.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61799.rb", "line": 1 }, - "id": "V-61415" + "id": "V-61799" }, { - "title": "The system must provide the capability to automatically process audit\n records for events of interest based upon selectable event criteria.", - "desc": "Before a security review, information systems and/or applications with\n an audit reduction capability may remove many audit records known to have\n little security significance.\n\n This is generally accomplished by removing records generated by specified\n classes of events, such as records generated by nightly backups.\n\n An audit reduction capability provides support for near real-time audit\n review and analysis based on policy requirements regarding what must be audited\n on the system and after-the-fact investigations of security incidents. It is\n important to recognize audit reduction does not alter original audit records.\n\n Audit reduction and reporting tools do not alter original audit records.\n\n To leverage the complete capability of audit reduction, the application\n must possess the ability to specify and automatically process certain event\n criteria that are selectable in nature. In other words, a system administrator\n (SA) may be performing a manual review of audit data to identify a particular\n problem. The SA has determined that backup activity and network connections\n from a particular host comprise the bulk of the events. However, these events\n are not related to the activity being investigated. 
The application must be\n able to automatically process these audit records for audit reduction purposes\n rather than making the administrator manually process them.\n\n The lack of audit reduction and reporting in a database can require the\n DBA, or others responsible for reviewing audit logs, to sort through large\n amounts of data in order to find relevant records. This can cause important\n audit records to be missed.\n\n Oracle offers the choice of storing audit data internally in database\n tables, or in external files. The WHERE clause in the SELECT statement\n provides the necessary functionality for a table-based audit. For an audit\n based on external files (or for a table-based audit trail archived to external\n files) Oracle Database does not provide tools for retrieving and managing the\n data once written. Therefore, an external tool is needed.", + "title": "The DBMS software libraries must be periodically backed up.", + "desc": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software libraries. 
Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations.", "descriptions": { - "default": "Before a security review, information systems and/or applications with\n an audit reduction capability may remove many audit records known to have\n little security significance.\n\n This is generally accomplished by removing records generated by specified\n classes of events, such as records generated by nightly backups.\n\n An audit reduction capability provides support for near real-time audit\n review and analysis based on policy requirements regarding what must be audited\n on the system and after-the-fact investigations of security incidents. It is\n important to recognize audit reduction does not alter original audit records.\n\n Audit reduction and reporting tools do not alter original audit records.\n\n To leverage the complete capability of audit reduction, the application\n must possess the ability to specify and automatically process certain event\n criteria that are selectable in nature. In other words, a system administrator\n (SA) may be performing a manual review of audit data to identify a particular\n problem. The SA has determined that backup activity and network connections\n from a particular host comprise the bulk of the events. However, these events\n are not related to the activity being investigated. The application must be\n able to automatically process these audit records for audit reduction purposes\n rather than making the administrator manually process them.\n\n The lack of audit reduction and reporting in a database can require the\n DBA, or others responsible for reviewing audit logs, to sort through large\n amounts of data in order to find relevant records. This can cause important\n audit records to be missed.\n\n Oracle offers the choice of storing audit data internally in database\n tables, or in external files. 
The WHERE clause in the SELECT statement\n provides the necessary functionality for a table-based audit. For an audit\n based on external files (or for a table-based audit trail archived to external\n files) Oracle Database does not provide tools for retrieving and managing the\n data once written. Therefore, an external tool is needed." + "default": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software libraries. Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000115-DB-000055", - "gid": "V-61649", - "rid": "SV-76139r2_rule", - "stig_id": "O121-C2-008900", - "fix_id": "F-67563r2_fix", + "gtitle": "SRG-APP-000146-DB-000100", + "gid": "V-61877", + "rid": "SV-76367r1_rule", + "stig_id": "O121-P2-012700", + "fix_id": "F-67793r1_fix", "cci": [ - "CCI-000158" + "CCI-000537" ], "nist": [ - "AU-7 (1)", + "CP-9 (b)", "Rev_4" ], "false_negatives": null, 
@@ -1054,21 +1055,21 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review the system (OS, applications external to Oracle, and/or\n a separate log aggregation and query server) to determine whether it provides\n the ability to automatically process audit records for events based on\n selectable event criteria. If the system does not provide these abilities, they\n may be handled by a separate application.\n\n If the ability to automatically process audit records for events based on\n selectable event criteria does not exist, this is a finding.", - "fix": "Utilize a tool, application or service that provides the ability\n to automatically process audit records for events based on selectable event\n criteria." + "check": "Review evidence of inclusion of the DBMS libraries in current\n backup records.\n\n If any DBMS library files are not included in regular backups, this is a\n finding.", + "fix": "Configure backups to include all DBMS application and third-party\n database application software libraries." }, - "code": "control 'V-61649' do\n title \"The system must provide the capability to automatically process audit\n records for events of interest based upon selectable event criteria.\"\n desc \"Before a security review, information systems and/or applications with\n an audit reduction capability may remove many audit records known to have\n little security significance.\n\n This is generally accomplished by removing records generated by specified\n classes of events, such as records generated by nightly backups.\n\n An audit reduction capability provides support for near real-time audit\n review and analysis based on policy requirements regarding what must be audited\n on the system and after-the-fact investigations of security incidents. 
It is\n important to recognize audit reduction does not alter original audit records.\n\n Audit reduction and reporting tools do not alter original audit records.\n\n To leverage the complete capability of audit reduction, the application\n must possess the ability to specify and automatically process certain event\n criteria that are selectable in nature. In other words, a system administrator\n (SA) may be performing a manual review of audit data to identify a particular\n problem. The SA has determined that backup activity and network connections\n from a particular host comprise the bulk of the events. However, these events\n are not related to the activity being investigated. The application must be\n able to automatically process these audit records for audit reduction purposes\n rather than making the administrator manually process them.\n\n The lack of audit reduction and reporting in a database can require the\n DBA, or others responsible for reviewing audit logs, to sort through large\n amounts of data in order to find relevant records. This can cause important\n audit records to be missed.\n\n Oracle offers the choice of storing audit data internally in database\n tables, or in external files. The WHERE clause in the SELECT statement\n provides the necessary functionality for a table-based audit. For an audit\n based on external files (or for a table-based audit trail archived to external\n files) Oracle Database does not provide tools for retrieving and managing the\n data once written. 
Therefore, an external tool is needed.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000115-DB-000055'\n tag \"gid\": 'V-61649'\n tag \"rid\": 'SV-76139r2_rule'\n tag \"stig_id\": 'O121-C2-008900'\n tag \"fix_id\": 'F-67563r2_fix'\n tag \"cci\": ['CCI-000158']\n tag \"nist\": ['AU-7 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the system (OS, applications external to Oracle, and/or\n a separate log aggregation and query server) to determine whether it provides\n the ability to automatically process audit records for events based on\n selectable event criteria. If the system does not provide these abilities, they\n may be handled by a separate application.\n\n If the ability to automatically process audit records for events based on\n selectable event criteria does not exist, this is a finding.\"\n tag \"fix\": \"Utilize a tool, application or service that provides the ability\n to automatically process audit records for events based on selectable event\n criteria.\"\n describe service('auditd') do\n it { should be_enabled }\n it { should be_running }\n end\nend\n", + "code": "control 'V-61877' do\n title 'The DBMS software libraries must be periodically backed up.'\n desc \"Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software libraries. 
Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000146-DB-000100'\n tag \"gid\": 'V-61877'\n tag \"rid\": 'SV-76367r1_rule'\n tag \"stig_id\": 'O121-P2-012700'\n tag \"fix_id\": 'F-67793r1_fix'\n tag \"cci\": ['CCI-000537']\n tag \"nist\": ['CP-9 (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review evidence of inclusion of the DBMS libraries in current\n backup records.\n\n If any DBMS library files are not included in regular backups, this is a\n finding.\"\n tag \"fix\": \"Configure backups to include all DBMS application and third-party\n database application software libraries.\"\n describe 'A manual review is required to ensure the DBMS software libraries are periodically backed up' do\n skip 'A manual review is required to ensure the DBMS software libraries are periodically backed up'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61649.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61877.rb", "line": 1 }, - "id": "V-61649" + "id": "V-61877" }, { - "title": "The DBMS, when utilizing PKI-based authentication, must validate\n certificates by constructing a certification path with status information to an\n accepted trust anchor.", - "desc": "A trust anchor is an authoritative entity represented via a public key\n and associated data. 
It is used in the context of public key infrastructures,\n X.509 digital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\n becomes the trust anchor; it can be for example a Certification Authority (CA).\n A certification path starts with the Subject certificate and proceeds through a\n number of intermediate certificates up to a trusted root certificate, typically\n issued by a trusted CA.\n\n Path validation is necessary for a relying party to make an informed trust\n decision when presented with any certificate not already explicitly trusted.\n\n Status information for certification paths includes certificate revocation\n lists or online certificate status protocol responses.\n\n Database Management Systems that do not validate certificates to a trust\n anchor are in danger of accepting certificates that are invalid and/or\n counterfeit. This could allow unauthorized access to the database.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS.", + "title": "The directory assigned to the AUDIT_FILE_DEST parameter must be\n protected from unauthorized access and must be stored in a dedicated directory\n or disk partition separate from software or other application files.", + "desc": "The AUDIT_FILE_DEST parameter specifies the directory where the\n database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’,\n ‘xml’ or ‘xml, extended’ where supported by the DBMS). Unauthorized access or\n loss of integrity of the audit trail could result in loss of accountability or\n the ability to detect suspicious\n activity. 
This directory also contains the audit trail of the SYS and\n SYSTEM accounts that captures privileged database events when the database is\n not running (when AUDIT_SYS_OPERATIONS parameter is set to TRUE).", "descriptions": { - "default": "A trust anchor is an authoritative entity represented via a public key\n and associated data. It is used in the context of public key infrastructures,\n X.509 digital certificates, and DNSSEC.\n\n When there is a chain of trust, usually the top entity to be trusted\n becomes the trust anchor; it can be for example a Certification Authority (CA).\n A certification path starts with the Subject certificate and proceeds through a\n number of intermediate certificates up to a trusted root certificate, typically\n issued by a trusted CA.\n\n Path validation is necessary for a relying party to make an informed trust\n decision when presented with any certificate not already explicitly trusted.\n\n Status information for certification paths includes certificate revocation\n lists or online certificate status protocol responses.\n\n Database Management Systems that do not validate certificates to a trust\n anchor are in danger of accepting certificates that are invalid and/or\n counterfeit. This could allow unauthorized access to the database.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS." + "default": "The AUDIT_FILE_DEST parameter specifies the directory where the\n database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’,\n ‘xml’ or ‘xml, extended’ where supported by the DBMS). Unauthorized access or\n loss of integrity of the audit trail could result in loss of accountability or\n the ability to detect suspicious\n activity. 
This directory also contains the audit trail of the SYS and\n SYSTEM accounts that captures privileged database events when the database is\n not running (when AUDIT_SYS_OPERATIONS parameter is set to TRUE)." }, "impact": 0, "refs": [ @@ -1077,16 +1078,16 @@ } ], "tags": { - "gtitle": "SRG-APP-000175-DB-000067", - "gid": "V-61741", - "rid": "SV-76231r3_rule", - "stig_id": "O121-C2-015300", - "fix_id": "F-67657r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61965", + "rid": "SV-76455r3_rule", + "stig_id": "O121-BP-025101", + "fix_id": "F-67885r1_fix", "cci": [ - "CCI-000185" + "CCI-000366" ], "nist": [ - "IA-5 (2) (a)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -1099,35 +1100,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If PKI is not enabled in the Oracle Database, this is not a\n finding.\n\n If all accounts are authenticated by the OS or an enterprise-level\n authentication/access mechanism and not by Oracle, this is not a finding.\n\n Review DBMS configuration to verify the certificates being accepted by the DBMS\n have a valid certification path with status information to an accepted trust\n anchor.\n\n If certification paths are not being validated back to a trust anchor, this is\n a finding.\n\n - - - - -\n The database supports PKI-based authentication by using digital certificates\n over TLS in addition to the native encryption and data integrity capabilities\n of these protocols.\n\n Oracle provides a complete PKI that is based on RSA Security, Inc., Public-Key\n Cryptography Standards, and which interoperates with Oracle servers and\n clients. The database uses a wallet that is a container that is used to store\n authentication and signing credentials, including private keys, certificates,\n and trusted certificates needed by TLS. In an Oracle environment, every entity\n that communicates over TLS must have a wallet containing an X.509 version 3\n certificate, private key, and list of trusted certificates.\n\n If the $ORACLE_HOME/network/admin/sqlnet.ora contains the following entries,\n TLS is installed.\n\n WALLET_LOCATION = (SOURCE= (METHOD = FILE) (METHOD_DATA = DIRECTORY=/wallet)\n\n SSL_CIPHER_SUITES=(SSL_cipher_suiteExample)\n SSL_VERSION = 1.2 or 1.1\n SSL_CLIENT_AUTHENTICATION=TRUE\n\n (Note: This assumes that a single sqlnet.ora file, in the default location, is\n in use. 
Please see the supplemental file \"Non-default sqlnet.ora\n configurations.pdf\" for how to find multiple and/or differently located\n sqlnet.ora files.)\n\n Note: \"SSL_VERSION = 1.2 or 1.1\" is the actual value, not a suggestion to use\n one or the other.", - "fix": "Configure the DBMS to validate certificates by constructing a\n certification path with status information to an accepted trust anchor.\n\n Configure the database to support Transport Layer Security (TLS) protocols and\n the Oracle Wallet to store authentication and signing credentials, including\n private keys." + "check": "If Standard Auditing is used:\n\n From SQL*Plus:\n\n select value from v$parameter where name = 'audit_trail';\n select value from v$parameter where name = 'audit_file_dest';\n\n If audit_trail is NOT set to OS, XML or XML EXTENDED, this is not applicable\n (NA).\n\n If audit_trail is set to OS, but the audit records are routed directly to a\n separate log server without writing to the local file system, this is not a\n finding.\n\n On UNIX Systems:\n\n ls -ld [pathname]\n\n Replace [pathname] with the directory path listed from the above SQL command\n for audit_file_dest.\n\n If permissions are granted for world access, this is a finding.\n\n If any groups that include members other than the Oracle process and software\n owner accounts, DBAs, auditors, or backup accounts are listed, this is a\n finding.\n\n Compare path to $ORACLE_HOME. If audit_file_dest is a subdirectory of\n $ORACLE_HOME, this is a finding.\n\n On Windows Systems (From Windows Explorer):\n\n Browse to the directory specified. Select and right-click on the directory,\n select Properties, select the Security tab. On Windows hosts, records are also\n written to the Windows application event log. The location of the application\n event log is listed under Properties for the log under the Windows console. 
The\n default location is C:\\WINDOWS\\system32\\config\\EventLogs\\AppEvent.Evt.\n\n If permissions are granted to everyone, this is a finding. If any accounts\n other than the Administrators, DBAs, System group, auditors or backup operators\n are listed, this is a finding.\n\n Compare path to %ORACLE_HOME%. If audit_file_dest is a subdirectory of\n %ORACLE_HOME%, this is a finding.\n\n If Unified Auditing is used:\n AUDIT_FILE_DEST parameter is not used in Unified Auditing", + "fix": "For file-based auditing, establish an audit file directory\n separate from the Oracle Home.\n\n Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle\n process and software owner accounts, DBAs, backup accounts, SAs (if required),\n and auditors.\n\n Authorize and document user access requirements to the directory outside of the\n Oracle, DBA, and SA account list in the System Security Plan." }, - "code": " control 'V-61741' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": " control 'V-61965' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61741.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61965.rb", "line": 1 }, - "id": "V-61741" + "id": "V-61965" }, { - "title": "The system must protect audit information from any type of\n unauthorized 
access.", - "desc": "If audit data were to become compromised, then competent forensic\n analysis and discovery of the true source of potentially malicious system\n activity is difficult, if not impossible, to achieve. In addition, access to\n audit records provides information an attacker could potentially use to his or\n her advantage.\n\n To ensure the veracity of audit data, the information system and/or the\n application must protect audit information from any and all unauthorized\n access. This includes read, write, copy, etc.\n\n This requirement can be achieved through multiple methods which will depend\n upon system architecture and design. Some commonly employed methods include\n ensuring log files enjoy the proper file system permissions utilizing file\n system protections and limiting log data location.\n\n Additionally, applications with user interfaces to audit records must not\n allow for the unfettered manipulation of or access to those records via the\n application. If the application provides access to the audit data, the\n application becomes accountable for ensuring that audit information is\n protected from unauthorized access.\n\n Audit information includes all information (e.g., audit records, audit\n settings, and audit reports) needed to successfully audit information system\n activity.", + "title": "Network client connections must be restricted to supported versions.", + "desc": "Unsupported Oracle network client installations may introduce\n vulnerabilities to the database. Restriction to use of supported versions helps\n to protect the database and helps to enforce newer, more robust security\n controls.", "descriptions": { - "default": "If audit data were to become compromised, then competent forensic\n analysis and discovery of the true source of potentially malicious system\n activity is difficult, if not impossible, to achieve. 
In addition, access to\n audit records provides information an attacker could potentially use to his or\n her advantage.\n\n To ensure the veracity of audit data, the information system and/or the\n application must protect audit information from any and all unauthorized\n access. This includes read, write, copy, etc.\n\n This requirement can be achieved through multiple methods which will depend\n upon system architecture and design. Some commonly employed methods include\n ensuring log files enjoy the proper file system permissions utilizing file\n system protections and limiting log data location.\n\n Additionally, applications with user interfaces to audit records must not\n allow for the unfettered manipulation of or access to those records via the\n application. If the application provides access to the audit data, the\n application becomes accountable for ensuring that audit information is\n protected from unauthorized access.\n\n Audit information includes all information (e.g., audit records, audit\n settings, and audit reports) needed to successfully audit information system\n activity." + "default": "Unsupported Oracle network client installations may introduce\n vulnerabilities to the database. Restriction to use of supported versions helps\n to protect the database and helps to enforce newer, more robust security\n controls." }, "impact": 0, - "refs": [], + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000118-DB-000059", - "gid": "V-61653", - "rid": "SV-76143r2_rule", - "stig_id": "O121-C2-009300", - "fix_id": "F-67567r3_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61535", + "rid": "SV-76025r2_rule", + "stig_id": "O121-BP-026600", + "fix_id": "F-67451r1_fix", "cci": [ - "CCI-000162" + "CCI-000366" ], "nist": [ - "AU-9", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
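Review bot: The new `"refs"` value at the end of this hunk, `[ { "ref": [] } ]`, is a list whose single entry is an object holding an empty array, so anything that iterates the baseline's references sees one reference with nothing in it. The removed `"refs": []` expressed the same absence without the placeholder object, and I would keep that shape, `"refs": [],`, unless the ingestion tool genuinely needs a per-entry wrapper. The same empty-wrapper shape is introduced in the hunks at -1140 and -1181.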
@@ -1140,35 +1145,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review locations of audit logs, both internal to the database\n and database audit logs located at the operating system-level. Verify there are\n appropriate controls and permissions to protect the audit information from\n unauthorized access.\n\n If appropriate controls and permissions do not exist, this is a finding.\n\n - - - - -\n If Standard Auditing is used:\n DBA_TAB_PRIVS describes all object grants in the database. Check to see who\n has permissions on the AUD$ table.\n\n Related View\n\n DBA_TAB_PRIVS describes the object grants for which the current user is the\n object owner, grantor, or grantee.\n Column Datatype NULL Description\n GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted\n OWNER VARCHAR2(30) NOT NULL Owner of the object\n TABLE_NAME VARCHAR2(30) NOT NULL Name of the object\n GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant\n PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object\n GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the\n GRANT OPTION (YES) or not (NO)\n HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the\n HIERARCHY OPTION (YES) or not (NO)\n COMMON VARCHAR2(3)\n TYPE VARCHAR2(24)\n\n sqlplus connect as sysdba;\n\n SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where table_name = 'AUD$';\n\n If Unified Auditing is used:\n DBA_TAB_PRIVS describes all object grants in the database. 
Check to see who\n has permissions on the AUDSYS tables.\n\n Related View\n\n DBA_TAB_PRIVS describes the object grants for which the current user is the\n object owner, grantor, or grantee.\n Column Datatype NULL Description\n GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was\n granted\n OWNER VARCHAR2(30) NOT NULL Owner of the object\n TABLE_NAME VARCHAR2(30) NOT NULL Name of the object\n GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant\n PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object\n GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with\n the GRANT OPTION (YES) or not (NO)\n HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with\n the HIERARCHY OPTION (YES) or not (NO)\n COMMON VARCHAR2(3)\n TYPE VARCHAR2(24)\n\n sqlplus connect as sysdba;\n\n SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where owner='AUDSYS';", - "fix": "Add controls and modify permissions to protect database audit log\n data from unauthorized access, whether stored in the database itself or at the\n OS level." + "check": "Note: The SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated\n in Oracle Database 12c. This parameter has been replaced with two new Oracle\n Net Services parameters:\n\n SQLNET.ALLOWED_LOGON_VERSION_SERVER\n SQLNET.ALLOWED_LOGON_VERSION_CLIENT\n\n View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory or the\n directory specified in the TNS_ADMIN environment variable. 
(Please see the\n supplemental file \"Non-default sqlnet.ora configurations.pdf\" for how to find\n multiple and/or differently located sqlnet.ora files.)\n\n Locate the following entries:\n\n SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11\n SQLNET.ALLOWED_LOGON_VERSION_CLIENT=11\n\n If the parameters do not exist, this is a finding.\n\n If the parameters are not set to a value of 11 or higher, this is a finding.\n\n Note: Attempting to connect with a client version lower than specified in these\n parameters may result in a misleading error:\n ORA-01017: invalid username/password: logon denied", + "fix": "Edit the SQLNET.ORA file to add or edit the entries:\n\n SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11\n SQLNET.ALLOWED_LOGON_VERSION_CLIENT=11\n\n Set the value to 11 or higher.\n Valid values for SQLNET.ALLOWED_LOGON_VERSION_SERVER are: 8,9,10,11,12 and 12a\n\n Valid values for SQLNET.ALLOWED_LOGON_VERSION_CLIENT are: 8,10,11,12 and 12a\n\n For more information on sqlnet.ora parameters refer to the following document:\n \"Database Net Services Reference\"\n http://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF006" }, - "code": "control 'V-61653' do\n title \"The system must protect audit information from any type of\n unauthorized access.\"\n desc \"If audit data were to become compromised, then competent forensic\n analysis and discovery of the true source of potentially malicious system\n activity is difficult, if not impossible, to achieve. In addition, access to\n audit records provides information an attacker could potentially use to his or\n her advantage.\n\n To ensure the veracity of audit data, the information system and/or the\n application must protect audit information from any and all unauthorized\n access. This includes read, write, copy, etc.\n\n This requirement can be achieved through multiple methods which will depend\n upon system architecture and design. 
Some commonly employed methods include\n ensuring log files enjoy the proper file system permissions utilizing file\n system protections and limiting log data location.\n\n Additionally, applications with user interfaces to audit records must not\n allow for the unfettered manipulation of or access to those records via the\n application. If the application provides access to the audit data, the\n application becomes accountable for ensuring that audit information is\n protected from unauthorized access.\n\n Audit information includes all information (e.g., audit records, audit\n settings, and audit reports) needed to successfully audit information system\n activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000118-DB-000059'\n tag \"gid\": 'V-61653'\n tag \"rid\": 'SV-76143r2_rule'\n tag \"stig_id\": 'O121-C2-009300'\n tag \"fix_id\": 'F-67567r3_fix'\n tag \"cci\": ['CCI-000162']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review locations of audit logs, both internal to the database\n and database audit logs located at the operating system-level. Verify there are\n appropriate controls and permissions to protect the audit information from\n unauthorized access.\n\n If appropriate controls and permissions do not exist, this is a finding.\n\n - - - - -\n If Standard Auditing is used:\n DBA_TAB_PRIVS describes all object grants in the database. 
Check to see who\n has permissions on the AUD$ table.\n\n Related View\n\n DBA_TAB_PRIVS describes the object grants for which the current user is the\n object owner, grantor, or grantee.\n Column Datatype NULL Description\n GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was granted\n OWNER VARCHAR2(30) NOT NULL Owner of the object\n TABLE_NAME VARCHAR2(30) NOT NULL Name of the object\n GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant\n PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object\n GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with the\n GRANT OPTION (YES) or not (NO)\n HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with the\n HIERARCHY OPTION (YES) or not (NO)\n COMMON VARCHAR2(3)\n TYPE VARCHAR2(24)\n\n sqlplus connect as sysdba;\n\n SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where table_name = 'AUD$';\n\n If Unified Auditing is used:\n DBA_TAB_PRIVS describes all object grants in the database. 
Check to see who\n has permissions on the AUDSYS tables.\n\n Related View\n\n DBA_TAB_PRIVS describes the object grants for which the current user is the\n object owner, grantor, or grantee.\n Column Datatype NULL Description\n GRANTEE VARCHAR2(30) NOT NULL Name of the user to whom access was\n granted\n OWNER VARCHAR2(30) NOT NULL Owner of the object\n TABLE_NAME VARCHAR2(30) NOT NULL Name of the object\n GRANTOR VARCHAR2(30) NOT NULL Name of the user who performed the grant\n PRIVILEGE VARCHAR2(40) NOT NULL Privilege on the object\n GRANTABLE VARCHAR2(3) Indicates whether the privilege was granted with\n the GRANT OPTION (YES) or not (NO)\n HIERARCHY VARCHAR2(3) Indicates whether the privilege was granted with\n the HIERARCHY OPTION (YES) or not (NO)\n COMMON VARCHAR2(3)\n TYPE VARCHAR2(24)\n\n sqlplus connect as sysdba;\n\n SQL> SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where owner='AUDSYS';\"\n tag \"fix\": \"Add controls and modify permissions to protect database audit log\n data from unauthorized access, whether stored in the database itself or at the\n OS level.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n users_allowed_access_to_audit_info = sql.query(\"SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where owner='AUDSYS';\").column('grantee').uniq\n if users_allowed_access_to_audit_info.empty?\n impact 0.0\n describe 'There are no oracle users allowed access to audit information, control N/A' do\n skip 'There are no oracle users allowed access to audit information'\n end\n else\n users_allowed_access_to_audit_info.each do |user|\n describe \"oracle users: #{user} allowed access to audit information\" do\n subject { user }\n it { should be_in input('allowed_audit_users') }\n end\n end\n end\nend\n", + "code": " control 'V-61535' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, 
as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61653.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61535.rb", "line": 1 }, - "id": "V-61653" + "id": "V-61535" }, { - "title": "DBMS must conduct backups of system-level information per\n organization-defined frequency that is consistent with recovery time and\n recovery point objectives.", - "desc": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n Databases that do not back up information regularly risk the loss of that\n information in the event of a system failure. Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss.", + "title": "The DBMS, when the maximum number of unsuccessful logon attempts is\n exceeded, must automatically lock the account/node until released by an\n administrator.", + "desc": "Anytime an authentication method is exposed, to allow for the\n utilization of an application, there is a risk that attempts will be made to\n obtain unauthorized access.\n\n To defeat these attempts, organizations define the number of times a user\n account may consecutively fail a logon attempt. 
The organization also defines\n the period of time in which these consecutive failed attempts may occur.\n\n By limiting the number of failed logon attempts, the risk of unauthorized\n system access via user password guessing, otherwise known as brute forcing, is\n reduced. Limits are imposed by locking the account.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", "descriptions": { - "default": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n Databases that do not back up information regularly risk the loss of that\n information in the event of a system failure. Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss." + "default": "Anytime an authentication method is exposed, to allow for the\n utilization of an application, there is a risk that attempts will be made to\n obtain unauthorized access.\n\n To defeat these attempts, organizations define the number of times a user\n account may consecutively fail a logon attempt. The organization also defines\n the period of time in which these consecutive failed attempts may occur.\n\n By limiting the number of failed logon attempts, the risk of unauthorized\n system access via user password guessing, otherwise known as brute forcing, is\n reduced. 
Limits are imposed by locking the account.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle."
 },
 "impact": 0.5,
- "refs": [],
+ "refs": [
+ {
+ "ref": []
+ }
+ ],
 "tags": {
- "gtitle": "SRG-APP-000146-DB-000099",
- "gid": "V-61701",
- "rid": "SV-76191r1_rule",
- "stig_id": "O121-C2-012600",
- "fix_id": "F-67617r1_fix",
+ "gtitle": "SRG-APP-000067-DB-000026",
+ "gid": "V-61607",
+ "rid": "SV-76097r2_rule",
+ "stig_id": "O121-C2-005200",
+ "fix_id": "F-67523r1_fix",
 "cci": [
- "CCI-000537"
+ "CCI-000366"
 ],
 "nist": [
- "CP-9 (b)",
+ "CM-6 b",
 "Rev_4"
 ],
 "false_negatives": null,
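Review bot: The new `code` string for V-61535 near the end of this hunk disposes of the control as not applicable because "aws manages the operating system", but the check text it accompanies reads `SQLNET.ALLOWED_LOGON_VERSION_SERVER` and `SQLNET.ALLOWED_LOGON_VERSION_CLIENT` from sqlnet.ora, which are Oracle Net settings rather than host settings. As far as I know RDS for Oracle exposes these sqlnet parameters through the DB parameter group, so the minimum logon version is still under the customer's control and the blanket skip silently drops coverage of the one setting the STIG text says keeps unsupported client versions off the database. If the value really cannot be inspected from inside the instance, the skip message should say that rather than cite the operating system; otherwise the control should compare the configured value with the STIG floor of 11 instead of skipping. The identical rationale string is reused for V-61965 in the previous hunk, where it does fit because that check is about OS directory permissions on AUDIT_FILE_DEST.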
@@ -1181,35 +1190,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review DBMS and OS backup configuration to determine that\n system-level data is backed up in according with organization-defined frequency.\n\n If the system-level data of the DBMS is not backed up to the\n organization-defined frequency, this is a finding.", - "fix": "Utilize DBMS, OS, or third-party product(s) to meet the\n requirement of backing up system data according to the organization-defined\n frequency." + "check": "(This addresses both O121-C2-005000 and O121-C2-005200.)\n\n The limit on the number of consecutive failed logon attempts is defined in the\n profile assigned to a user.\n\n To see what profile is assigned to a user, enter the following query:\n\n SQL>SELECT profile FROM dba_users WHERE username = ''\n\n This will return the profile name assigned to that user.\n\n The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle\n 12.1.0.2) to satisfy the STIG requirements pertaining to the profile\n parameters. Oracle recommends that this profile be customized with any\n site-specific requirements and assigned to all users where applicable. Note:\n It remains necessary to create a customized replacement for the password\n validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this\n technique to verify password complexity.\n\n Now check the values assigned to the profile returned from the query above:\n\n column profile format a20\n column limit format a20\n SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n 'ORA_STIG_PROFILE';\n\n Check the settings for failed_login_attempts - this is the number of\n consecutive failed logon attempts before locking the Oracle user account. 
If\n the value is greater than 3, this is a finding.", + "fix": "(This addresses both O121-C2-005000 and O121-C2-005200.)\n\n Configure the DBMS settings to specify the maximum number of consecutive failed\n logon attempts to 3 (or less):\n ALTER PROFILE ORA_STIG_PROFILE LIMIT FAILED_LOGIN_ATTEMPTS 3;" }, - "code": "control 'V-61701' do\n title \"DBMS must conduct backups of system-level information per\n organization-defined frequency that is consistent with recovery time and\n recovery point objectives.\"\n desc \"Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n Databases that do not back up information regularly risk the loss of that\n information in the event of a system failure. Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000146-DB-000099'\n tag \"gid\": 'V-61701'\n tag \"rid\": 'SV-76191r1_rule'\n tag \"stig_id\": 'O121-C2-012600'\n tag \"fix_id\": 'F-67617r1_fix'\n tag \"cci\": ['CCI-000537']\n tag \"nist\": ['CP-9 (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS and OS backup configuration to determine that\n system-level data is backed up in according with organization-defined frequency.\n\n If the system-level data of the DBMS is not backed up to the\n organization-defined frequency, this is a finding.\"\n tag 
\"fix\": \"Utilize DBMS, OS, or third-party product(s) to meet the\n requirement of backing up system data according to the organization-defined\n frequency.\"\n describe 'A manual is required to ensure the DBMS conducts backups of system-level information per\n organization-defined frequency that is consistent with recovery time and\n recovery point objectives' do\n skip 'A manual is required to ensure the DBMS conducts backups of system-level information per\n organization-defined frequency that is consistent with recovery time and\n recovery point objectives'\n end\nend\n", + "code": " control 'V-61607' do\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n \n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS'\n }\n \n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n \n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_lock_time = sql.query(format(query, profile: profile)).column('limit')\n \n describe \"The oracle database limit for failed login attempts for profile: #{profile}\" do\n subject { password_lock_time }\n it { should cmp <= input('failed_logon_attempts') }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61701.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61607.rb", "line": 1 }, - "id": "V-61701" + "id": "V-61607" }, { - "title": "The DBMS must support the requirement to back up audit data and\n records onto a different system or media than the system being audited on an\n organization-defined 
frequency.", - "desc": "Protection of log data includes assuring log data is not accidentally\n lost or deleted. Backing up audit records to a different system or onto media\n separate from the system being audited on an organizational-defined frequency\n helps to assure, in the event of a catastrophic system failure, the audit\n records will be retained.", + "title": "Remote administrative access to the database must be monitored by the\n ISSO or ISSM.", + "desc": "Remote administrative access to systems provides a path for access to\n and exploit of DBA privileges. Where the risk has been accepted to allow remote\n administrative access, it is imperative to instate increased monitoring of this\n access to detect any abuse or compromise.", "descriptions": { - "default": "Protection of log data includes assuring log data is not accidentally\n lost or deleted. Backing up audit records to a different system or onto media\n separate from the system being audited on an organizational-defined frequency\n helps to assure, in the event of a catastrophic system failure, the audit\n records will be retained." + "default": "Remote administrative access to systems provides a path for access to\n and exploit of DBA privileges. Where the risk has been accepted to allow remote\n administrative access, it is imperative to instate increased monitoring of this\n access to detect any abuse or compromise." }, - "impact": 0.5, - "refs": [], + "impact": 0, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000125-DB-000170", - "gid": "V-61665", - "rid": "SV-76155r1_rule", - "stig_id": "O121-C2-010000", - "fix_id": "F-67579r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61493", + "rid": "SV-75983r1_rule", + "stig_id": "O121-BP-024400", + "fix_id": "F-67409r1_fix", "cci": [ - "CCI-001348" + "CCI-000366" ], "nist": [ - "AU-9 (2)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
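Review bot: The new `code` string for V-61607 in this hunk builds its query with `format(query, profile: profile)` while the template uses a positional `'%s'`; Ruby's `format` only binds a hash argument to `%{name}`/`%<name>s` references, so with `%s` the whole hash is stringified into the literal, the query matches no profile, and `password_lock_time` is empty when the `cmp <=` expectation runs, meaning the real FAILED_LOGIN_ATTEMPTS limit is never compared. Changing the template line to `'%<profile>s' AND RESOURCE_NAME = 'FAILED_LOGIN_ATTEMPTS'` fixes the binding, and the local would read better as `failed_login_limit`, since it holds an attempt count rather than a lock time. Even with the fix, DBA_PROFILES reports `DEFAULT` (inherited from the DEFAULT profile) or `UNLIMITED` as the limit for some profiles, and a numeric `cmp <=` cannot resolve those strings, so the loop should resolve `DEFAULT` against the DEFAULT profile's value and treat `UNLIMITED` as a finding explicitly. The new `check` text also carries `WHERE username = ''` where the STIG's username placeholder was evidently stripped during ingestion, which will confuse anyone reading the procedure.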
@@ -1222,35 +1235,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check with the database administrator, storage administrator or\n system administrator, as applicable at the site, to verify that Oracle is\n configured EITHER to perform backups of the audit data specifically, OR, with\n appropriate permissions granted, to permit a third-party tool to do so. Test\n the backup process. Test the restore process (using a non-production system as\n the target).\n\n If Oracle is not so configured, this is a finding.\n\n If the test run of the backup and restore fails, this is a finding.", - "fix": "Utilize DBMS features or other software that supports the ability\n to back up audit data and records onto a system or media different from the\n system being audited on an organization-defined frequency.\n\n EITHER use Oracle features (such as Backup or Data Pump) to perform backups of\n the audit data specifically, OR grant appropriate permissions to permit a\n third-party tool to do so." + "check": "If remote administrative access to the database is prohibited\n and is disabled, this check is not a finding.\n\n Review policy, procedure and evidence of implementation for monitoring of\n remote administrative access to the database.\n\n If monitoring procedures for remote administrative access are not documented or\n implemented, this is a finding.", + "fix": "Develop, document and implement policy and procedures to monitor\n remote administrative access to the DBMS.\n\n The automated generation of a log report with automatic dissemination to the\n ISSO/ISSM may be used.\n\n Require and store an acknowledgement of receipt and confirmation of review for\n the log report." 
}, - "code": "control 'V-61665' do\n title \"The DBMS must support the requirement to back up audit data and\n records onto a different system or media than the system being audited on an\n organization-defined frequency.\"\n desc \"Protection of log data includes assuring log data is not accidentally\n lost or deleted. Backing up audit records to a different system or onto media\n separate from the system being audited on an organizational-defined frequency\n helps to assure, in the event of a catastrophic system failure, the audit\n records will be retained.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000125-DB-000170'\n tag \"gid\": 'V-61665'\n tag \"rid\": 'SV-76155r1_rule'\n tag \"stig_id\": 'O121-C2-010000'\n tag \"fix_id\": 'F-67579r1_fix'\n tag \"cci\": ['CCI-001348']\n tag \"nist\": ['AU-9 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check with the database administrator, storage administrator or\n system administrator, as applicable at the site, to verify that Oracle is\n configured EITHER to perform backups of the audit data specifically, OR, with\n appropriate permissions granted, to permit a third-party tool to do so. Test\n the backup process. 
Test the restore process (using a non-production system as\n the target).\n\n If Oracle is not so configured, this is a finding.\n\n If the test run of the backup and restore fails, this is a finding.\"\n tag \"fix\": \"Utilize DBMS features or other software that supports the ability\n to back up audit data and records onto a system or media different from the\n system being audited on an organization-defined frequency.\n\n EITHER use Oracle features (such as Backup or Data Pump) to perform backups of\n the audit data specifically, OR grant appropriate permissions to permit a\n third-party tool to do so.\"\n describe 'A manual review is required to ensure the DBMS supports the requirement to back up audit data and\n records onto a different system or media than the system being audited on an\n organization-defined frequency' do\n skip 'A manual review is required to ensure the DBMS supports the requirement to back up audit data and\n records onto a different system or media than the system being audited on an\n organization-defined frequency'\n end\nend\n", + "code": " control 'V-61493' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61665.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61493.rb", "line": 1 }, - "id": "V-61665" + "id": "V-61493" }, { - "title": "Audit trail data must be retained for at least one year.", - "desc": "Without preservation, a complete discovery of an attack or suspicious\n activity may not be determined. 
DBMS audit data also contributes to the\n complete investigation of unauthorized activity and needs to be included in\n audit retention plans and procedures.", + "title": "The DBMS must enforce password maximum lifetime restrictions.", + "desc": "Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle.", "descriptions": { - "default": "Without preservation, a complete discovery of an attack or suspicious\n activity may not be determined. DBMS audit data also contributes to the\n complete investigation of unauthorized activity and needs to be included in\n audit retention plans and procedures." 
+ "default": "Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61409", - "rid": "SV-75899r1_rule", - "stig_id": "O121-BP-021100", - "fix_id": "F-67325r1_fix", + "gtitle": "SRG-APP-000174-DB-000080", + "gid": "V-61739", + "rid": "SV-76229r3_rule", + "stig_id": "O121-C2-015200", + "fix_id": "F-67655r5_fix", "cci": [ - "CCI-000366" + "CCI-000199" ], "nist": [ - "CM-6 b", + "IA-5 (1) (d)", "Rev_4" ], "false_negatives": null, 
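Review bot: The NA rationale in V-61493's control body on the new side, `'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'`, does not match the requirement this hunk introduces: per the `check` text, V-61493 is a policy-and-procedure check for ISSO/ISSM monitoring of remote administrative access, not something tied to the host OS, and on RDS every administrative session is remote, so the requirement applies at least as much as on-premises. Unless the profile has a separate, documented reason for marking it NA, it should keep `impact 0.5` and use a manual-review skip in the style of the other manual controls in this file, e.g. `describe 'A manual review is required to ensure remote administrative access to the database is monitored by the ISSO or ISSM' do` / `skip '...'`, and carry the `title`/`desc`/`tag` lines the other control bodies include. Separately, the shape of `refs` differs between controls on the new side (`[ { "ref": [] } ]` here versus `[]` elsewhere); that is probably an artifact of the source profile, but any consumer iterating `refs[*].ref` should expect both forms.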
@@ -1263,39 +1276,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review and verify the implementation of an audit trail\n retention policy.\n\n Verify that audit data is maintained for a minimum of one year.\n\n If audit data is not maintained for a minimum of one year, this is a finding.", - "fix": "Develop, document and implement an audit retention policy and\n procedures.\n\n It is recommended that the most recent thirty days of audit logs remain\n available online.\n\n After thirty days, the audit logs may be maintained off-line.\n\n Online maintenance provides for a more timely capability and inclination to\n investigate suspicious activity." + "check": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n Review DBMS settings to determine if passwords must be changed periodically. If\n not, this is a finding:\n\n SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\n\n If the “effective_life_time” is greater than “60” for any profile applied to\n user accounts, and the need for this has not been documented and approved by\n the ISSO, this is a finding.\n\n If the value is greater than 35 
for any profile applied to user accounts, and\n the DBMS is configured to use Password Lifetime to disable inactive accounts,\n this is a finding.", + "fix": "For user accounts managed by Oracle: Modify DBMS settings to\n force users to periodically change their passwords. For example, using PPPPPP\n to stand for a profile name:\n ALTER PROFILE PPPPPP LIMIT PASSWORD_LIFE_TIME 35 PASSWORD_GRACE_TIME 0;\n Do this for each profile applied to user accounts.\n\n (Note: Although the DoD requirement is for a password change every 60 days,\n using a value of “35” facilitates the use of “PASSWORD_LIFE_TIME” as a means of\n locking accounts inactive for 35 days. But if “35” is not a practical or\n acceptable limit for password lifetime, set it to the standard DoD value of\n “60”.)\n\n Where a password lifetime longer than “60” is needed, document the reasons and\n obtain ISSO approval." }, - "code": "control 'V-61409' do\n title 'Audit trail data must be retained for at least one year.'\n desc \"Without preservation, a complete discovery of an attack or suspicious\n activity may not be determined. 
DBMS audit data also contributes to the\n complete investigation of unauthorized activity and needs to be included in\n audit retention plans and procedures.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61409'\n tag \"rid\": 'SV-75899r1_rule'\n tag \"stig_id\": 'O121-BP-021100'\n tag \"fix_id\": 'F-67325r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review and verify the implementation of an audit trail\n retention policy.\n\n Verify that audit data is maintained for a minimum of one year.\n\n If audit data is not maintained for a minimum of one year, this is a finding.\"\n tag \"fix\": \"Develop, document and implement an audit retention policy and\n procedures.\n\n It is recommended that the most recent thirty days of audit logs remain\n available online.\n\n After thirty days, the audit logs may be maintained off-line.\n\n Online maintenance provides for a more timely capability and inclination to\n investigate suspicious activity.\"\n describe 'A manual review is required to ensure audit trail data is retained for at least one year' do\n skip 'A manual review is required to ensure audit trail data is retained for at least one year'\n end\nend\n", + "code": "control 'V-61739' do\n title 'The DBMS must enforce password maximum lifetime restrictions.'\n desc \"Password maximum lifetime is the maximum period of time, (typically in\n days) a user's password may be in effect before the user is forced to change it.\n\n Passwords need to be changed at specific policy-based intervals as per\n policy. 
Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\n periodically change them. If the application does not limit the lifetime of\n passwords and force users to change their passwords, there is the risk that the\n system and/or application passwords could be compromised.\n\n The “PASSWORD_LIFE_TIME” parameter defines the number of days a password\n remains valid. This can, but must not be, set to “UNLIMITED”. Further, the\n “PASSWORD_GRACE_TIME” parameter, if set to “UNLIMITED”, can nullify the\n “PASSWORD_LIFE_TIME”. “PASSWORD_GRACE_TIME” must be set to “0” days (or another\n small integer).\n\n Note: User authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. With respect to Oracle, this requirement applies to cases\n where it is necessary to have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000174-DB-000080'\n tag \"gid\": 'V-61739'\n tag \"rid\": 'SV-76229r3_rule'\n tag \"stig_id\": 'O121-C2-015200'\n tag \"fix_id\": 'F-67655r5_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n Review DBMS settings to determine if passwords must be changed periodically. 
If\n not, this is a finding:\n\n SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\n\n If the “effective_life_time” is greater than “60” for any profile applied to\n user accounts, and the need for this has not been documented and approved by\n the ISSO, this is a finding.\n\n If the value is greater than 35 for any profile applied to user accounts, and\n the DBMS is configured to use Password Lifetime to disable inactive accounts,\n this is a finding.\"\n tag \"fix\": \"For user accounts managed by Oracle: Modify DBMS settings to\n force users to periodically change their passwords. For example, using PPPPPP\n to stand for a profile name:\n ALTER PROFILE PPPPPP LIMIT PASSWORD_LIFE_TIME 35 PASSWORD_GRACE_TIME 0;\n Do this for each profile applied to user accounts.\n\n (Note: Although the DoD requirement is for a password change every 60 days,\n using a value of “35” facilitates the use of “PASSWORD_LIFE_TIME” as a means of\n locking accounts inactive for 35 days. 
But if “35” is not a practical or\n acceptable limit for password lifetime, set it to the standard DoD value of\n “60”.)\n\n Where a password lifetime longer than “60” is needed, document the reasons and\n obtain ISSO approval.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n get_effective_life_time = sql.query(\"SELECT p1.profile,\n CASE p1.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p2.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p3.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n CASE p4.limit WHEN 'UNLIMITED' THEN 'UNLIMITED' ELSE\n TO_CHAR(DECODE(p1.limit, 'DEFAULT', p3.limit, p1.limit) + DECODE(p2.limit,\n 'DEFAULT', p4.limit, p2.limit))\n END\n END\n END\n END effective_life_time\n FROM dba_profiles p1, dba_profiles p2, dba_profiles p3, dba_profiles p4\n WHERE p1.profile=p2.profile\n AND p3.profile='DEFAULT'\n AND p4.profile='DEFAULT'\n AND p1.resource_name='PASSWORD_LIFE_TIME'\n AND p2.resource_name='PASSWORD_GRACE_TIME'\n AND p3.resource_name='PASSWORD_LIFE_TIME' -- from DEFAULT profile\n AND p4.resource_name='PASSWORD_GRACE_TIME' -- from DEFAULT profile\n order by 1;\").column('effective_life_time')\n\n get_effective_life_time.each do |effective_life_time|\n\n describe 'The oracle database account effective life time limit' do\n subject { effective_life_time }\n it { should cmp >= 60 }\n end\n end\n describe get_effective_life_time do\n it { should_not be_empty }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61409.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61739.rb", "line": 1 }, - "id": "V-61409" + "id": "V-61739" }, { - "title": "The DBMS must use multifactor authentication for local access to\n privileged accounts.", - "desc": "Multifactor authentication is defined as using two or more factors 
to\n achieve authentication.\n\n Factors include:\n (i) Something a user knows (e.g., password/PIN);\n (ii) Something a user has (e.g., cryptographic identification device,\n token); or\n (iii) Something a user is (e.g., biometric).\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Local Access is defined as access to an organizational information system\n by a user (or process acting on behalf of a user) communicating through a\n direct connection without the use of a network.\n\n The lack of multifactor authentication makes it much easier for an attacker\n to gain unauthorized access to a system.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS.", + "title": "The DBMS must notify appropriate individuals when accounts are\n terminated.", + "desc": "When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must notify the appropriate individuals\n when an account is terminated so they can investigate the event. Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account termination\n within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.", "descriptions": { - "default": "Multifactor authentication is defined as using two or more factors to\n achieve authentication.\n\n Factors include:\n (i) Something a user knows (e.g., password/PIN);\n (ii) Something a user has (e.g., cryptographic identification device,\n token); or\n (iii) Something a user is (e.g., biometric).\n\n A privileged account is defined as an information system account with\n authorizations of a privileged user.\n\n Local Access is defined as access to an organizational information system\n by a user (or process acting on behalf of a user) communicating through a\n direct connection without the use of a network.\n\n The lack of multifactor authentication makes it much easier for an attacker\n to gain unauthorized access to a system.\n\n Transport Layer Security (TLS) is the successor protocol to Secure Sockets\n Layer (SSL). Although the Oracle configuration parameters have names including\n 'SSL', such as SSL_VERSION and SSL_CIPHER_SUITES, they refer to TLS." + "default": "When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must notify the appropriate individuals\n when an account is terminated so they can investigate the event. 
Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account termination\n within Oracle. Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity." }, - "impact": 0, - "refs": [ - { - "ref": [] - } - ], + "impact": 0.5, + "refs": [], "tags": { - "gtitle": "SRG-APP-000151-DB-000106", - "gid": "V-61707", - "rid": "SV-76197r2_rule", - "stig_id": "O121-C2-013100", - "fix_id": "F-67623r1_fix", + "gtitle": "SRG-APP-000294-DB-000129", + "gid": "V-61803", + "rid": "SV-76293r2_rule", + "stig_id": "O121-C2-020700", + "fix_id": "F-67719r1_fix", "cci": [ - "CCI-000767" + "CCI-001686" ], "nist": [ - "IA-2 (3)", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
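Review bot: The assertion in V-61739's control body, `it { should cmp >= 60 }`, is the inverse of the `check` text in the same hunk, which makes any `effective_life_time` greater than 60 a finding; as written, a profile set to the 35-day value the `fix` text recommends fails the control while a 365-day lifetime passes. The comparison should be `it { should cmp <= 60 }` (or an input-backed threshold if the profile declares one, so the 35-day inactivity variant can be expressed without editing the control). The query can also return the literal string `UNLIMITED`, which the numeric `cmp` will presumably reject only with an opaque message, so an explicit `it { should_not cmp 'UNLIMITED' }` expectation per value would make that finding readable in reports. The trailing `describe get_effective_life_time do ... should_not be_empty` guard against an empty result set is fine.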
@@ -1308,40 +1317,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings to determine whether users logging on\n to privileged accounts locally are required to use multifactor authentication.\n\n If users logging on to privileged accounts locally are not required to use\n multifactor authentication, this is a finding.\n\n Use authentication to prove the identities of users who are attempting to log\n on to the database. Authenticating user identity is imperative in distributed\n environments, without which there can be little confidence in network security.\n Passwords are the most common means of authentication. Oracle Database enables\n strong authentication with Oracle authentication adapters that support various\n third-party authentication services, including TLS with digital certificates.\n\n If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the\n following, TLS is enabled.\n (Note: This assumes that a single sqlnet.ora file, in the default location, is\n in use. 
Please see the supplemental file \"Non-default sqlnet.ora\n configurations.pdf\" for how to find multiple and/or differently located\n sqlnet.ora files.)\n\n SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)\n SSL_VERSION = 1.2 or 1.1\n SSL_CLIENT_AUTHENTICATION = TRUE\n WALLET_LOCATION =\n (SOURCE =\n (METHOD = FILE)\n (METHOD_DATA =\n (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)\n )\n )\n\n SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)\n ADR_BASE = /u01/app/oracle\n\n Note: \"SSL_VERSION = 1.2 or 1.1\" is the actual value, not a suggestion to\n use one or the other.", - "fix": "Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to require multifactor authentication for local users logging on to\n privileged accounts.\n\n If appropriate, enable support for Transport Layer Security (TLS) protocols and\n multifactor authentication through the use of Smart Cards (CAC/PIV)." + "check": "Check DBMS settings to determine whether it will notify\n appropriate individuals when accounts are terminated.\n\n If the DBMS does not notify appropriate individuals when accounts are\n terminated, this is a finding.", + "fix": "Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are terminated.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record termination of accounts.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals." 
}, - "code": " control 'V-61707' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61803' do\n title \"The DBMS must notify appropriate individuals when accounts are\n terminated.\"\n desc \"When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events that affect user accessibility and\n application processing, applications must notify the appropriate individuals\n when an account is terminated so they can investigate the event. Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where accounts are\n directly managed by Oracle.\n\n Notwithstanding how accounts are normally managed, the DBMS must support\n the requirement to notify appropriate individuals upon account termination\n within Oracle. 
Indeed, in a configuration where accounts are managed\n externally, the manipulation of an account within Oracle may indicate hostile\n activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000294-DB-000129'\n tag \"gid\": 'V-61803'\n tag \"rid\": 'SV-76293r2_rule'\n tag \"stig_id\": 'O121-C2-020700'\n tag \"fix_id\": 'F-67719r1_fix'\n tag \"cci\": ['CCI-001686']\n tag \"nist\": ['AC-2 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings to determine whether it will notify\n appropriate individuals when accounts are terminated.\n\n If the DBMS does not notify appropriate individuals when accounts are\n terminated, this is a finding.\"\n tag \"fix\": \"Working with the DBA and site management, determine the\n appropriate individuals (by job role) to be notified.\n\n If Oracle Audit Vault is available, configure it to notify the appropriate\n individuals when accounts are terminated.\n\n If Oracle Audit Vault is not available, configure the Oracle DBMS's auditing\n feature to record termination of accounts.\n\n If Standard Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.AUD$ table for these records and notify the appropriate individuals.\n\n If unified Auditing is used:\n Create and deploy a mechanism, such as a frequently-run job, to monitor the\n SYS.UNIFIED_AUDIT_TRAIL view for these records and notify the appropriate\n individuals.\"\n describe 'A manual review is required to ensure the DBMS notifies the appropriate individuals when accounts are\n terminated' do\n skip 'A manual review is required to ensure the DBMS notifies the appropriate individuals when accounts are\n terminated'\n 
end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61707.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61803.rb", "line": 1 }, - "id": "V-61707" + "id": "V-61803" }, { - "title": "The system must verify there have not been unauthorized changes to the\n DBMS software and information.", - "desc": "Organizations are required to employ integrity verification\n applications on information systems to look for evidence of information\n tampering, errors, and omissions. The organization is also required to employ\n good software engineering practices with regard to commercial off-the-shelf\n integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and\n cryptographic hashes), and to use tools to automatically monitor the integrity\n of the information system and the applications it hosts.\n\n The DBMS opens data files and reads configuration files at system startup,\n system shutdown, and during abort recovery efforts. If the DBMS does not verify\n the trustworthiness of these files, it is vulnerable to malicious alterations\n of its configuration or unauthorized replacement of data.", + "title": "The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to\n FALSE.", + "desc": "The _TRACE_FILES_PUBLIC parameter is used to make trace files used for\n debugging database applications and events available to all database users. Use\n of this capability precludes the discrete assignment of privileges based on job\n function. Additionally, its use may provide access to external files and data\n to unauthorized users.", "descriptions": { - "default": "Organizations are required to employ integrity verification\n applications on information systems to look for evidence of information\n tampering, errors, and omissions. 
The organization is also required to employ\n good software engineering practices with regard to commercial off-the-shelf\n integrity mechanisms (e.g., parity checks, cyclical redundancy checks, and\n cryptographic hashes), and to use tools to automatically monitor the integrity\n of the information system and the applications it hosts.\n\n The DBMS opens data files and reads configuration files at system startup,\n system shutdown, and during abort recovery efforts. If the DBMS does not verify\n the trustworthiness of these files, it is vulnerable to malicious alterations\n of its configuration or unauthorized replacement of data." + "default": "The _TRACE_FILES_PUBLIC parameter is used to make trace files used for\n debugging database applications and events available to all database users. Use\n of this capability precludes the discrete assignment of privileges based on job\n function. Additionally, its use may provide access to external files and data\n to unauthorized users." }, - "impact": 0, - "refs": [ - { - "ref": [] - } - ], + "impact": 0.5, + "refs": [], "tags": { - "gtitle": "SRG-APP-000262-DB-000159", - "gid": "V-61787", - "rid": "SV-76277r1_rule", - "stig_id": "O121-C2-019600", - "fix_id": "F-67703r1_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61465", + "rid": "SV-75955r1_rule", + "stig_id": "O121-BP-023900", + "fix_id": "F-67381r1_fix", "cci": [ - "CCI-002716", - "CCI-002718" + "CCI-000366" ], "nist": [ - "SI-7 (6)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -1354,35 +1358,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Verify the DBMS system initialization/parameter files and\n software is included in the configuration of any third-party software or\n custom scripting at the OS level to perform integrity verification.\n\n If neither a third-party application nor the OS is performing integrity\n verification of DBMS system files, this is a finding.", - "fix": "Utilize the OS or a third-party product to perform file\n verification of DBMS system file integrity.\n\n (Using Oracle Configuration Manager with Enterprise Manager, configured to\n perform this verification, is one possible way of satisfying this requirement.)" + "check": "From SQL*Plus:\n\n select value from v$parameter where name = '_trace_files_public';\n\n If the value returned is TRUE, this is a finding.\n\n If the parameter does not exist or is set to FALSE, this is not a finding.", + "fix": "From SQL*Plus (shutdown database instance):\n\n shutdown immediate\n\n From SQL*Plus (create a pfile from spfile):\n\n create pfile='[PATH]init[SID].ora' from spfile;\n\n Edit the init[SID].ora file and remove the following line:\n\n *._trace_files_public=TRUE\n\n From SQL*Plus (update the spfile using the pfile):\n\n create spfile from pfile='[PATH]init[SID].ora';\n\n From SQL*Plus (start the database instance):\n\n startup\n\n Note: [PATH] depends on the platform (Windows or UNIX).\n\n Ensure the file is directed to a writable location.\n\n [SID] is equal to the oracle SID or database instance ID." 
}, - "code": " control 'V-61787' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61465' do\n title \"The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to\n FALSE.\"\n desc \"The _TRACE_FILES_PUBLIC parameter is used to make trace files used for\n debugging database applications and events available to all database users. Use\n of this capability precludes the discrete assignment of privileges based on job\n function. Additionally, its use may provide access to external files and data\n to unauthorized users.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61465'\n tag \"rid\": 'SV-75955r1_rule'\n tag \"stig_id\": 'O121-BP-023900'\n tag \"fix_id\": 'F-67381r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = '_trace_files_public';\n\n If the value returned is TRUE, this is a finding.\n\n If the parameter does not exist or is set to FALSE, this is not a finding.\"\n tag \"fix\": \"From SQL*Plus (shutdown database instance):\n\n shutdown immediate\n\n From SQL*Plus (create a pfile from spfile):\n\n create pfile='[PATH]init[SID].ora' from spfile;\n\n Edit the init[SID].ora file and remove the following line:\n\n *._trace_files_public=TRUE\n\n From SQL*Plus (update the spfile using the pfile):\n\n create spfile 
from pfile='[PATH]init[SID].ora';\n\n From SQL*Plus (start the database instance):\n\n startup\n\n Note: [PATH] depends on the platform (Windows or UNIX).\n\n Ensure the file is directed to a writable location.\n\n [SID] is equal to the oracle SID or database instance ID.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = '_trace_files_public';\").column('value')\n\n describe 'The oracle database _TRACE_FILES_PUBLIC parameter' do\n subject { parameter }\n it { should_not cmp 'TRUE' }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61787.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61465.rb", "line": 1 }, - "id": "V-61787" + "id": "V-61465" }, { - "title": "Audit trail data must be reviewed daily or more frequently.", - "desc": "Review of audit trail data provides a means for detection of\n unauthorized access or attempted access. Frequent and regularly scheduled\n reviews ensure that such access is discovered in a timely manner.", + "title": "Unused database components that are integrated in the DBMS and cannot\n be uninstalled must be disabled.", + "desc": "Information systems are capable of providing a wide variety of\n functions and services. Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. 
Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plug-ins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n Unused, unnecessary DBMS components increase the attack vector for the DBMS\n by introducing additional targets for attack. By minimizing the services and\n applications installed on the system, the number of potential vulnerabilities\n is reduced. Components of the system that are unused and cannot be uninstalled\n must be disabled.", "descriptions": { - "default": "Review of audit trail data provides a means for detection of\n unauthorized access or attempted access. Frequent and regularly scheduled\n reviews ensure that such access is discovered in a timely manner." + "default": "Information systems are capable of providing a wide variety of\n functions and services. Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plug-ins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n Unused, unnecessary DBMS components increase the attack vector for the DBMS\n by introducing additional targets for attack. By minimizing the services and\n applications installed on the system, the number of potential vulnerabilities\n is reduced. Components of the system that are unused and cannot be uninstalled\n must be disabled." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61457", - "rid": "SV-75947r1_rule", - "stig_id": "O121-BP-023500", - "fix_id": "F-67373r2_fix", + "gtitle": "SRG-APP-000141-DB-000092", + "gid": "V-61681", + "rid": "SV-76171r2_rule", + "stig_id": "O121-C2-011700", + "fix_id": "F-67595r3_fix", "cci": [ - "CCI-000366" + "CCI-000381" ], "nist": [ - "CM-6 b", + "CM-7 a", "Rev_4" ], "false_negatives": null, 
@@ -1395,35 +1399,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the database being reviewed is not a production database,\n this check is not a finding.\n\n Review policy and procedures documented or noted in the System Security plan as\n well as evidence of implementation for daily audit trail monitoring.\n\n If policy and procedures are not documented or evidence of implementation is\n not available, this is a finding.", - "fix": "Develop, document and implement policy and procedures to monitor\n audit trail data daily." + "check": "Run this query to check to see what integrated components are\n installed in the database:\n\n SELECT parameter, value\n from v$option\n where parameter in\n (\n 'Data Mining',\n 'Oracle Database Extensions for .NET',\n 'OLAP',\n 'Partitioning',\n 'Real Application Testing'\n );\n\n This will return all of the relevant database options and their status. TRUE\n means that the option is installed. If the option is not installed, the option\n will be set to FALSE.\n\n Review the options and check the system documentation to see what is required.\n If all listed components are authorized to be in use, this is not a finding.\n\n If any unused components or features are listed by the query as TRUE, this is a\n finding.", + "fix": "In the system documentation list the integrated components\n required for operation of applications that will be accessing the DBMS.\n\n For Oracle Database 12.1, only the following components can be enabled/disabled:\n\n Oracle Data Mining (dm)\n Oracle Database Extensions for .NET (ode_net)\n Oracle OLAP (olap)\n Oracle Partitioning (partitioning)\n Real Application Testing (rat)\n\n Use the chopt utility (an Oracle-supplied operating system command that resides\n in the /bin directory) to disable each option that should not\n be available. The command format is\n\n chopt