From 3c9089940a69bec8119761d1b567b28c17661b40 Mon Sep 17 00:00:00 2001
From: MITRE SAF
Date: Fri, 26 Jan 2024 00:05:46 +0000
Subject: [PATCH] Automated ingestion of profiles

Signed-off-by: MITRE SAF
---
 ...rds-oracle-database-12c-stig-baseline.json | 7378 ++++----
 ...onical-ubuntu-16.04-lts-stig-baseline.json | 9620 +++++-----
 ...onical-ubuntu-20.04-lts-stig-baseline.json | 6678 +++----
 ...crunchy-data-postgresql-stig-baseline.json | 3886 ++--
 ...ql-server-2014-database-stig-baseline.json | 1324 +-
 ...ql-server-2014-instance-stig-baseline.json | 3198 ++--
 .../microsoft-windows-10-stig-baseline.json | 10388 +++++------
 ...oft-windows-server-2016-stig-baseline.json | 10628 +++++------
 ...oft-windows-server-2019-stig-baseline.json | 11432 ++++++------
 ...b-enterprise-advanced-3-stig-baseline.json | 1684 +-
 .../data/baselineProfiles/nginx-baseline.json | 1222 +-
 .../nginx-stigready-baseline.json | 3166 ++--
 .../oracle-database-12c-stig-baseline.json | 6834 +++----
 ...time-environment-7-unix-stig-baseline.json | 300 +-
 ...time-environment-8-unix-stig-baseline.json | 454 +-
 .../oracle-mysql-ee-5.7-cis-baseline.json | 1728 +-
 .../baselineProfiles/pgstigcheck-inspec.json | 3898 ++--
 ...dhat-enterprise-linux-6-stig-baseline.json | 9032 +++++-----
 ...dhat-enterprise-linux-7-stig-baseline.json | 11722 ++++++------
 ...dhat-enterprise-linux-8-stig-baseline.json | 14914 ++++++++--------
 ...pplication-platform-6.3-stig-baseline.json | 2292 +--
 ...security-configuration-guide-baseline.json | 232 +-
 22 files changed, 61005 insertions(+), 61005 deletions(-)

diff --git a/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json b/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json
index bd52de6c..fb05519e 100644
--- a/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/aws-rds-oracle-database-12c-stig-baseline.json
@@ -20,24 +20,24 @@ "supports": [], "controls": [ { - "title": "The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA\n or non-Application administrator user accounts.", - "desc": "An account permission to grant privileges within the database is an\n administrative function. Minimizing the number and privileges of administrative\n accounts reduces the chances of privileged account exploitation. Application\n user accounts must never require WITH GRANT OPTION privileges since, by\n definition, they require only privileges to execute procedures or view / edit\n data.", + "title": "The DBMS must isolate security functions from nonsecurity functions by\n means of separate security domains.", + "desc": "Security functions are defined as \"the hardware, software, and/or\n firmware of the information system responsible for enforcing the system\n security policy and supporting the isolation of code and data on which the\n protection is based\".\n\n Developers and implementers can increase the assurance in security\n functions by employing well-defined security policy models, structured,\n disciplined, and rigorous hardware and software development techniques, and\n sound system/security engineering principles.\n\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality must not be commingled with objects\n or code implementing application logic. When security and non-security\n functionality is commingled, users who have access to non-security\n functionality may be able to access security functionality.", "descriptions": { - "default": "An account permission to grant privileges within the database is an\n administrative function. Minimizing the number and privileges of administrative\n accounts reduces the chances of privileged account exploitation. 
Application\n user accounts must never require WITH GRANT OPTION privileges since, by\n definition, they require only privileges to execute procedures or view / edit\n data." + "default": "Security functions are defined as \"the hardware, software, and/or\n firmware of the information system responsible for enforcing the system\n security policy and supporting the isolation of code and data on which the\n protection is based\".\n\n Developers and implementers can increase the assurance in security\n functions by employing well-defined security policy models, structured,\n disciplined, and rigorous hardware and software development techniques, and\n sound system/security engineering principles.\n\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality must not be commingled with objects\n or code implementing application logic. When security and non-security\n functionality is commingled, users who have access to non-security\n functionality may be able to access security functionality." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61421", - "rid": "SV-75911r2_rule", - "stig_id": "O121-BP-021700", - "fix_id": "F-67337r1_fix", + "gtitle": "SRG-APP-000233-DB-000124", + "gid": "V-61775", + "rid": "SV-76265r1_rule", + "stig_id": "O121-C2-018500", + "fix_id": "F-67691r1_fix", "cci": [ - "CCI-000366" + "CCI-001084" ], "nist": [ - "CM-6 b", + "SC-3", "Rev_4" ], "false_negatives": null, 
@@ -50,35 +50,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Execute the query:\n\n select grantee||': '||owner||'.'||table_name\n from dba_tab_privs\n where grantable = 'YES'\n and grantee not in (select distinct owner from dba_objects)\n and grantee not in (select grantee from dba_role_privs where granted_role =\n 'DBA')\n order by grantee;\n\n If any accounts are listed, this is a finding.", - "fix": "Revoke privileges granted the WITH GRANT OPTION from non-DBA and\n accounts that do not own application objects.\n\n Re-grant privileges without specifying WITH GRANT OPTION." + "check": "Check DBMS settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n\n If security-related database objects or code are not kept separate, this is a\n finding.\n\n The Oracle elements of security functionality, such as the roles, permissions,\n and profiles, along with password complexity requirements, are stored in\n separate schemas in the database. Review any site-specific applications\n security modules built into the database and determine what schema they are\n located in and take appropriate action. The Oracle objects will be in the\n Oracle Data Dictionary.", + "fix": "Locate security-related database objects and code in a separate\n database, schema, or other separate security domain from database objects and\n code implementing application logic. (This is the default behavior for\n Oracle.) Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action." 
}, - "code": "control 'V-61421' do\n title \"The Oracle WITH GRANT OPTION privilege must not be granted to non-DBA\n or non-Application administrator user accounts.\"\n desc \"An account permission to grant privileges within the database is an\n administrative function. Minimizing the number and privileges of administrative\n accounts reduces the chances of privileged account exploitation. Application\n user accounts must never require WITH GRANT OPTION privileges since, by\n definition, they require only privileges to execute procedures or view / edit\n data.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61421'\n tag \"rid\": 'SV-75911r2_rule'\n tag \"stig_id\": 'O121-BP-021700'\n tag \"fix_id\": 'F-67337r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Execute the query:\n\n select grantee||': '||owner||'.'||table_name\n from dba_tab_privs\n where grantable = 'YES'\n and grantee not in (select distinct owner from dba_objects)\n and grantee not in (select grantee from dba_role_privs where granted_role =\n 'DBA')\n order by grantee;\n\n If any accounts are listed, this is a finding.\"\n tag \"fix\": \"Revoke privileges granted the WITH GRANT OPTION from non-DBA and\n accounts that do not own application objects.\n\n Re-grant privileges without specifying WITH GRANT OPTION.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n describe sql.query(\"select grantee||': '||owner||'.'||table_name\n from dba_tab_privs\n where grantable = 'YES'\n and grantee not in (select 
distinct owner from dba_objects)\n and grantee not in (select grantee from dba_role_privs where granted_role =\n 'DBA')\n order by grantee;\").row(0).column(\"grantee||': '||owner||'.'||table_name\") do\n its('value') { should be_empty }\n end\nend\n", + "code": "control 'V-61775' do\n title \"The DBMS must isolate security functions from nonsecurity functions by\n means of separate security domains.\"\n desc \"Security functions are defined as \\\"the hardware, software, and/or\n firmware of the information system responsible for enforcing the system\n security policy and supporting the isolation of code and data on which the\n protection is based\\\".\n\n Developers and implementers can increase the assurance in security\n functions by employing well-defined security policy models, structured,\n disciplined, and rigorous hardware and software development techniques, and\n sound system/security engineering principles.\n\n Database Management Systems typically separate security functionality from\n non-security functionality via separate databases or schemas. Database objects\n or code implementing security functionality must not be commingled with objects\n or code implementing application logic. 
When security and non-security\n functionality is commingled, users who have access to non-security\n functionality may be able to access security functionality.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000233-DB-000124'\n tag \"gid\": 'V-61775'\n tag \"rid\": 'SV-76265r1_rule'\n tag \"stig_id\": 'O121-C2-018500'\n tag \"fix_id\": 'F-67691r1_fix'\n tag \"cci\": ['CCI-001084']\n tag \"nist\": ['SC-3', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings to determine whether objects or code\n implementing security functionality are located in a separate security domain,\n such as a separate database or schema created specifically for security\n functionality.\n\n If security-related database objects or code are not kept separate, this is a\n finding.\n\n The Oracle elements of security functionality, such as the roles, permissions,\n and profiles, along with password complexity requirements, are stored in\n separate schemas in the database. Review any site-specific applications\n security modules built into the database and determine what schema they are\n located in and take appropriate action. The Oracle objects will be in the\n Oracle Data Dictionary.\"\n tag \"fix\": \"Locate security-related database objects and code in a separate\n database, schema, or other separate security domain from database objects and\n code implementing application logic. (This is the default behavior for\n Oracle.) 
Review any site-specific applications security modules built into the\n database: determine what schema they are located in and take appropriate\n action.\"\n describe 'A manual review is required to ensure the DBMS isolates security functions from nonsecurity functions by\n means of separate security domains' do\n skip 'A manual review is required to ensure the DBMS isolates security functions from nonsecurity functions by\n means of separate security domains'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61421.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61775.rb", "line": 1 }, - "id": "V-61421" + "id": "V-61775" }, { - "title": "The DBMS must only generate error messages that provide information\n necessary for corrective actions without revealing organization-defined\n sensitive or potentially harmful information in error logs and administrative\n messages that could be exploited.", - "desc": "Any application providing too much information in error logs and in\n administrative messages to the screen risks compromising the data and security\n of the application and system. The structure and content of error messages\n needs to be carefully considered by the organization and development team.\n\n The extent to which the application is able to identify and handle error\n conditions is guided by organizational policy and operational requirements.\n Sensitive information includes account numbers, social security numbers, and\n credit card numbers.\n\n Databases can inadvertently provide a wealth of information to an attacker\n through improperly handled error messages. 
In addition to sensitive business or\n personal information, database errors can provide host names, IP addresses,\n user names, and other system information not required for troubleshooting but\n very useful to someone targeting the system.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", + "title": "The DBMS must uniquely identify and authenticate organizational users\n (or processes acting on behalf of organizational users).", + "desc": "To assure accountability and prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication.", "descriptions": { - "default": "Any application providing too much information in error logs and in\n administrative messages to the screen risks compromising the data and security\n of the application and system. 
The structure and content of error messages\n needs to be carefully considered by the organization and development team.\n\n The extent to which the application is able to identify and handle error\n conditions is guided by organizational policy and operational requirements.\n Sensitive information includes account numbers, social security numbers, and\n credit card numbers.\n\n Databases can inadvertently provide a wealth of information to an attacker\n through improperly handled error messages. In addition to sensitive business or\n personal information, database errors can provide host names, IP addresses,\n user names, and other system information not required for troubleshooting but\n very useful to someone targeting the system.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered." 
+ "default": "To assure accountability and prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000266-DB-000162", - "gid": "V-61791", - "rid": "SV-76281r2_rule", - "stig_id": "O121-C2-019900", - "fix_id": "F-67707r1_fix", + "gtitle": "SRG-APP-000148-DB-000103", + "gid": "V-61879", + "rid": "SV-76369r1_rule", + "stig_id": "O121-P2-012800", + "fix_id": "F-67795r1_fix", "cci": [ - "CCI-001312" + "CCI-000764" ], "nist": [ - "SI-11 a", + "IA-2", "Rev_4" ], "false_negatives": null, 
@@ -91,30 +91,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check DBMS settings and custom database and application code to\n verify error messages do not contain information beyond what is needed for\n troubleshooting the issue.\n\n If database errors contain PII data, sensitive business data, or information\n useful for identifying the host system, this is a finding.\n\n Notes on Oracle's approach to this issue: Out of the box, Oracle covers this.\n For example, if a user does not have access to a table, the error is just that\n the table or view does not exist. The Oracle database is not going to display a\n Social Security Number in an error code unless an application is programmed to\n do so. Oracle applications will not expose the actual transactional data to a\n screen. The only way Oracle will capture this information is to enable\n specific logging levels. Custom code would require a review to ensure\n compliance.", - "fix": "Configure DBMS and custom database and application code not to\n divulge sensitive information or information useful for system identification\n in error information." + "check": "Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings, and site practices, to determine\n whether organizational users are uniquely identified and authenticated when\n logging on to the system.\n\n If organizational users are not uniquely identified and authenticated, this is\n a finding.", + "fix": "Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to uniquely identify and authenticate all organizational users who\n log on to the system. Ensure that each user has a separate account from all\n other users." 
}, - "code": "control 'V-61791' do\n title \"The DBMS must only generate error messages that provide information\n necessary for corrective actions without revealing organization-defined\n sensitive or potentially harmful information in error logs and administrative\n messages that could be exploited.\"\n desc \"Any application providing too much information in error logs and in\n administrative messages to the screen risks compromising the data and security\n of the application and system. The structure and content of error messages\n needs to be carefully considered by the organization and development team.\n\n The extent to which the application is able to identify and handle error\n conditions is guided by organizational policy and operational requirements.\n Sensitive information includes account numbers, social security numbers, and\n credit card numbers.\n\n Databases can inadvertently provide a wealth of information to an attacker\n through improperly handled error messages. In addition to sensitive business or\n personal information, database errors can provide host names, IP addresses,\n user names, and other system information not required for troubleshooting but\n very useful to someone targeting the system.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000266-DB-000162'\n tag \"gid\": 'V-61791'\n tag \"rid\": 'SV-76281r2_rule'\n tag \"stig_id\": 'O121-C2-019900'\n tag \"fix_id\": 'F-67707r1_fix'\n tag \"cci\": ['CCI-001312']\n tag \"nist\": ['SI-11 a', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check DBMS settings and custom database and application code to\n verify error messages do not contain information beyond what is needed for\n troubleshooting the issue.\n\n If database errors contain PII data, sensitive business data, or information\n useful for identifying the host system, this is a finding.\n\n Notes on Oracle's approach to this issue: Out of the box, Oracle covers this.\n For example, if a user does not have access to a table, the error is just that\n the table or view does not exist. The Oracle database is not going to display a\n Social Security Number in an error code unless an application is programmed to\n do so. Oracle applications will not expose the actual transactional data to a\n screen. The only way Oracle will capture this information is to enable\n specific logging levels. 
Custom code would require a review to ensure\n compliance.\"\n tag \"fix\": \"Configure DBMS and custom database and application code not to\n divulge sensitive information or information useful for system identification\n in error information.\"\n describe 'A manual review is required to ensure the DBMS only generates error messages that provide information\n necessary for corrective actions without revealing organization-defined\n sensitive or potentially harmful information in error logs and administrative\n messages that could be exploited.' do\n skip 'A manual review is required to ensure the DBMS only generates error messages that provide information\n necessary for corrective actions without revealing organization-defined\n sensitive or potentially harmful information in error logs and administrative\n messages that could be exploited.'\n end\nend\n", + "code": "control 'V-61879' do\n title \"The DBMS must uniquely identify and authenticate organizational users\n (or processes acting on behalf of organizational users).\"\n desc \"To assure accountability and prevent unauthorized access,\n organizational users shall be identified and authenticated.\n\n Organizational users include organizational employees or individuals the\n organization deems to have equivalent status of employees (e.g., contractors,\n guest researchers, individuals from allied nations).\n\n Users (and any processes acting on behalf of users) are uniquely identified\n and authenticated for all accesses other than those accesses explicitly\n identified and documented by the organization which outlines specific user\n actions that can be performed on the information system without identification\n or authentication.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000148-DB-000103'\n tag \"gid\": 'V-61879'\n tag \"rid\": 'SV-76369r1_rule'\n tag \"stig_id\": 'O121-P2-012800'\n tag \"fix_id\": 'F-67795r1_fix'\n tag \"cci\": ['CCI-000764']\n tag \"nist\": ['IA-2', 'Rev_4']\n tag \"false_negatives\": 
nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings, OS settings, and/or enterprise-level\n authentication/access mechanism settings, and site practices, to determine\n whether organizational users are uniquely identified and authenticated when\n logging on to the system.\n\n If organizational users are not uniquely identified and authenticated, this is\n a finding.\"\n tag \"fix\": \"Configure DBMS, OS and/or enterprise-level authentication/access\n mechanism to uniquely identify and authenticate all organizational users who\n log on to the system. Ensure that each user has a separate account from all\n other users.\"\n describe 'A manual review is required to ensure the DBMS uniquely identifies and authenticates organizational users\n (or processes acting on behalf of organizational users).' do\n skip 'A manual review is required to ensure the DBMS uniquely identifies and authenticates organizational users\n (or processes acting on behalf of organizational users).'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61791.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61879.rb", "line": 1 }, - "id": "V-61791" + "id": "V-61879" }, { - "title": "Procedures and restrictions for import of production data to\n development databases must be documented, implemented and followed.", - "desc": "Data export from production databases may include sensitive data.\n Application developers may not be cleared for or have need-to-know to sensitive\n data. 
Any access they may have to production data would be considered\n unauthorized access and subject the sensitive data to unlawful or unauthorized\n disclosure.", + "title": "Application object owner accounts must be disabled when not performing\n installation or maintenance actions.", + "desc": "Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. To help protect the account, it must be enabled only when access is\n required.", "descriptions": { - "default": "Data export from production databases may include sensitive data.\n Application developers may not be cleared for or have need-to-know to sensitive\n data. Any access they may have to production data would be considered\n unauthorized access and subject the sensitive data to unlawful or unauthorized\n disclosure." + "default": "Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. To help protect the account, it must be enabled only when access is\n required." 
}, - "impact": 0.5, + "impact": 0, "refs": [], "tags": { "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61501", - "rid": "SV-75991r1_rule", - "stig_id": "O121-BP-024800", - "fix_id": "F-67417r1_fix", + "gid": "V-61467", + "rid": "SV-75957r4_rule", + "stig_id": "O121-BP-024000", + "fix_id": "F-67383r1_fix", "cci": [ "CCI-000366" ], 
@@ -132,35 +132,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the database being reviewed is not a production database or\n does not contain sensitive data, this check is not a finding.\n\n Review documented policy, procedures and proof of implementation for\n restrictions placed on data exports from the production database.\n\n Policy and procedures should include that only authorized users have access to\n DBMS export utilities and that export data is properly sanitized prior to\n import to a development database.\n\n Policy and procedures may also include that developers be granted the necessary\n clearance and need-to-know prior to import of production data.\n\n If documented policy, procedures and proof of implementation are not present or\n complete, this is a finding.\n\n If methods to sanitize sensitive data are required and not documented or\n followed, this is a finding.", - "fix": "Develop, document and implement policy and procedures that\n provide restrictions for production data export.\n\n Require users and administrators assigned privileges that allow the export of\n production data from a production database to acknowledge understanding of\n export restrictions.\n\n Restrict permissions allowing use or access to database export procedures or\n functions to authorized users.\n\n Ensure sensitive data from production is sanitized prior to import to a\n development database (See check O121-BP-023300.)\n\n Grant access and need-to-know to developers where allowed by policy." 
+ "check": "Run the SQL query:\n\n select distinct o.owner from dba_objects o, dba_users u\n where o.owner not in\n (\n \n )\n and o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n To obtain a list of users assigned DBA privileges, run the query:\n\n select grantee from dba_role_privs where granted_role = 'DBA';\n\n If any records are returned, then verify the account is an authorized\n application object owner account or a default account installed to support an\n Oracle product.\n\n Verify that any objects owned by custom DBA accounts are for the personal use\n of that DBA.\n\n If any objects are used to support applications or any functions other than DBA\n functions, this is a finding.\n\n Any unauthorized object owner accounts are not a finding under this check as\n they are noted as findings under check O121-C2-011000.\n\n Any other accounts listed are a finding.", + "fix": "Disable any application object owner accounts.\n\n From SQL*Plus:\n alter user [username] account lock;\n\n Enable application object owner accounts only for installation and maintenance.\n\n DBAs are special purpose accounts and do not require disabling although they\n may own objects.\n\n For application objects that require routine maintenance, e.g. index objects,\n to maintain performance, consider allowing a special purpose account to own the\n index or enable the application owner account for the duration of the routine\n maintenance function only." 
}, - "code": "control 'V-61501' do\n title \"Procedures and restrictions for import of production data to\n development databases must be documented, implemented and followed.\"\n desc \"Data export from production databases may include sensitive data.\n Application developers may not be cleared for or have need-to-know to sensitive\n data. Any access they may have to production data would be considered\n unauthorized access and subject the sensitive data to unlawful or unauthorized\n disclosure.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61501'\n tag \"rid\": 'SV-75991r1_rule'\n tag \"stig_id\": 'O121-BP-024800'\n tag \"fix_id\": 'F-67417r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the database being reviewed is not a production database or\n does not contain sensitive data, this check is not a finding.\n\n Review documented policy, procedures and proof of implementation for\n restrictions placed on data exports from the production database.\n\n Policy and procedures should include that only authorized users have access to\n DBMS export utilities and that export data is properly sanitized prior to\n import to a development database.\n\n Policy and procedures may also include that developers be granted the necessary\n clearance and need-to-know prior to import of production data.\n\n If documented policy, procedures and proof of implementation are not present or\n complete, this is a finding.\n\n If methods to sanitize sensitive data are required and not documented or\n followed, this is a finding.\"\n tag \"fix\": \"Develop, document and implement policy and 
procedures that\n provide restrictions for production data export.\n\n Require users and administrators assigned privileges that allow the export of\n production data from a production database to acknowledge understanding of\n export restrictions.\n\n Restrict permissions allowing use or access to database export procedures or\n functions to authorized users.\n\n Ensure sensitive data from production is sanitized prior to import to a\n development database (See check O121-BP-023300.)\n\n Grant access and need-to-know to developers where allowed by policy.\"\n describe 'A manual review is required to ensure procedures and restrictions for import of production data to\n development databases are documented, implemented and followed' do\n skip 'A manual review is required to ensure procedures and restrictions for import of production data to\n development databases are documented, implemented and followed'\n end\nend\n", + "code": "control 'V-61467' do\n title \"Application object owner accounts must be disabled when not performing\n installation or maintenance actions.\"\n desc \"Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. 
To help protect the account, it must be enabled only when access is\n required.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61467'\n tag \"rid\": 'SV-75957r4_rule'\n tag \"stig_id\": 'O121-BP-024000'\n tag \"fix_id\": 'F-67383r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the SQL query:\n\n select distinct o.owner from dba_objects o, dba_users u\n where o.owner not in\n (\n \n )\n and o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n To obtain a list of users assigned DBA privileges, run the query:\n\n select grantee from dba_role_privs where granted_role = 'DBA';\n\n If any records are returned, then verify the account is an authorized\n application object owner account or a default account installed to support an\n Oracle product.\n\n Verify that any objects owned by custom DBA accounts are for the personal use\n of that DBA.\n\n If any objects are used to support applications or any functions other than DBA\n functions, this is a finding.\n\n Any unauthorized object owner accounts are not a finding under this check as\n they are noted as findings under check O121-C2-011000.\n\n Any other accounts listed are a finding.\"\n tag \"fix\": \"Disable any application object owner accounts.\n\n From SQL*Plus:\n 
alter user [username] account lock;\n\n Enable application object owner accounts only for installation and maintenance.\n\n DBAs are special purpose accounts and do not require disabling although they\n may own objects.\n\n For application objects that require routine maintenance, e.g. index objects,\n to maintain performance, consider allowing a special purpose account to own the\n index or enable the application owner account for the duration of the routine\n maintenance function only.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n dba_users = sql.query(\"select grantee from dba_sys_privs\n where admin_option = 'YES' and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA');\").column('grantee').uniq\n if dba_users.empty?\n impact 0.0\n describe 'There are no oracle DBA users, control N/A' do\n skip 'There are no oracle DBA users, control N/A'\n end\n else\n dba_users.each do |user|\n describe \"oracle DBA users: #{user}\" do\n subject { user }\n it { should be_in input('allowed_dbadmin_users') }\n end\n end\n end\n\n unlocked_accounts = sql.query(\"select distinct o.owner from dba_objects o, dba_users u\n where\n o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\").column('owner').uniq\n if unlocked_accounts.empty?\n impact 0.0\n describe 'There are no unlocked oracle accounts, control N/A' do\n skip 'There are no unlocked oracle accounts, control N/A'\n end\n else\n unlocked_accounts.each do |user|\n describe \"oracle user: #{user}\" do\n subject { user }\n it { should be_in input('allowed_unlocked_oracledb_accounts') }\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61501.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61467.rb", 
"line": 1 }, - "id": "V-61501" + "id": "V-61467" }, { - "title": "The DBMS must take needed steps to protect data at rest and ensure\n confidentiality and integrity of application data.", - "desc": "This control is intended to address the confidentiality and integrity\n of information at rest in non-mobile devices and covers user information and\n system information. Information at rest refers to the state of information when\n it is located on a secondary storage device (e.g., disk drive, tape drive)\n within an organizational information system. Applications and application users\n generate information throughout the course of their application use.\n\n User-generated data and application specific configuration data both need\n to be protected. Configurations and/or rule sets for firewalls, gateways,\n intrusion detection/prevention systems, and filtering routers and authenticator\n content are examples of system information likely requiring protection.\n Organizations may choose to employ different mechanisms to achieve\n confidentiality and integrity protections, as appropriate.\n\n If the confidentiality and integrity of application data is not protected,\n the data will be open to compromise and unauthorized modification.", + "title": "The DBMS must automatically audit account modification.", + "desc": "Once an attacker establishes initial access to a system, they often\n attempt to create a persistent method of re-establishing access. One way to\n accomplish this is for the attacker to simply modify an existing account.\n\n Auditing of account modification is one method and best practice for\n mitigating this risk. A comprehensive application account management process\n ensures an audit trail automatically documents the modification of application\n user accounts and, as required, notifies administrators, application owners,\n and/or appropriate individuals. 
Applications must provide this capability\n directly, leveraging complementary technology providing this capability or a\n combination thereof.\n\n Automated account auditing processes greatly reduces the risk that accounts\n will be surreptitiously modified and provides logging that can be used for\n forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account modification.", "descriptions": { - "default": "This control is intended to address the confidentiality and integrity\n of information at rest in non-mobile devices and covers user information and\n system information. Information at rest refers to the state of information when\n it is located on a secondary storage device (e.g., disk drive, tape drive)\n within an organizational information system. Applications and application users\n generate information throughout the course of their application use.\n\n User-generated data and application specific configuration data both need\n to be protected. Configurations and/or rule sets for firewalls, gateways,\n intrusion detection/prevention systems, and filtering routers and authenticator\n content are examples of system information likely requiring protection.\n Organizations may choose to employ different mechanisms to achieve\n confidentiality and integrity protections, as appropriate.\n\n If the confidentiality and integrity of application data is not protected,\n the data will be open to compromise and unauthorized modification." + "default": "Once an attacker establishes initial access to a system, they often\n attempt to create a persistent method of re-establishing access. 
One way to\n accomplish this is for the attacker to simply modify an existing account.\n\n Auditing of account modification is one method and best practice for\n mitigating this risk. A comprehensive application account management process\n ensures an audit trail automatically documents the modification of application\n user accounts and, as required, notifies administrators, application owners,\n and/or appropriate individuals. Applications must provide this capability\n directly, leveraging complementary technology providing this capability or a\n combination thereof.\n\n Automated account auditing processes greatly reduces the risk that accounts\n will be surreptitiously modified and provides logging that can be used for\n forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account modification." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000231-DB-000154", - "gid": "V-61771", - "rid": "SV-76261r2_rule", - "stig_id": "O121-C2-018300", - "fix_id": "F-67687r1_fix", + "gtitle": "SRG-APP-000027-DB-000186", + "gid": "V-61569", + "rid": "SV-76059r2_rule", + "stig_id": "O121-C2-002300", + "fix_id": "F-67485r3_fix", "cci": [ - "CCI-001199" + "CCI-001403" ], "nist": [ - "SC-28", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -173,35 +173,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.\n\n Review DBMS settings to determine whether controls exist to protect the\n confidentiality and integrity of data at rest in the database.\n\n If controls do not exist or are not enabled, this is a finding.\n\n To ensure that the appropriate controls are in place, discuss the precautions\n taken with the site Database Administrators and System Administrators and try\n to modify data at rest.\n\n Oracle recommends using Transparent Data Encryption to protect data.\n\n In order to check to see if the data is encrypted, for example, upon an\n auditor's request, Oracle provides views that document the encryption status of\n the database. For TDE column encryption, use the view 'dba_encrypted_columns',\n which lists the owner, table name, column name, encryption algorithm, and salt\n for all encrypted columns. For TDE tablespace encryption, the following SQL\n statement lists all encrypted tablespaces with their encryption algorithm and\n corresponding, encrypted, data files. 
Issue the following commands to check to\n see if the data at rest is encrypted.\n\n $ sqlplus connect as sysdba\n\n SQL> SELECT t.name \"TSName\",\n e.encryptionalg \"Algorithm\",\n d.file_name \"File Name\"\n FROM v$tablespace t,\n v$encrypted_tablespaces e,\n dba_data_files d\n WHERE t.ts# = e.ts#\n and t.name = d.tablespace_name;\n\n The next SQL statement lists the table owner, tables within encrypted\n tablespaces, and the encryption algorithm:\n\n SQL> SELECT a.owner \"Owner\",\n a.table_name \"Table Name\",\n e.encryptionalg \"Algorithm\"\n FROM dba_tables a,\n v$encrypted_tablespaces e\n WHERE a.tablespace_name in (select t.name from v$tablespace t,\n v$encrypted_tablespaces e where t.ts# = e.ts#);", - "fix": "Apply appropriate controls to protect the confidentiality and\n integrity of data at rest in the database.\n\n If no site-specific precautions are in place, use Oracle Advanced Security\n Option to encrypt data at rest.\n\n If ASO is not an option, use site-specific procedures to secure data at rest." + "check": "Check Oracle settings (and also OS settings and/or\n enterprise-level authentication/access mechanisms settings) to determine if\n account modification is being audited. If account modification is not being\n audited by Oracle, this is a finding.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data including account\n modification, enter the following SQL*Plus command:\n SELECT ' Account modification is not being audited. 
'\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'ALTER USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\n\n If Oracle returns \"no rows selected\", this is not a finding.", + "fix": "Configure Oracle to audit account modifications activities.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing. 
Reference\n V-61625 for information on how to configure a policy to audit account\n modification.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810" }, - "code": "control 'V-61771' do\n title \"The DBMS must take needed steps to protect data at rest and ensure\n confidentiality and integrity of application data.\"\n desc \"This control is intended to address the confidentiality and integrity\n of information at rest in non-mobile devices and covers user information and\n system information. Information at rest refers to the state of information when\n it is located on a secondary storage device (e.g., disk drive, tape drive)\n within an organizational information system. Applications and application users\n generate information throughout the course of their application use.\n\n User-generated data and application specific configuration data both need\n to be protected. 
Configurations and/or rule sets for firewalls, gateways,\n intrusion detection/prevention systems, and filtering routers and authenticator\n content are examples of system information likely requiring protection.\n Organizations may choose to employ different mechanisms to achieve\n confidentiality and integrity protections, as appropriate.\n\n If the confidentiality and integrity of application data is not protected,\n the data will be open to compromise and unauthorized modification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000231-DB-000154'\n tag \"gid\": 'V-61771'\n tag \"rid\": 'SV-76261r2_rule'\n tag \"stig_id\": 'O121-C2-018300'\n tag \"fix_id\": 'F-67687r1_fix'\n tag \"cci\": ['CCI-001199']\n tag \"nist\": ['SC-28', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the application owner and Authorizing Official have\n determined that encryption of data at rest is NOT required, this is not a\n finding.\n\n Review DBMS settings to determine whether controls exist to protect the\n confidentiality and integrity of data at rest in the database.\n\n If controls do not exist or are not enabled, this is a finding.\n\n To ensure that the appropriate controls are in place, discuss the precautions\n taken with the site Database Administrators and System Administrators and try\n to modify data at rest.\n\n Oracle recommends using Transparent Data Encryption to protect data.\n\n In order to check to see if the data is encrypted, for example, upon an\n auditor's request, Oracle provides views that document the encryption status of\n the database. 
For TDE column encryption, use the view 'dba_encrypted_columns',\n which lists the owner, table name, column name, encryption algorithm, and salt\n for all encrypted columns. For TDE tablespace encryption, the following SQL\n statement lists all encrypted tablespaces with their encryption algorithm and\n corresponding, encrypted, data files. Issue the following commands to check to\n see if the data at rest is encrypted.\n\n $ sqlplus connect as sysdba\n\n SQL> SELECT t.name \\\"TSName\\\",\n e.encryptionalg \\\"Algorithm\\\",\n d.file_name \\\"File Name\\\"\n FROM v$tablespace t,\n v$encrypted_tablespaces e,\n dba_data_files d\n WHERE t.ts# = e.ts#\n and t.name = d.tablespace_name;\n\n The next SQL statement lists the table owner, tables within encrypted\n tablespaces, and the encryption algorithm:\n\n SQL> SELECT a.owner \\\"Owner\\\",\n a.table_name \\\"Table Name\\\",\n e.encryptionalg \\\"Algorithm\\\"\n FROM dba_tables a,\n v$encrypted_tablespaces e\n WHERE a.tablespace_name in (select t.name from v$tablespace t,\n v$encrypted_tablespaces e where t.ts# = e.ts#);\"\n tag \"fix\": \"Apply appropriate controls to protect the confidentiality and\n integrity of data at rest in the database.\n\n If no site-specific precautions are in place, use Oracle Advanced Security\n Option to encrypt data at rest.\n\n If ASO is not an option, use site-specific procedures to secure data at rest.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select * from v$parameter where name = 'DBFIPS_140c';\").column('value')\n\n describe 'The oracle database DBFIPS_140c parameter' do\n subject { parameter }\n it { should_not be_empty }\n end\nend\n", + "code": "control 'V-61569' do\n title 'The DBMS must automatically audit account modification.'\n desc \"Once an attacker establishes initial access to a system, they often\n attempt to create a 
persistent method of re-establishing access. One way to\n accomplish this is for the attacker to simply modify an existing account.\n\n Auditing of account modification is one method and best practice for\n mitigating this risk. A comprehensive application account management process\n ensures an audit trail automatically documents the modification of application\n user accounts and, as required, notifies administrators, application owners,\n and/or appropriate individuals. Applications must provide this capability\n directly, leveraging complementary technology providing this capability or a\n combination thereof.\n\n Automated account auditing processes greatly reduces the risk that accounts\n will be surreptitiously modified and provides logging that can be used for\n forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account modification.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000027-DB-000186'\n tag \"gid\": 'V-61569'\n tag \"rid\": 'SV-76059r2_rule'\n tag \"stig_id\": 'O121-C2-002300'\n tag \"fix_id\": 'F-67485r3_fix'\n tag \"cci\": ['CCI-001403']\n tag \"nist\": ['AC-2 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check Oracle settings (and also OS settings and/or\n enterprise-level authentication/access mechanisms settings) to determine if\n account modification is being audited. 
If account modification is not being\n audited by Oracle, this is a finding.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data including account\n modification, enter the following SQL*Plus command:\n SELECT ' Account modification is not being audited. '\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'ALTER USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\n\n If Oracle returns \\\"no rows selected\\\", this is not a finding.\"\n tag \"fix\": \"Configure Oracle to audit account modifications activities.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing. 
Reference\n V-61625 for information on how to configure a policy to audit account\n modification.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n\n unified_auditing_events = sql.query(\"SELECT ' Account modification is not being audited. 
'\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'ALTER USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\").column('Account modification is not being audited.').uniq\n\n describe 'The unified auditing data capture for account modification' do\n subject { unified_auditing_events.to_s }\n it { should_not cmp '[nil]' }\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61771.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61569.rb", "line": 1 }, - "id": "V-61771" + "id": "V-61569" }, { - "title": "Application user privilege assignment must be reviewed monthly or more\n frequently to ensure compliance with least privilege and documented policy.", - "desc": "Users granted privileges not required to perform their assigned\n functions are able to make unauthorized modifications to the production data or\n database. Monthly or more frequent periodic review of privilege assignments\n assures that organizational and/or functional changes are reflected\n appropriately.", + "title": "The DBMS must automatically audit account termination.", + "desc": "When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events affecting user accessibility and\n application processing, applications must audit account terminating actions and\n notify the appropriate individuals so they can investigate the event. 
Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account termination.", "descriptions": { - "default": "Users granted privileges not required to perform their assigned\n functions are able to make unauthorized modifications to the production data or\n database. Monthly or more frequent periodic review of privilege assignments\n assures that organizational and/or functional changes are reflected\n appropriately." + "default": "When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events affecting user accessibility and\n application processing, applications must audit account terminating actions and\n notify the appropriate individuals so they can investigate the event. Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account termination." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61455", - "rid": "SV-75945r1_rule", - "stig_id": "O121-BP-023400", - "fix_id": "F-67371r1_fix", + "gtitle": "SRG-APP-000029-DB-000188", + "gid": "V-61573", + "rid": "SV-76063r2_rule", + "stig_id": "O121-C2-002500", + "fix_id": "F-67489r2_fix", "cci": [ - "CCI-000366" + "CCI-001405" ], "nist": [ - "CM-6 b", + "AC-2 (4)", "Rev_4" ], "false_negatives": null, 
@@ -214,35 +214,39 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null, 
- "check": "Review policy, procedures and implementation evidence to\n determine if periodic reviews of user privileges by the ISSO are being\n performed.\n\n Evidence may consist of email or other correspondence that acknowledges receipt\n of periodic reports and notification of review between the DBA and ISSO or\n other auditors as assigned.\n\n If policy and procedures are incomplete or no evidence of implementation\n exists, this is a finding.", 
- "fix": "Develop, document and implement policy and procedures for\n periodic review of database user accounts and privilege assignments.\n\n Include methods to provide evidence of review in the procedures to verify\n reviews occur in accordance with the procedures." 
+ "check": "Check Oracle settings (and also OS settings and/or\n enterprise-level authentication/access mechanisms settings) to determine if\n account termination actions are being audited. If account termination actions\n are not being audited by Oracle, this is a finding.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data including account\n termination, enter the following SQL*Plus command:\n SELECT ' Account termination is not being audited. 
'\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'DROP USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\n\n If Oracle returns \"no rows selected\", this is not a finding.", 
+ "fix": "Configure Oracle to audit account termination actions.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing. 
Reference\n V-61625 for information on how to configure a policy to audit account\n termination.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810"
 }, 
- "code": "control 'V-61455' do\n title \"Application user privilege assignment must be reviewed monthly or more\n frequently to ensure compliance with least privilege and documented policy.\"\n desc \"Users granted privileges not required to perform their assigned\n functions are able to make unauthorized modifications to the production data or\n database. 
Monthly or more frequent periodic review of privilege assignments\n assures that organizational and/or functional changes are reflected\n appropriately.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61455'\n tag \"rid\": 'SV-75945r1_rule'\n tag \"stig_id\": 'O121-BP-023400'\n tag \"fix_id\": 'F-67371r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review policy, procedures and implementation evidence to\n determine if periodic reviews of user privileges by the ISSO are being\n performed.\n\n Evidence may consist of email or other correspondence that acknowledges receipt\n of periodic reports and notification of review between the DBA and ISSO or\n other auditors as assigned.\n\n If policy and procedures are incomplete or no evidence of implementation\n exists, this is a finding.\"\n tag \"fix\": \"Develop, document and implement policy and procedures for\n periodic review of database user accounts and privilege assignments.\n\n Include methods to provide evidence of review in the procedures to verify\n reviews occur in accordance with the procedures.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n database_roles = sql.query('select * from dba_roles;').column('role')\n\n describe \"A manual review is required to ensure application user privilege assignment are reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. 
The database roles to review are: #{database_roles}\" do\n skip \"A manual review is required to ensure application user privilege assignment are reviewed monthly or more frequently to ensure compliance with least privilege and documented policy. The database roles to review are: #{database_roles}\"\n end\nend\n", 
+ "code": "control 'V-61573' do\n title 'The DBMS must automatically audit account termination.'\n desc \"When application accounts are terminated, user accessibility is\n affected. Accounts are utilized for identifying individual application users\n or for identifying the application processes themselves.\n\n In order to detect and respond to events affecting user accessibility and\n application processing, applications must audit account terminating actions and\n notify the appropriate individuals so they can investigate the event. Such a\n capability greatly reduces the risk that application accessibility will be\n negatively affected for extended periods of time and provides logging that can\n be used for forensic purposes.\n\n Note that user authentication and account management should be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP.\n\n However, notwithstanding how accounts are managed, Oracle auditing should\n always be configured to capture account termination.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000029-DB-000188'\n tag \"gid\": 'V-61573'\n tag \"rid\": 'SV-76063r2_rule'\n tag \"stig_id\": 'O121-C2-002500'\n tag \"fix_id\": 'F-67489r2_fix'\n tag \"cci\": ['CCI-001405']\n tag \"nist\": ['AC-2 (4)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Check Oracle settings (and also OS settings and/or\n enterprise-level authentication/access mechanisms settings) to determine if\n account termination actions are being audited. If account termination actions\n are not being audited by Oracle, this is a finding.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data including account\n termination, enter the following SQL*Plus command:\n SELECT ' Account termination is not being audited. 
'\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'DROP USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\n\n If Oracle returns \\\"no rows selected\\\", this is not a finding.\"\n tag \"fix\": \"Configure Oracle to audit account termination actions.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database. Oracle\n Database Upgrade Guide describes how to enable unified auditing. 
Reference\n V-61625 for information on how to configure a policy to audit account\n termination.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n\n unified_auditing_events = sql.query(\"SELECT ' Account termination is not being audited. 
'\n FROM dual\n WHERE (SELECT Count(*)\n FROM (select policy_name , audit_option from audit_unified_policies\n WHERE audit_option = 'DROP USER'\n and policy_name in (select policy_name from\n audit_unified_enabled_policies where user_name='ALL USERS'))) = 0\n OR (SELECT value\n FROM v$option\n WHERE parameter = 'Unified Auditing') != 'TRUE';\").column('Account termination is not being audited').uniq\n\n describe 'The unified auditing data capture for account termination' do\n subject { unified_auditing_events.to_s }\n it { should_not cmp '[nil]' }\n end\n end\nend\n",
 "source_location": { 
- "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61455.rb", 
+ "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61573.rb",
 "line": 1
 }, 
- "id": "V-61455" 
+ "id": "V-61573"
 },
 { 
- "title": "The DBMS must produce audit records containing sufficient information\n to establish what type of events occurred.", 
- "desc": "Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Database software is capable of a range of actions on data stored within\n the database. It is important, for accurate forensic analysis, to know exactly\n what actions were performed. This requires specific information regarding the\n event type an audit record is referring to. If event type information is not\n recorded and stored with the audit record, the record itself is of very limited\n use.", 
+ "title": "Access to external executables must be disabled or restricted.", 
+ "desc": "The Oracle external procedure capability provides use of the Oracle\n process account outside the operation of the DBMS process. 
You can use it to\n submit and execute applications stored externally from the database under\n operating system controls. The external procedure process is the subject of\n frequent and successful attacks as it allows unauthenticated use of the Oracle\n process account on the operating system. As of Oracle version 11.1, the\n external procedure agent may be run directly from the database and not require\n use of the Oracle listener. This reduces the risk of unauthorized access to the\n procedure from outside of the database process.",
 "descriptions": { 
- "default": "Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Database software is capable of a range of actions on data stored within\n the database. It is important, for accurate forensic analysis, to know exactly\n what actions were performed. This requires specific information regarding the\n event type an audit record is referring to. If event type information is not\n recorded and stored with the audit record, the record itself is of very limited\n use." 
+ "default": "The Oracle external procedure capability provides use of the Oracle\n process account outside the operation of the DBMS process. You can use it to\n submit and execute applications stored externally from the database under\n operating system controls. The external procedure process is the subject of\n frequent and successful attacks as it allows unauthenticated use of the Oracle\n process account on the operating system. As of Oracle version 11.1, the\n external procedure agent may be run directly from the database and not require\n use of the Oracle listener. 
This reduces the risk of unauthorized access to the\n procedure from outside of the database process."
 }, 
- "impact": 0.5, 
- "refs": [], 
+ "impact": 0, 
+ "refs": [ 
+ { 
+ "ref": [] 
+ } 
+ ],
 "tags": { 
- "gtitle": "SRG-APP-000095-DB-000039", 
- "gid": "V-61627", 
- "rid": "SV-76117r1_rule", 
- "stig_id": "O121-C2-007400", 
- "fix_id": "F-67543r1_fix", 
+ "gtitle": "SRG-APP-000141-DB-000093", 
+ "gid": "V-61685", 
+ "rid": "SV-76175r2_rule", 
+ "stig_id": "O121-C2-011810", 
+ "fix_id": "F-67599r1_fix",
 "cci": [ 
- "CCI-000130" 
+ "CCI-000381"
 ],
 "nist": [ 
- "AU-3", 
+ "CM-7 a",
 "Rev_4"
 ],
 "false_negatives": null, 
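Review bot: The new V-61685 record in the second half of this hunk changes the shape of `refs` from the empty array the other controls visible here use (V-61573 at the top of the hunk, and the removed V-61627) to `[{"ref": []}]`, an element that carries no reference data, so a consumer iterating `refs` for reference objects now receives an empty placeholder; unless the ingestion source really emits a reference for this control, it should stay `"refs": []`. The same record's `code` string begins with a stray leading space (`" control 'V-61685' do"`), which suggests the profile source was not normalised before ingestion. In the V-61573 code, the closing assertion `it { should_not cmp '[nil]' }` on `unified_auditing_events.to_s` depends on `.column('Account termination is not being audited')` naming a column the query never aliases (it selects the bare literal `' Account termination is not being audited. '` from dual), so the pass/fail outcome rests on how oracledb_session treats a missing column rather than on whether a row came back; asserting that the query result is empty (no row means a DROP USER policy is enabled for ALL USERS and unified auditing is on) would express the check text directly. Both control records lie entirely within this hunk.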
@@ -255,39 +259,36 @@
 "mitigation_controls": null,
 "responsibility": null,
 "ia_controls": null, 
- "check": "Verify, using vendor and system documentation if necessary,\n that the DBMS is configured to use Oracle's auditing features, or that a\n third-party product or custom code is deployed and configured to satisfy this\n requirement.\n\n If a third-party product or custom code is used, compare its current\n configuration with the audit requirements. If any of the requirements is not\n covered by the configuration, this is a finding.\n\n The remainder of this Check is applicable specifically where Oracle auditing is\n in use.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SHOW PARAMETER AUDIT_TRAIL\n\n or the following SQL query:\n\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n\n If Oracle returns the value \"NONE\", this is a finding.\n\n To confirm that Oracle audit is capturing sufficient information to establish\n the identity of the user/subject or process, perform a successful auditable\n action and an auditable action that results in an SQL error, and then view the\n results in the SYS.AUD$ table or the audit file, whichever is in use.\n\n If no ACTION#, or the wrong value, is returned for the auditable actions just\n performed, this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \"TRUE\", this is not a finding.\n\n To confirm that Oracle audit is capturing sufficient information to establish\n the identity of the user/subject or process, perform a successful auditable\n action and an auditable action that results in an SQL error, and then view the\n results in the SYS.UNIFIED_AUDIT_TRAIL view.\n\n If no ACTION#, or the wrong value, is returned for the auditable 
actions just\n performed, this is a finding.", 
- "fix": "Configure the DBMS's auditing to audit standard and\n organization-defined auditable events, the audit record to include what type of\n event occurred. If preferred, use a third-party or custom tool.\n\n If using a third-party product, proceed in accordance with the product\n documentation. If using Oracle's capabilities, proceed as follows.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database.\n\n\n\n Oracle Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810" 
+ "check": "Review the System Security Plan to determine if the use of the\n external procedure agent is authorized.\n\n Review the ORACLE_HOME/bin directory or search the ORACLE_BASE path for the\n executable extproc (UNIX) or extproc.exe (Windows).\n\n If external procedure agent is not authorized for use in the System Security\n Plan and the executable file does not exist or is 
restricted, this is not a\n finding.\n\n If external procedure agent is not authorized for use in the System Security\n Plan and the executable file exists and is not restricted, this is a finding.\n\n If use of the external procedure agent is authorized, ensure extproc is\n restricted to execution of authorized applications.\n\n External jobs are run using the account nobody by default.\n\n Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the\n lines run_user= and run_group=.\n\n If the user assigned to these parameters is not \"nobody\", this is a finding.\n\n For versions 11.1 and later, the external procedure agent (extproc executable)\n is available directly from the database and does not require definition in the\n listener.ora file for use.\n\n Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora.\n\n If the file does not exist, this is a finding.\n\n If the following entry does not appear in the file, this is a finding:\n\n EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..\n\n [dll full file name] represents a full path and file name.\n\n This list of file names is separated by \":\".\n\n Note: If \"ONLY\" is specified, then the list is restricted to allow execution\n of only the DLLs specified in the list and is not a finding. If \"ANY\" is\n specified, then there are no restrictions for execution except what is\n controlled by operating system permissions and is a finding. If no\n specification is made, any files located in the %ORACLE_HOME%\\bin directory on\n Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed\n (the default) and is a finding.\n\n Ensure that EXTPROC is not accessible from the listener.\n\n Review the listener.ora file. 
If any entries reference \"extproc\", this is a\n finding.\n\n Determine if the external procedure agent is in use per Oracle 10.x conventions.\n\n Review the listener.ora file.\n\n If any entries reference \"extproc\", then the agent is in use.\n\n If external procedure agent is not authorized for use in the System Security\n Plan and references to \"extproc\" exist, this is a finding.\n\n Sample listener.ora entries with extproc included:\n\n LISTENER =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n )\n EXTLSNR =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))\n )\n SID_LIST_LISTENER =\n (SID_LIST =\n (SID_DESC =\n (GLOBAL_DBNAME = ORCL)\n (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n (SID_NAME = ORCL)\n )\n )\n SID_LIST_EXTLSNR =\n (SID_LIST =\n (SID_DESC =\n (PROGRAM = extproc)\n (SID_NAME = PLSExtProc)\n (ORACLE_HOME = /home/oracle/app/oracle/product/11.1.0/db_1)\n (ENVS=\"EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,\n LD_LIBRARY_PATH=/private/app2/lib:/private/app1,\n MYPATH=/usr/fso:/usr/local/packages\")\n )\n )\n\n Sample tnsnames.ora entries with extproc included:\n\n ORCL =\n (DESCRIPTION =\n (ADDRESS_LIST =\n (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))\n )\n (CONNECT_DATA =\n (SERVICE_NAME = ORCL)\n )\n )\n EXTPROC_CONNECTION_DATA =\n (DESCRIPTION =\n (ADDRESS_LIST =\n (ADDRESS = (PROTOCOL = IPC)(KEY = extproc))\n )\n (CONNECT_DATA =\n (SERVER = DEDICATED)\n (SERVICE_NAME = PLSExtProc)\n )\n )\n\n If EXTPROC is in use, confirm that a listener is dedicated to serving the\n external procedure agent (as shown above).\n\n View the protocols configured for the listener.\n\n For the listener to be dedicated, the only entries will be to specify extproc.\n\n If there is not a dedicated listener in use for the external procedure agent,\n this is a finding.\n\n If the PROTOCOL= specified is other than IPC, this is a finding.\n\n Verify and ensure extproc is 
restricted executing authorized external\n applications only and extproc is restricted to execution of authorized\n applications.\n\n Review the listener.ora file.\n\n If the following entry does not exist, this is a finding:\n\n EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...\n\n Note: [dll full file name] represents a full path and file name. This list of\n file names is separated by \":\".\n\n Note: If \"ONLY\" is specified, then the list is restricted to allow execution\n of only the DLLs specified in the list and is not a finding. If \"ANY\" is\n specified, then there are no restrictions for execution except what is\n controlled by operating system permissions and is a finding. If no\n specification is made, any files located in the %ORACLE_HOME%\\bin directory on\n Windows systems or $ORACLE_HOME/lib directory on UNIX systems can be executed\n (the default) and is a finding.\n\n View the listener.ora file (usually in ORACLE_HOME/network/admin or directory\n specified by the TNS_ADMIN environment variable).\n\n If multiple listener processes are running, then the listener.ora file for each\n must be viewed.\n\n For each process, determine the directory specified in the ORACLE_HOME or\n TNS_ADMIN environment variable defined for the process account to locate the\n listener.ora file.", 
+ "fix": "If use of the external procedure agent is required, then\n authorize and document the requirement in the System Security Plan.\n\n If the external procedure agent must be accessible to the Oracle listener, then\n specify this and authorize it in the System Security Plan.\n\n If use of the Oracle External Procedure agent is not required:\n\n - Stop the Oracle Listener process\n - Remove all references to extproc in the listener.ora and tnsnames.ora files\n - Alter the permissions on the executable files:\n UNIX - Remove read/write/execute permissions from owner, group and\n world\n Windows - Remove Groups/Users from the executable (except groups\n SYSTEM 
and ADMINISTRATORS) and allow READ [only] for SYSTEM and ADMINISTRATORS\n groups\n\n If required:\n\n - Restrict extproc execution to only authorized applications.\n - Specify EXTPROC_DLLS=ONLY: [list of authorized DLLS] in the extproc.ora and\n the listener.ora files\n - Create a separate, dedicated listener for use by the external procedure agent\n\n See the Oracle Net Services Administrators Guides, External Procedures section\n for detailed configuration information."
 }, 
- "code": "control 'V-61627' do\n title \"The DBMS must produce audit records containing sufficient information\n to establish what type of events occurred.\"\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Database software is capable of a range of actions on data stored within\n the database. It is important, for accurate forensic analysis, to know exactly\n what actions were performed. This requires specific information regarding the\n event type an audit record is referring to. 
If event type information is not\n recorded and stored with the audit record, the record itself is of very limited\n use.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000095-DB-000039'\n tag \"gid\": 'V-61627'\n tag \"rid\": 'SV-76117r1_rule'\n tag \"stig_id\": 'O121-C2-007400'\n tag \"fix_id\": 'F-67543r1_fix'\n tag \"cci\": ['CCI-000130']\n tag \"nist\": ['AU-3', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Verify, using vendor and system documentation if necessary,\n that the DBMS is configured to use Oracle's auditing features, or that a\n third-party product or custom code is deployed and configured to satisfy this\n requirement.\n\n If a third-party product or custom code is used, compare its current\n configuration with the audit requirements. 
If any of the requirements is not\n covered by the configuration, this is a finding.\n\n The remainder of this Check is applicable specifically where Oracle auditing is\n in use.\n\n If Standard Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SHOW PARAMETER AUDIT_TRAIL\n\n or the following SQL query:\n\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n\n If Oracle returns the value \\\"NONE\\\", this is a finding.\n\n To confirm that Oracle audit is capturing sufficient information to establish\n the identity of the user/subject or process, perform a successful auditable\n action and an auditable action that results in an SQL error, and then view the\n results in the SYS.AUD$ table or the audit file, whichever is in use.\n\n If no ACTION#, or the wrong value, is returned for the auditable actions just\n performed, this is a finding.\n\n If Unified Auditing is used:\n To see if Oracle is configured to capture audit data, enter the following\n SQL*Plus command:\n\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\n\n To confirm that Oracle audit is capturing sufficient information to establish\n the identity of the user/subject or process, perform a successful auditable\n action and an auditable action that results in an SQL error, and then view the\n results in the SYS.UNIFIED_AUDIT_TRAIL view.\n\n If no ACTION#, or the wrong value, is returned for the auditable actions just\n performed, this is a finding.\"\n tag \"fix\": \"Configure the DBMS's auditing to audit standard and\n organization-defined auditable events, the audit record to include what type of\n event occurred. If preferred, use a third-party or custom tool.\n\n If using a third-party product, proceed in accordance with the product\n documentation. 
If using Oracle's capabilities, proceed as follows.\n\n If Standard Auditing is used:\n Use this process to ensure auditable events are captured:\n\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n To ensure auditable events are captured:\n Link the oracle binary with uniaud_on, and then restart the database.\n\n\n\n Oracle Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n audit_info_captured = sql.query('SELECT 
EVENT_TIMESTAMP FROM UNIFIED_AUDIT_TRAIL ORDER BY EVENT_TIMESTAMP DESC FETCH FIRST 10 ROWS ONLY;').column('event_timestamp')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n\n describe 'The oracle database unified auditing events captured' do\n subject { audit_info_captured }\n it { should_not be_empty }\n end\n\n end\nend\n", + "code": " control 'V-61685' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61627.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61685.rb", "line": 1 }, - "id": "V-61627" + "id": "V-61685" }, { - "title": "Network access to the DBMS must be restricted to authorized personnel.", - "desc": "Restricting remote access to specific, trusted systems helps prevent\n access by unauthorized and potentially malicious users.", + "title": "The DBMS must restrict access to system tables and other configuration\n information or metadata to DBAs or other authorized users.", + "desc": "Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). 
The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n\n Administrative data includes DBMS metadata and other configuration and\n management data. Unauthorized access to this data could result in unauthorized\n changes to database objects, access controls, or DBMS configuration.", "descriptions": { - "default": "Restricting remote access to specific, trusted systems helps prevent\n access by unauthorized and potentially malicious users." + "default": "Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n\n Administrative data includes DBMS metadata and other configuration and\n management data. Unauthorized access to this data could result in unauthorized\n changes to database objects, access controls, or DBMS configuration." 
 },
 "impact": 0,
- "refs": [
- {
- "ref": []
- }
- ],
+ "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000516-DB-999900",
- "gid": "V-61515",
- "rid": "SV-76005r2_rule",
- "stig_id": "O121-BP-025600",
- "fix_id": "F-67431r1_fix",
+ "gtitle": "SRG-APP-000062-DB-000016",
+ "gid": "V-61589",
+ "rid": "SV-76079r2_rule",
+ "stig_id": "O121-C2-003900",
+ "fix_id": "F-67505r1_fix",
 "cci": [
- "CCI-000366"
+ "CCI-000366",
+ "CCI-002220"
 ],
 "nist": [
- "CM-6 b",
+ "AC-5 c",
 "Rev_4"
 ],
 "false_negatives": null,
@@ -300,35 +301,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "IP address restriction may be defined for the database\n listener, by use of the Oracle Connection Manager or by an external network\n device.\n\n Identify the method used to enforce address restriction (interview or System\n Security Plan review).\n\n If enforced by the database listener, then review the SQLNET.ORA file located\n in the ORACLE_HOME/network/admin directory (note: this assumes that a single\n sqlnet.ora file, in the default location, is in use; please see the\n supplemental file \"Non-default sqlnet.ora configurations.pdf\" for how to find\n multiple and/or differently located sqlnet.ora files) or the directory\n indicated by the TNS_ADMIN environment variable or registry setting.\n\n If the following entries do not exist, then restriction by IP address is not\n configured and is a finding.\n\n tcp.validnode_checking=YES\n tcp.invited_nodes=(IP1, IP2, IP3)\n\n If enforced by an Oracle Connection Manager, then review the CMAN.ORA file for\n the Connection Manager (located in the TNS_ADMIN or ORACLE_HOME/network/admin\n directory for the connection manager).\n\n If a RULE entry allows all addresses (\"/32\") or does not match the address\n range specified in the System Security Plan, this is a finding.\n\n (rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept))\n\n Note: an IP address with a \"/\" indicates acceptance by subnet mask where the\n number after the \"/\" is the left most number of bits in the address that must\n match for the rule to apply.\n\n If this rule is database-specific, then determine if the SERVICE_NAMES\n parameter is set:\n\n From SQL*PLUS:\n\n select value from v$parameter where name = 'service_names';\n\n If SERVICE_NAMES is set in the initialization file for the database instance,\n use (srv=[service name]), else, use (srv=*) if not set or rule applies to all\n databases on the DBMS server.\n\n If network access restriction 
is performed by an external device, validate ACLs\n are in place to prohibit unauthorized access to the DBMS. To do this, find the\n IP address of the database server (destination address) and source address\n (authorized IPs) in the System Security Plan. Confirm only authorized IPs from\n the System Security Plan are allowed access to the DBMS.", - "fix": "Configure the database listener to restrict access by IP address\n or set up an external device to restrict network access to the DBMS." + "check": "Review user privileges to system tables and configuration data\n stored in the Oracle database.\n\n If non-DBA users are assigned privileges to access system tables and tables\n containing configuration data, this is a finding.\n\n To obtain a list of users and roles that have been granted access to any\n dictionary table, run the query:\n SELECT unique grantee from dba_tab_privs where table_name in\n (select table_name from dictionary)\n order by grantee;\n\n To obtain a list of dictionary tables and assigned privileges granted to a\n specific user or role, run the query:\n SELECT grantee, table_name, privilege from dba_tab_privs where table_name in\n (select table_name from dictionary)\n and grantee = '';", + "fix": "Restrict accessibility of Oracle system tables and other\n configuration information or metadata to DBAs or other authorized users." 
}, - "code": " control 'V-61515' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": "control 'V-61589' do\n title \"The DBMS must restrict access to system tables and other configuration\n information or metadata to DBAs or other authorized users.\"\n desc \"Applications employ the concept of least privilege for specific duties\n and information systems (including specific functions, ports, protocols, and\n services). The concept of least privilege is also applied to information system\n processes, ensuring that the processes operate at privilege levels no higher\n than necessary to accomplish required organizational missions and/or functions.\n Organizations consider the creation of additional processes, roles, and\n information system accounts as necessary to achieve least privilege.\n Organizations also apply least privilege concepts to the design, development,\n implementation, and operations of information systems.\n\n Administrative data includes DBMS metadata and other configuration and\n management data. 
Unauthorized access to this data could result in unauthorized\n changes to database objects, access controls, or DBMS configuration.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000062-DB-000016'\n tag \"gid\": 'V-61589'\n tag \"rid\": 'SV-76079r2_rule'\n tag \"stig_id\": 'O121-C2-003900'\n tag \"fix_id\": 'F-67505r1_fix'\n tag \"cci\": ['CCI-000366', 'CCI-002220']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"nist\": ['AC-5 c', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review user privileges to system tables and configuration data\n stored in the Oracle database.\n\n If non-DBA users are assigned privileges to access system tables and tables\n containing configuration data, this is a finding.\n\n To obtain a list of users and roles that have been granted access to any\n dictionary table, run the query:\n SELECT unique grantee from dba_tab_privs where table_name in\n (select table_name from dictionary)\n order by grantee;\n\n To obtain a list of dictionary tables and assigned privileges granted to a\n specific user or role, run the query:\n SELECT grantee, table_name, privilege from dba_tab_privs where table_name in\n (select table_name from dictionary)\n and grantee = '';\"\n tag \"fix\": \"Restrict accessibility of Oracle system tables and other\n configuration information or metadata to DBAs or other authorized users.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n users_with_dictionary_table_access = sql.query(\"SELECT unique grantee from dba_tab_privs where table_name in\n (select table_name from dictionary)\n order by 
grantee;\").column('grantee').uniq\n if users_with_dictionary_table_access.empty?\n impact 0.0\n describe 'There are no oracle users allowed access to the dictionary table, control N/A' do\n skip 'There are no oracle users allowed access to the dictionary table, control N/A'\n end\n else\n users_with_dictionary_table_access.each do |user|\n describe \"oracle users: #{user} with access to the dictionary table\" do\n subject { user }\n it { should be_in USERS_ALLOWED_ACCESS_TO_DICTIONARY_TABLE }\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61515.rb", - "line": 1 + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61589.rb", + "line": 2 }, - "id": "V-61515" + "id": "V-61589" }, { - "title": "The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.", - "desc": "Setting this value to TRUE allows operating system authentication over\n an unsecured connection. Trusting remote operating systems can allow a user to\n impersonate another operating system user and connect to the database without\n having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only\n information a remote user needs to connect to the database is the name of any\n user whose account is setup to be authenticated by the operating system.", + "title": "The DBMS must employ cryptographic mechanisms preventing the\n unauthorized disclosure of information during transmission unless the\n transmitted data is otherwise protected by alternative physical measures.", + "desc": "Preventing the disclosure of transmitted information requires that\n applications take measures to employ some form of cryptographic mechanism in\n order to protect the information during transmission. This is usually achieved\n through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel.\n\n Alternative physical protection measures include Protected Distribution\n Systems (PDS). 
PDS are used to transmit unencrypted classified NSI through an\n area of lesser classification or control. Inasmuch as the classified NSI is\n unencrypted, the PDS must provide adequate electrical, electromagnetic, and\n physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for\n additional details on a PDS.\n\n Information in transmission is particularly vulnerable to attack. If the\n DBMS does not employ cryptographic mechanisms preventing unauthorized\n disclosure of information during transit, the information may be compromised.\n\n SHA-1 is in the process of being removed from service within the DoD and\n it's use is to be limited during the transition to SHA-2. Use of SHA-1 for\n digital signature generation is prohibited. Allowable uses during the\n transition include CHECKSUM usage and verification of legacy certificate\n signatures. SHA-1 is considered a temporary solution during legacy application\n transitionary periods and should not be engineered into new applications. SHA-2\n is the path forward for DoD.", "descriptions": { - "default": "Setting this value to TRUE allows operating system authentication over\n an unsecured connection. Trusting remote operating systems can allow a user to\n impersonate another operating system user and connect to the database without\n having to supply a password. If REMOTE_OS_AUTHENT is set to true, the only\n information a remote user needs to connect to the database is the name of any\n user whose account is setup to be authenticated by the operating system." + "default": "Preventing the disclosure of transmitted information requires that\n applications take measures to employ some form of cryptographic mechanism in\n order to protect the information during transmission. This is usually achieved\n through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel.\n\n Alternative physical protection measures include Protected Distribution\n Systems (PDS). 
PDS are used to transmit unencrypted classified NSI through an\n area of lesser classification or control. Inasmuch as the classified NSI is\n unencrypted, the PDS must provide adequate electrical, electromagnetic, and\n physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for\n additional details on a PDS.\n\n Information in transmission is particularly vulnerable to attack. If the\n DBMS does not employ cryptographic mechanisms preventing unauthorized\n disclosure of information during transit, the information may be compromised.\n\n SHA-1 is in the process of being removed from service within the DoD and\n it's use is to be limited during the transition to SHA-2. Use of SHA-1 for\n digital signature generation is prohibited. Allowable uses during the\n transition include CHECKSUM usage and verification of legacy certificate\n signatures. SHA-1 is considered a temporary solution during legacy application\n transitionary periods and should not be engineered into new applications. SHA-2\n is the path forward for DoD." }, - "impact": 0.7, - "refs": [], + "impact": 0, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61425", - "rid": "SV-75915r1_rule", - "stig_id": "O121-BP-021900", - "fix_id": "F-67341r1_fix", + "gtitle": "SRG-APP-000264-DB-000136", + "gid": "V-61545", + "rid": "SV-76035r5_rule", + "stig_id": "O121-C1-019700", + "fix_id": "F-67461r1_fix", "cci": [ - "CCI-000366" + "CCI-002421" ], "nist": [ - "CM-6 b", + "SC-8 (1)", "Rev_4" ], "false_negatives": null, 
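Review bot: The new control body for V-61589 sets `tag "nist"` twice in a row — `['CM-6 b', 'Rev_4']` and then `['AC-5 c', 'Rev_4']`; InSpec tags are a hash, so the second assignment silently overwrites the first, which is why the exported JSON lists only `AC-5 c` even though the CCI list still carries CCI-000366 (the CM-6 b mapping). Either drop the stale line or merge them into a single `tag "nist": ['CM-6 b', 'AC-5 c', 'Rev_4']` so the CCI-to-NIST mapping stays consistent with the tags above it. Separately, the allow-list is read from the bare constant `USERS_ALLOWED_ACCESS_TO_DICTIONARY_TABLE` while every other value in the control comes from `input(...)`; if that constant is not defined at profile level the control errors instead of failing, so `input('users_allowed_access_to_dictionary_table')` would be the consistent form — confirm against the profile's declared inputs. Be aware the grantee list from `dba_tab_privs` will typically include roles such as PUBLIC and catalog roles, so the allow-list needs role names as well as users, and this query does not surface holders of the `SELECT ANY DICTIONARY` system privilege — the STIG check text only asks for this query, so that is a scope caveat worth a comment rather than a defect.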
@@ -341,75 +346,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_authent';\n\n If the value returned does not equal FALSE, this is a finding.", - "fix": "Document remote OS authentication in the System Security Plan.\n\n If not required or not mitigated to an acceptable level, disable remote OS\n authentication.\n\n From SQL*Plus:\n\n alter system set remote_os_authent = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." + "check": "Check DBMS settings to determine whether cryptographic\n mechanisms are used to prevent the unauthorized disclosure of information\n during transmission. Determine whether physical measures are being used instead\n of cryptographic mechanisms. If neither cryptographic nor physical measures are\n being utilized, this is a finding.\n\n To check that network encryption is enabled and using site-specified encryption\n procedures, look in SQLNET.ORA located at\n $ORACLE_HOME/network/admin/sqlnet.ora. (Note: This assumes that a single\n sqlnet.ora file, in the default location, is in use. Please see the\n supplemental file \"Non-default sqlnet.ora configurations.pdf\" for how to find\n multiple and/or differently located sqlnet.ora files.) 
If encryption is set,\n entries like the following will be present:\n\n SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA384)\n SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA384)\n SQLNET.ENCRYPTION_TYPES_CLIENT= (AES256)\n\n SQLNET.ENCRYPTION_TYPES_SERVER= (AES256)\n SQLNET.CRYPTO_CHECKSUM_CLIENT = requested\n SQLNET.CRYPTO_CHECKSUM_SERVER = required\n\n (The values assigned to the parameters may be different, the combination of\n parameters may be different, and not all of the example parameters will\n necessarily exist in the file.)", + "fix": "Configure DBMS and/or operating system to use cryptographic\n mechanisms to prevent unauthorized disclosure of information during\n transmission where physical measures are not being utilized." }, - "code": "control 'V-61425' do\n title 'The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE.'\n desc \"Setting this value to TRUE allows operating system authentication over\n an unsecured connection. Trusting remote operating systems can allow a user to\n impersonate another operating system user and connect to the database without\n having to supply a password. 
If REMOTE_OS_AUTHENT is set to true, the only\n information a remote user needs to connect to the database is the name of any\n user whose account is setup to be authenticated by the operating system.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61425'\n tag \"rid\": 'SV-75915r1_rule'\n tag \"stig_id\": 'O121-BP-021900'\n tag \"fix_id\": 'F-67341r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_authent';\n\n If the value returned does not equal FALSE, this is a finding.\"\n tag \"fix\": \"Document remote OS authentication in the System Security Plan.\n\n If not required or not mitigated to an acceptable level, disable remote OS\n authentication.\n\n From SQL*Plus:\n\n alter system set remote_os_authent = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = 'remote_os_authent';\").column('value')\n\n describe 'The oracle database REMOTE_OS_AUTHENT parameter' do\n subject { parameter }\n it { should cmp 'FALSE' }\n end\nend\n", - "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61425.rb", - "line": 1 - }, - "id": "V-61425" - }, - { - "title": "The DBMS must support organizational requirements to enforce password\n complexity by the number of numeric 
characters used.", - "desc": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", - "descriptions": { - "default": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." 
- }, - "impact": 0.5, - "refs": [ - { - "ref": [] - } - ], - "tags": { - "gtitle": "SRG-APP-000168-DB-000072", - "gid": "V-61727", - "rid": "SV-76217r1_rule", - "stig_id": "O121-C2-014300", - "fix_id": "F-67643r1_fix", - "cci": [ - "CCI-000194" - ], - "nist": [ - "IA-5 (1) (a)", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null, - "check": "If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of numeric\n characters (1 unless otherwise specified), this is a finding.", - "fix": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user accounts are managed by Oracle: Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. 
This can be used as the starting point\n for a customized function.)" - }, - "code": "control 'V-61727' do\n title \"The DBMS must support organizational requirements to enforce password\n complexity by the number of numeric characters used.\"\n desc \"Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000168-DB-000072'\n tag \"gid\": 'V-61727'\n tag \"rid\": 'SV-76217r1_rule'\n tag \"stig_id\": 'O121-C2-014300'\n tag \"fix_id\": 'F-67643r1_fix'\n tag \"cci\": ['CCI-000194']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password 
verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of numeric\n characters (1 unless otherwise specified), this is a finding.\"\n tag \"fix\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user accounts are managed by Oracle: Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. 
This can be used as the starting point\n for a customized function.)\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_verify_function = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database account password verify function for profile: #{profile}\" do\n subject { password_verify_function }\n it { should_not eq ['NULL'] }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", + "code": " control 'V-61545' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61727.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61545.rb", "line": 1 }, - "id": "V-61727" + "id": "V-61545" }, { - "title": "Application object owner accounts must be disabled when not performing\n installation or maintenance actions.", - "desc": "Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. 
In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. To help protect the account, it must be enabled only when access is\n required.", + "title": "The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.", + "desc": "Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. The default value of FALSE causes roles to be identified\n and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection.", "descriptions": { - "default": "Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. To help protect the account, it must be enabled only when access is\n required." + "default": "Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. The default value of FALSE causes roles to be identified\n and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection." 
 },
- "impact": 0,
+ "impact": 0.7,
 "refs": [],
 "tags": {
 "gtitle": "SRG-APP-000516-DB-999900",
- "gid": "V-61467",
- "rid": "SV-75957r4_rule",
- "stig_id": "O121-BP-024000",
- "fix_id": "F-67383r1_fix",
+ "gid": "V-61427",
+ "rid": "SV-75917r1_rule",
+ "stig_id": "O121-BP-022000",
+ "fix_id": "F-67343r1_fix",
 "cci": [
 "CCI-000366"
 ],
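Review bot: The replacement body for V-61545 sets `impact 0.0` and skips with the rationale that AWS manages the operating system, but this rule is about encrypting data in transit (SC-8 (1), a CAT I `O121-C1-` rule), not an OS setting: the tenant cannot edit sqlnet.ora on RDS, yet as far as I know whether native network encryption or SSL is enabled is still the tenant's choice through the instance's option group, so an automatic N/A lets an unencrypted instance pass the baseline silently. At minimum the skip text should say the control needs manual verification rather than assert inapplicability, e.g. `skip 'V-61545: network encryption on RDS Oracle is set via the option group, not sqlnet.ora; verify it manually'`. Better, keep the declared severity and check from inside the database by reading the current session's `NETWORK_SERVICE_BANNER` rows from `V$SESSION_CONNECT_INFO` and asserting one reports an encryption service — confirm the exact banner wording on an RDS instance before pinning it, and note this proves only that the scanner's own session was encrypted, not that encryption is required for every client. The identical "aws manages the operating system" rationale appears on every skipped control in this file, which suggests it was applied as a template rather than judged per rule.
```ruby
control 'V-61545' do
  # … unchanged: title/desc/tags …
  impact 0.7 # CAT I rule; confirm against the upstream profile's value
  sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))
  # Banner rows for this session list the encryption/checksum services negotiated for the connection.
  banners = sql.query("SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV','SID');").column('network_service_banner')
  describe 'Oracle network encryption negotiated for the scanning session' do
    subject { banners.join(' ') }
    it { should match(/Encryption service/i) }
  end
end
```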
@@ -427,30 +387,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the SQL query:\n\n select distinct o.owner from dba_objects o, dba_users u\n where o.owner not in\n (\n \n )\n and o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n To obtain a list of users assigned DBA privileges, run the query:\n\n select grantee from dba_role_privs where granted_role = 'DBA';\n\n If any records are returned, then verify the account is an authorized\n application object owner account or a default account installed to support an\n Oracle product.\n\n Verify that any objects owned by custom DBA accounts are for the personal use\n of that DBA.\n\n If any objects are used to support applications or any functions other than DBA\n functions, this is a finding.\n\n Any unauthorized object owner accounts are not a finding under this check as\n they are noted as findings under check O121-C2-011000.\n\n Any other accounts listed are a finding.", - "fix": "Disable any application object owner accounts.\n\n From SQL*Plus:\n alter user [username] account lock;\n\n Enable application object owner accounts only for installation and maintenance.\n\n DBAs are special purpose accounts and do not require disabling although they\n may own objects.\n\n For application objects that require routine maintenance, e.g. index objects,\n to maintain performance, consider allowing a special purpose account to own the\n index or enable the application owner account for the duration of the routine\n maintenance function only." 
+ "check": "From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_roles';\n\n If the returned value is not FALSE or not documented in the System Security\n Plan as required, this is a finding.", + "fix": "Document remote OS roles in the System Security Plan.\n\n If not required, disable use of remote OS roles.\n\n From SQL*Plus:\n\n alter system set remote_os_roles = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup." }, - "code": "control 'V-61467' do\n title \"Application object owner accounts must be disabled when not performing\n installation or maintenance actions.\"\n desc \"Object ownership provides all database object permissions to the owned\n object. Access to the application object owner accounts requires special\n protection to prevent unauthorized access and use of the object ownership\n privileges. In addition to the high privileges to application objects assigned\n to this account, it is also an account that, by definition, is not accessed\n interactively except for application installation and maintenance. This reduced\n access to the account means that unauthorized access to the account could go\n undetected. 
To help protect the account, it must be enabled only when access is\n required.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61467'\n tag \"rid\": 'SV-75957r4_rule'\n tag \"stig_id\": 'O121-BP-024000'\n tag \"fix_id\": 'F-67383r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the SQL query:\n\n select distinct o.owner from dba_objects o, dba_users u\n where o.owner not in\n (\n \n )\n and o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n To obtain a list of users assigned DBA privileges, run the query:\n\n select grantee from dba_role_privs where granted_role = 'DBA';\n\n If any records are returned, then verify the account is an authorized\n application object owner account or a default account installed to support an\n Oracle product.\n\n Verify that any objects owned by custom DBA accounts are for the personal use\n of that DBA.\n\n If any objects are used to support applications or any functions other than DBA\n functions, this is a finding.\n\n Any unauthorized object owner accounts are not a finding under this check as\n they are noted as findings under check O121-C2-011000.\n\n Any other accounts listed are a finding.\"\n tag \"fix\": \"Disable any application object owner accounts.\n\n From SQL*Plus:\n 
alter user [username] account lock;\n\n Enable application object owner accounts only for installation and maintenance.\n\n DBAs are special purpose accounts and do not require disabling although they\n may own objects.\n\n For application objects that require routine maintenance, e.g. index objects,\n to maintain performance, consider allowing a special purpose account to own the\n index or enable the application owner account for the duration of the routine\n maintenance function only.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n dba_users = sql.query(\"select grantee from dba_sys_privs\n where admin_option = 'YES' and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA');\").column('grantee').uniq\n if dba_users.empty?\n impact 0.0\n describe 'There are no oracle DBA users, control N/A' do\n skip 'There are no oracle DBA users, control N/A'\n end\n else\n dba_users.each do |user|\n describe \"oracle DBA users: #{user}\" do\n subject { user }\n it { should be_in input('allowed_dbadmin_users') }\n end\n end\n end\n\n unlocked_accounts = sql.query(\"select distinct o.owner from dba_objects o, dba_users u\n where\n o.object_type <> 'SYNONYM'\n and o.owner = username\n and upper(account_status) not like '%LOCKED%';\").column('owner').uniq\n if unlocked_accounts.empty?\n impact 0.0\n describe 'There are no unlocked oracle accounts, control N/A' do\n skip 'There are no unlocked oracle accounts, control N/A'\n end\n else\n unlocked_accounts.each do |user|\n describe \"oracle user: #{user}\" do\n subject { user }\n it { should be_in input('allowed_unlocked_oracledb_accounts') }\n end\n end\n end\nend\n", + "code": "control 'V-61427' do\n title 'The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.'\n desc \"Setting REMOTE_OS_ROLES to TRUE allows operating system groups to\n control Oracle roles. 
The default value of FALSE causes roles to be identified\n and managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user\n could impersonate another operating system user over a network connection.\"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61427'\n tag \"rid\": 'SV-75917r1_rule'\n tag \"stig_id\": 'O121-BP-022000'\n tag \"fix_id\": 'F-67343r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select value from v$parameter where name = 'remote_os_roles';\n\n If the returned value is not FALSE or not documented in the System Security\n Plan as required, this is a finding.\"\n tag \"fix\": \"Document remote OS roles in the System Security Plan.\n\n If not required, disable use of remote OS roles.\n\n From SQL*Plus:\n\n alter system set remote_os_roles = FALSE scope = spfile;\n\n The above SQL*Plus command will set the parameter to take effect at next system\n startup.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n parameter = sql.query(\"select value from v$parameter where name = 'remote_os_roles';\").column('value')\n\n describe 'The oracle database REMOTE_OS_ROLES parameter' do\n subject { parameter }\n it { should cmp 'FALSE' }\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61467.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61427.rb", "line": 1 }, - "id": "V-61467" + "id": "V-61427" }, { - "title": 
"Application owner accounts must have a dedicated application\n tablespace.", - "desc": "Separation of tablespaces by application helps to protect the\n application from resource contention and unauthorized access that could result\n from storage space reuses or host system access controls. Application data must\n be stored separately from system and custom user-defined objects to facilitate\n administration and management of its data storage. The SYSTEM tablespace must\n never be used for application data storage in order to prevent resource\n contention and performance degradation.", + "title": "Oracle instance names must not contain Oracle version numbers.", + "desc": "Service names may be discovered by unauthenticated users. If the\n service name includes version numbers or other database product information, a\n malicious user may use that information to develop a targeted attack.", "descriptions": { - "default": "Separation of tablespaces by application helps to protect the\n application from resource contention and unauthorized access that could result\n from storage space reuses or host system access controls. Application data must\n be stored separately from system and custom user-defined objects to facilitate\n administration and management of its data storage. The SYSTEM tablespace must\n never be used for application data storage in order to prevent resource\n contention and performance degradation." + "default": "Service names may be discovered by unauthenticated users. If the\n service name includes version numbers or other database product information, a\n malicious user may use that information to develop a targeted attack." 
},
- "impact": 0,
+ "impact": 0.5,
 "refs": [],
 "tags": {
 "gtitle": "SRG-APP-000516-DB-999900",
- "gid": "V-61461",
- "rid": "SV-75951r3_rule",
- "stig_id": "O121-BP-023700",
- "fix_id": "F-67377r1_fix",
+ "gid": "V-61413",
+ "rid": "SV-75903r1_rule",
+ "stig_id": "O121-BP-021300",
+ "fix_id": "F-67329r1_fix",
 "cci": [
 "CCI-000366"
 ],
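Review bot: The new side of this hunk replaces the whole V-61467 record with the V-61427 record — title, desc, tags, `code`, `source_location.ref` and `id` all move together — which reads as a reordering of the `controls` array rather than a change to either control; the hunks at `@@ -468,35 +428,35 @@` (V-61461 → V-61413) and `@@ -509,35 +469,35 @@` (V-61819 → V-61659) show the same pattern. A reviewer cannot tell from this diff whether any control's check or fix actually changed, so the ingestion step should write `controls` in a stable order (for example sorted by `id`) so that only real changes appear in the diff. In the V-61427 code, `parameter` is the full `value` column, so the subject is an array and the assertion relies on `cmp` unwrapping a one-element array; `parameter = sql.query("select value from v$parameter where name = 'remote_os_roles';").column('value').first` makes the single-value intent explicit and turns an empty result into a clear nil comparison. The JSON object for V-61427 begins before this hunk.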
@@ -468,35 +428,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run the SQL query:\n\n select distinct owner, tablespace_name\n from dba_SEGMENTS\n where owner not in\n ()\n order by tablespace_name;\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n Review the list of returned table owners with the tablespace used.\n\n If any of the owners listed are not default Oracle accounts and use the SYSTEM\n or any other tablespace not dedicated for the application’s use, this is a\n finding.\n\n Look for multiple applications that may share a tablespace.\n\n If no records were returned, ask the DBA if any applications use this database.\n\n If no applications use the database, this is not a finding.\n\n If there are applications that do use the database or if the application uses\n the SYS or other default account and SYSTEM tablespace to store its objects,\n this is a finding.", - "fix": "Create and assign dedicated tablespaces for the storage of data\n by each application using the CREATE TABLESPACE command." + "check": "From SQL*Plus:\n\n select instance_name from v$instance;\n select version from v$instance;\n\n If the instance name returned references the Oracle release number, this is a\n finding.\n\n Numbers used that include version numbers by coincidence are not a finding.\n\n The DBA should be able to relate the significance of the presence of a digit in\n the SID.", + "fix": "Follow the instructions in Oracle MetaLink Note 15390.1 (and\n related documents) to change the SID for the database without re-creating the\n database to a value that does not identify the Oracle version." 
}, - "code": "control 'V-61461' do\n title \"Application owner accounts must have a dedicated application\n tablespace.\"\n desc \"Separation of tablespaces by application helps to protect the\n application from resource contention and unauthorized access that could result\n from storage space reuses or host system access controls. Application data must\n be stored separately from system and custom user-defined objects to facilitate\n administration and management of its data storage. The SYSTEM tablespace must\n never be used for application data storage in order to prevent resource\n contention and performance degradation.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61461'\n tag \"rid\": 'SV-75951r3_rule'\n tag \"stig_id\": 'O121-BP-023700'\n tag \"fix_id\": 'F-67377r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Run the SQL query:\n\n select distinct owner, tablespace_name\n from dba_SEGMENTS\n where owner not in\n ()\n order by tablespace_name;\n\n (With respect to the list of special accounts that are excluded from this\n requirement, it is expected that the DBA will maintain the list to suit local\n circumstances, adding special accounts as necessary and removing any that are\n not supposed to be in use in the Oracle deployment that is under review.)\n\n Review the list of returned table owners with the tablespace used.\n\n If any of the owners listed are not default Oracle accounts and use the SYSTEM\n or any other tablespace not dedicated for the application’s use, this is a\n finding.\n\n Look for multiple applications that may share a tablespace.\n\n If no 
records were returned, ask the DBA if any applications use this database.\n\n If no applications use the database, this is not a finding.\n\n If there are applications that do use the database or if the application uses\n the SYS or other default account and SYSTEM tablespace to store its objects,\n this is a finding.\"\n tag \"fix\": \"Create and assign dedicated tablespaces for the storage of data\n by each application using the CREATE TABLESPACE command.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n application_owners = sql.query(\"select distinct owner\n from dba_SEGMENTS;\").column('owner').uniq\n if application_owners.empty?\n impact 0.0\n describe 'There are no oracle db application owners, therefore control N/A' do\n skip 'There are no oracle db application owners, therefore control N/A'\n end\n else\n application_owners.each do |user|\n describe \"oracle db application owners: #{user}\" do\n subject { user }\n it { should be_in input('allowed_application_owners') }\n end\n end\n end\nend\n", + "code": "control 'V-61413' do\n title 'Oracle instance names must not contain Oracle version numbers.'\n desc \"Service names may be discovered by unauthenticated users. 
If the\n service name includes version numbers or other database product information, a\n malicious user may use that information to develop a targeted attack.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61413'\n tag \"rid\": 'SV-75903r1_rule'\n tag \"stig_id\": 'O121-BP-021300'\n tag \"fix_id\": 'F-67329r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select instance_name from v$instance;\n select version from v$instance;\n\n If the instance name returned references the Oracle release number, this is a\n finding.\n\n Numbers used that include version numbers by coincidence are not a finding.\n\n The DBA should be able to relate the significance of the presence of a digit in\n the SID.\"\n tag \"fix\": \"Follow the instructions in Oracle MetaLink Note 15390.1 (and\n related documents) to change the SID for the database without re-creating the\n database to a value that does not identify the Oracle version.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n version = sql.query('select version from v$instance;').column('version')\n db_instance_name = sql.query('select instance_name from v$instance;').column('instance_name')\n\n describe 'The oracle database instance name' do\n subject { db_instance_name }\n it { should_not include version.to_s }\n end\n\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61461.rb", + "ref": 
"/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61413.rb", "line": 1 }, - "id": "V-61461" + "id": "V-61413" }, { - "title": "The DBMS must limit the use of resources by priority and not impede\n the host from servicing processes designated as a higher-priority.", - "desc": "Priority protection helps prevent a lower-priority process from\n delaying or interfering with the information system servicing any\n higher-priority process. This control does not apply to components in the\n information system for which there is only a single user/role. The application\n must limit the use of resources by priority.\n\n The DBMS is often running queries for multiple users. If lower-priority\n processes are utilizing a disproportionately high amount of database resources,\n this can severely impact higher-priority processes.", + "title": "The system must protect audit tools from unauthorized access.", + "desc": "Protecting audit data also includes identifying and protecting the\n tools used to view and manipulate log data.\n\n Depending upon the log format and application, system and application log\n tools may provide the only means to manipulate and manage application and\n system log data. It is, therefore, imperative that access to audit tools be\n controlled and protected from unauthorized access.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and the\n corresponding rights the user enjoys in order make access decisions regarding\n the access to audit tools.\n\n Audit tools include, but are not limited to, OS-provided audit tools,\n vendor-provided audit tools, and open source audit tools needed to successfully\n view and manipulate audit information system activity and records.\n\n If an attacker were to gain access to audit tools, he could analyze audit\n logs for system weaknesses or weaknesses in the auditing itself. 
An attacker\n could also manipulate logs to hide evidence of malicious activity.", "descriptions": { - "default": "Priority protection helps prevent a lower-priority process from\n delaying or interfering with the information system servicing any\n higher-priority process. This control does not apply to components in the\n information system for which there is only a single user/role. The application\n must limit the use of resources by priority.\n\n The DBMS is often running queries for multiple users. If lower-priority\n processes are utilizing a disproportionately high amount of database resources,\n this can severely impact higher-priority processes." + "default": "Protecting audit data also includes identifying and protecting the\n tools used to view and manipulate log data.\n\n Depending upon the log format and application, system and application log\n tools may provide the only means to manipulate and manage application and\n system log data. It is, therefore, imperative that access to audit tools be\n controlled and protected from unauthorized access.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and the\n corresponding rights the user enjoys in order make access decisions regarding\n the access to audit tools.\n\n Audit tools include, but are not limited to, OS-provided audit tools,\n vendor-provided audit tools, and open source audit tools needed to successfully\n view and manipulate audit information system activity and records.\n\n If an attacker were to gain access to audit tools, he could analyze audit\n logs for system weaknesses or weaknesses in the auditing itself. An attacker\n could also manipulate logs to hide evidence of malicious activity." 
},
- "impact": 0.3,
+ "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000248-DB-000135",
- "gid": "V-61819",
- "rid": "SV-76309r2_rule",
- "stig_id": "O121-C3-019400",
- "fix_id": "F-67735r5_fix",
+ "gtitle": "SRG-APP-000121-DB-000202",
+ "gid": "V-61659",
+ "rid": "SV-76149r1_rule",
+ "stig_id": "O121-C2-009600",
+ "fix_id": "F-67573r1_fix",
 "cci": [
- "CCI-002394"
+ "CCI-001493"
 ],
 "nist": [
- "SC-6",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
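Review bot: The V-61413 check in the new `code` string is vacuous: `version` and `db_instance_name` are both column arrays, so `it { should_not include version.to_s }` asks whether the instance-name array contains the string form of the version array (something like `["12.1.0.2.0"]`), which can never be true, and the control passes even when the SID embeds the release number. The comparison needs to be a substring test on scalars, e.g. `subject { db_instance_name.first.to_s }` with `it { should_not include version.first.to_s.split('.').first }`, noting that the STIG leaves "references the Oracle release number" to DBA judgement, so the major version is a reasonable first cut and the pattern may need tightening. Separately, the new `"impact": 0` for V-61659 on the last line of this hunk disagrees with that control's own `code` in the following hunk, which declares `impact 0.5`; the same artifact appears on the old side for V-61467 and V-61461 (JSON `0`, code `0.5`), and each of those controls has an N/A branch that executes `impact 0.0`, so the export presumably evaluated that branch against a backend returning no rows and the static declaration should be preferred. The JSON object for V-61659 starts in this hunk and continues into the next one.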
@@ -509,35 +469,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review DBMS settings and documentation to determine if the DBMS\n restricts resource usage by priority.\n\n If the DBMS does not restrict resource usage by priority, this is a finding.\n\n - - - - -\n This capability is available in Oracle at both the user and database level.\n\n At the user level, we create resource profiles for users of the database.\n\n Resource Parameters\n SESSIONS_PER_USER - Specify the number of concurrent sessions to which to limit\n the user.\n CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in\n hundredths of seconds.\n CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or\n fetch), expressed in hundredths of seconds.\n CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in\n minutes.\n IDLE_TIME - Specify the permitted periods of continuous inactive time during a\n session, expressed in minutes. 
Long-running queries and other operations are\n not subject to this limit.\n LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in\n a session, including blocks read from memory and disk.\n LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a\n call to process a SQL statement (a parse, execute, or fetch).\n PRIVATE_SGA - Specify the amount of private space a session can allocate in the\n shared pool of the system global area (SGA).\n COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in\n service units.\n\n To check the resource controls assigned to a user, query the DBA_PROFILES and\n DBA_USERS tables in the following manner.\n\n set linesize 121\n col username format a20\n col profile format a20\n col resource_name format a25\n col resource_type format a14\n col limit format a10\n select a.username,\n a.profile,\n b.resource_name,\n b.limit\n from dba_users a,\n dba_profiles b\n where b.resource_type is not null and\n a.profile = b.profile order by username;\n\n The output should look like the output below and display the users and the\n contents of their profiles.\n\n USERNAME PROFILE RESOURCE NAME LIMIT\n -------- ------- ------------- -----\n SCOTT DEFAULT SESSIONS_PER_USER UNLIMITED\n SCOTT DEFAULT CPU_PER_SESSION UNLIMITED", - "fix": "Implement measures to restrict the usage of resources by priority.\n\n - - - - -\n To implement security at the user level, assign users a profile that limits\n their resources:\n\n The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle\n 12.1.0.2) to satisfy the STIG requirements pertaining to the profile\n parameters. Oracle recommends that this profile be customized with any\n site-specific requirements and assigned to all users where applicable. 
Note:\n It remains necessary to create a customized replacement for the password\n validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this\n technique to verify password complexity.\n\n Example\n\n $ sqlplus connect as sysdba\n\n ALTER PROFILE ORA_STIG_PROFILE LIMIT\n SESSIONS_PER_USER 1\n IDLE_TIME 30\n CPU_PER_SESSION 100\n CPU_PER_CALL 100\n CONNECT_TIME 600;" + "check": "Review access permissions to tools used to view or modify audit\n log data. These tools may include the DBMS itself or tools external to the\n database.\n\n If appropriate permissions and access controls to prevent unauthorized access\n are not applied to these tools, this is a finding.", + "fix": "Add or modify access controls and permissions to tools used to\n view or modify audit log data. Tools must be accessible by authorized personnel\n only." }, - "code": "control 'V-61819' do\n title \"The DBMS must limit the use of resources by priority and not impede\n the host from servicing processes designated as a higher-priority.\"\n desc \"Priority protection helps prevent a lower-priority process from\n delaying or interfering with the information system servicing any\n higher-priority process. This control does not apply to components in the\n information system for which there is only a single user/role. The application\n must limit the use of resources by priority.\n\n The DBMS is often running queries for multiple users. 
If lower-priority\n processes are utilizing a disproportionately high amount of database resources,\n this can severely impact higher-priority processes.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000248-DB-000135'\n tag \"gid\": 'V-61819'\n tag \"rid\": 'SV-76309r2_rule'\n tag \"stig_id\": 'O121-C3-019400'\n tag \"fix_id\": 'F-67735r5_fix'\n tag \"cci\": ['CCI-002394']\n tag \"nist\": ['SC-6', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings and documentation to determine if the DBMS\n restricts resource usage by priority.\n\n If the DBMS does not restrict resource usage by priority, this is a finding.\n\n - - - - -\n This capability is available in Oracle at both the user and database level.\n\n At the user level, we create resource profiles for users of the database.\n\n Resource Parameters\n SESSIONS_PER_USER - Specify the number of concurrent sessions to which to limit\n the user.\n CPU_PER_SESSION - Specify the CPU time limit for a session, expressed in\n hundredths of seconds.\n CPU_PER_CALL - Specify the CPU time limit for a call (a parse, execute, or\n fetch), expressed in hundredths of seconds.\n CONNECT_TIME - Specify the total elapsed time limit for a session, expressed in\n minutes.\n IDLE_TIME - Specify the permitted periods of continuous inactive time during a\n session, expressed in minutes. 
Long-running queries and other operations are\n not subject to this limit.\n LOGICAL_READS_PER_SESSION - Specify the permitted number of data blocks read in\n a session, including blocks read from memory and disk.\n LOGICAL_READS_PER_CALL - Specify the permitted number of data blocks read for a\n call to process a SQL statement (a parse, execute, or fetch).\n PRIVATE_SGA - Specify the amount of private space a session can allocate in the\n shared pool of the system global area (SGA).\n COMPOSITE_LIMIT - Specify the total resource cost for a session, expressed in\n service units.\n\n To check the resource controls assigned to a user, query the DBA_PROFILES and\n DBA_USERS tables in the following manner.\n\n set linesize 121\n col username format a20\n col profile format a20\n col resource_name format a25\n col resource_type format a14\n col limit format a10\n select a.username,\n a.profile,\n b.resource_name,\n b.limit\n from dba_users a,\n dba_profiles b\n where b.resource_type is not null and\n a.profile = b.profile order by username;\n\n The output should look like the output below and display the users and the\n contents of their profiles.\n\n USERNAME PROFILE RESOURCE NAME LIMIT\n -------- ------- ------------- -----\n SCOTT DEFAULT SESSIONS_PER_USER UNLIMITED\n SCOTT DEFAULT CPU_PER_SESSION UNLIMITED\"\n tag \"fix\": \"Implement measures to restrict the usage of resources by priority.\n\n - - - - -\n To implement security at the user level, assign users a profile that limits\n their resources:\n\n The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle\n 12.1.0.2) to satisfy the STIG requirements pertaining to the profile\n parameters. Oracle recommends that this profile be customized with any\n site-specific requirements and assigned to all users where applicable. 
Note:\n It remains necessary to create a customized replacement for the password\n validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this\n technique to verify password complexity.\n\n Example\n\n $ sqlplus connect as sysdba\n\n ALTER PROFILE ORA_STIG_PROFILE LIMIT\n SESSIONS_PER_USER 1\n IDLE_TIME 30\n CPU_PER_SESSION 100\n CPU_PER_CALL 100\n CONNECT_TIME 600;\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n limit = sql.query(\"select\n DISTINCT b.limit\n from dba_users a,\n dba_profiles b\n where b.resource_type is not null and\n a.profile = b.profile;\").column('limit')\n\n describe 'The oracle database user limit' do\n subject { limit }\n it { should_not include 'UNLIMITED' }\n end\nend\n", + "code": "control 'V-61659' do\n title 'The system must protect audit tools from unauthorized access.'\n desc \"Protecting audit data also includes identifying and protecting the\n tools used to view and manipulate log data.\n\n Depending upon the log format and application, system and application log\n tools may provide the only means to manipulate and manage application and\n system log data. It is, therefore, imperative that access to audit tools be\n controlled and protected from unauthorized access.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and the\n corresponding rights the user enjoys in order make access decisions regarding\n the access to audit tools.\n\n Audit tools include, but are not limited to, OS-provided audit tools,\n vendor-provided audit tools, and open source audit tools needed to successfully\n view and manipulate audit information system activity and records.\n\n If an attacker were to gain access to audit tools, he could analyze audit\n logs for system weaknesses or weaknesses in the auditing itself. 
An attacker\n could also manipulate logs to hide evidence of malicious activity.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000121-DB-000202'\n tag \"gid\": 'V-61659'\n tag \"rid\": 'SV-76149r1_rule'\n tag \"stig_id\": 'O121-C2-009600'\n tag \"fix_id\": 'F-67573r1_fix'\n tag \"cci\": ['CCI-001493']\n tag \"nist\": ['AU-9', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review access permissions to tools used to view or modify audit\n log data. These tools may include the DBMS itself or tools external to the\n database.\n\n If appropriate permissions and access controls to prevent unauthorized access\n are not applied to these tools, this is a finding.\"\n tag \"fix\": \"Add or modify access controls and permissions to tools used to\n view or modify audit log data. 
Tools must be accessible by authorized personnel\n only.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n users_allowed_access_to_audit_info = sql.query(\"SELECT GRANTEE, TABLE_NAME, PRIVILEGE\n FROM DBA_TAB_PRIVS where owner='AUDSYS';\").column('grantee').uniq\n if users_allowed_access_to_audit_info.empty?\n impact 0.0\n describe 'There are no oracle users allowed access to audit information, control N/A' do\n skip 'There are no oracle users allowed access to audit information'\n end\n else\n users_allowed_access_to_audit_info.each do |user|\n describe \"oracle users: #{user} allowed access to audit information\" do\n subject { user }\n it { should be_in input('allowed_audit_users') }\n end\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61819.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61659.rb", "line": 1 }, - "id": "V-61819" + "id": "V-61659" }, { - "title": "The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.", - "desc": "Non-repudiation of actions taken is required in order to maintain\n application integrity. Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. 
Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", + "title": "Sensitive data stored in the database must be identified in the System\n Security Plan and AIS Functional Architecture documentation.", + "desc": "A DBMS that does not have the correct confidentiality level identified\n or any confidentiality level assigned is not being secured at a level\n appropriate to the risk it poses.", "descriptions": { - "default": "Non-repudiation of actions taken is required in order to maintain\n application integrity. 
Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered." + "default": "A DBMS that does not have the correct confidentiality level identified\n or any confidentiality level assigned is not being secured at a level\n appropriate to the risk it poses." 
}, - "impact": 0.3, + "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000080-DB-000063", - "gid": "V-61887", - "rid": "SV-76377r2_rule", - "stig_id": "O121-P3-006200", - "fix_id": "F-67803r2_fix", + "gtitle": "SRG-APP-000516-DB-999900", + "gid": "V-61503", + "rid": "SV-75993r1_rule", + "stig_id": "O121-BP-024900", + "fix_id": "F-67419r1_fix", "cci": [ - "CCI-000166" + "CCI-000366" ], "nist": [ - "AU-10", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -550,35 +510,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. 
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \"TRUE\", this is not a finding.", - "fix": "Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \"Auditing Database Activity\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \"Monitoring Database Activity with Auditing\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \"DBMS_AUDIT_MGMT\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements." 
+ "check": "If no sensitive or classified data is stored in the database,\n listed in the System Security Plan and listed in the AIS Functional\n Architecture documentation, this check is not a finding.\n\n Review AIS Functional Architecture documentation for the DBMS and note any\n sensitive data that is identified.\n\n Review database table column data or descriptions that indicate sensitive data.\n\n For example, a data column labeled \"SSN\" could indicate social security\n numbers are stored in the column.\n\n Question the ISSO or DBA where any questions arise.\n\n General categories of sensitive data requiring identification include any\n personal data (health, financial, social security number and date of birth),\n proprietary or financially sensitive business data or data that might be\n classified.\n\n If any data is considered sensitive and is not documented in the AISFA, this is\n a finding.", + "fix": "Include identification of any sensitive data in the AIS\n Functional Architecture and the System Security Plan.\n\n Include data that appear to be sensitive with a discussion as to why it is not\n marked as such." }, - "code": "control 'V-61887' do\n title \"The DBMS must protect against an individual who uses a shared account\n falsely denying having performed a particular action.\"\n desc \"Non-repudiation of actions taken is required in order to maintain\n application integrity. 
Examples of particular actions taken by individuals\n include creating information, sending a message, approving information (e.g.,\n indicating concurrence or signing a contract), and receiving a message.\n\n Non-repudiation protects individuals against later claims by an author of\n not having authored a particular document, a sender of not having transmitted a\n message, a receiver of not having received a message, or a signatory of not\n having signed a document.\n\n Authentication via shared accounts does not provide individual\n accountability for actions taken on the DBMS or data. Whenever a single\n database account is used to connect to the database, a secondary authentication\n method that provides individual accountability is required. This scenario most\n frequently occurs when an externally hosted application authenticates\n individual users to the application and the application uses a single account\n to retrieve or update database information on behalf of the individual users.\n\n When shared accounts are utilized without another means of identifying\n individual users, users may deny having performed a particular action.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. 
At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-APP-000080-DB-000063'\n tag \"gid\": 'V-61887'\n tag \"rid\": 'SV-76377r2_rule'\n tag \"stig_id\": 'O121-P3-006200'\n tag \"fix_id\": 'F-67803r2_fix'\n tag \"cci\": ['CCI-000166']\n tag \"nist\": ['AU-10', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If there are no shared accounts available to more than one\n user, this is not a finding.\n\n If a shared account is used by an application to interact with the database,\n review the System Security Plan, the tables in the database, and the\n application source code/documentation to determine whether the application\n captures the individual user's identity and stores that identity along with all\n data inserted and updated (also with all records of reads and/or deletions, if\n these are required to be logged).\n\n If there are gaps in the application's ability to do this, and the gaps and the\n risk are not defined in the system documentation and accepted by the AO, this\n is a finding.\n\n If users are sharing a group account to log on to Oracle tools or third-party\n products that access the database, this is a finding.\n\n If Standard Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. 
To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SHOW PARAMETER AUDIT_TRAIL\n or the following SQL query:\n SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';\n If Oracle returns the value 'NONE', this is a finding.\n\n If Unified Auditing is used:\n To ensure that user activities other than SELECT, INSERT, UPDATE, and DELETE\n are also monitored and attributed to individuals, verify that Oracle auditing\n is enabled. To see if Oracle is configured to capture audit data, enter the\n following SQL*Plus command:\n SELECT * FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\n If Oracle returns the value \\\"TRUE\\\", this is not a finding.\"\n tag \"fix\": \"Use accounts assigned to individual users where feasible.\n Configure DBMS to provide individual accountability at the DBMS level, and in\n audit logs, for actions performed under a shared database account.\n\n Modify applications and data tables that are not capturing individual user\n identity to do so.\n\n Create and enforce the use of individual user IDs for logging on to Oracle\n tools and third-party products.\n\n If Oracle auditing is not already enabled, enable it.\n\n If Standard Auditing is used:\n If Oracle (or third-party) auditing is not already enabled, enable it. For\n Oracle auditing, use this query:\n ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;\n Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.\n After executing this statement, it may be necessary to shut down and restart\n the Oracle database.\n\n If Unified Auditing is used:\n Link the oracle binary with uniaud_on, and then restart the database. 
Oracle\n Database Upgrade Guide describes how to enable unified auditing.\n\n For more information on the configuration of auditing, refer to the following\n documents:\n \\\"Auditing Database Activity\\\" in the Oracle Database 2 Day + Security Guide:\n http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000\n \\\"Monitoring Database Activity with Auditing\\\" in the Oracle Database Security\n Guide:\n http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI\n \\\"DBMS_AUDIT_MGMT\\\" in the Oracle Database PL/SQL Packages and Types Reference:\n http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241\n Oracle Database Upgrade Guide:\n http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810\n\n If the site-specific audit requirements are not covered by the default audit\n options, deploy and configure Fine-Grained Auditing. For details, refer to\n Oracle documentation at the locations above.\n\n If this level of auditing does not meet site-specific requirements, consider\n deploying the Oracle Audit Vault. The Audit Vault is a highly configurable\n option from Oracle made specifically for performing the audit functions. 
It\n has reporting capabilities as well as user-defined rules that provide\n additional flexibility for complex auditing requirements.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n end\nend\n", + "code": "control 'V-61503' do\n title \"Sensitive data stored in the database must be identified in the System\n Security Plan and AIS Functional Architecture documentation.\"\n desc \"A DBMS that does not have the correct confidentiality level identified\n or any confidentiality level assigned is not being secured at a level\n appropriate to the risk it poses.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61503'\n tag \"rid\": 'SV-75993r1_rule'\n tag \"stig_id\": 'O121-BP-024900'\n tag \"fix_id\": 'F-67419r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": 
nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If no sensitive or classified data is stored in the database,\n listed in the System Security Plan and listed in the AIS Functional\n Architecture documentation, this check is not a finding.\n\n Review AIS Functional Architecture documentation for the DBMS and note any\n sensitive data that is identified.\n\n Review database table column data or descriptions that indicate sensitive data.\n\n For example, a data column labeled \\\"SSN\\\" could indicate social security\n numbers are stored in the column.\n\n Question the ISSO or DBA where any questions arise.\n\n General categories of sensitive data requiring identification include any\n personal data (health, financial, social security number and date of birth),\n proprietary or financially sensitive business data or data that might be\n classified.\n\n If any data is considered sensitive and is not documented in the AISFA, this is\n a finding.\"\n tag \"fix\": \"Include identification of any sensitive data in the AIS\n Functional Architecture and the System Security Plan.\n\n Include data that appear to be sensitive with a discussion as to why it is not\n marked as such.\"\n describe 'A manual review is required to ensure sensitive data stored in the database is identified in the System\n Security Plan and AIS Functional Architecture documentation' do\n skip 'A manual review is required to ensure sensitive data stored in the database is identified in the System\n Security Plan and AIS Functional Architecture documentation'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61887.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61503.rb", "line": 1 }, - "id": "V-61887" + "id": 
"V-61503" }, { - "title": "DBMS default accounts must be assigned custom passwords.", - "desc": "Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations.", + "title": "The DBMS must support organizational requirements to enforce password\n complexity by the number of lower-case characters used.", + "desc": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", "descriptions": { - "default": "Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations." + "default": "Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." 
}, - "impact": 0.7, - "refs": [], + "impact": 0.5, + "refs": [ + { + "ref": [] + } + ], "tags": { - "gtitle": "SRG-APP-000174-DB-000078", - "gid": "V-61541", - "rid": "SV-76031r1_rule", - "stig_id": "O121-C1-015000", - "fix_id": "F-67457r1_fix", + "gtitle": "SRG-APP-000167-DB-000071", + "gid": "V-61725", + "rid": "SV-76215r1_rule", + "stig_id": "O121-C2-014200", + "fix_id": "F-67641r1_fix", "cci": [ - "CCI-000199" + "CCI-000193" ], "nist": [ - "IA-5 (1) (d)", + "IA-5 (1) (a)", "Rev_4" ], "false_negatives": null, 
@@ -591,35 +555,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Use this query to identify the Oracle-supplied accounts that\n still have their default passwords:\n SELECT * FROM SYS.DBA_USERS_WITH_DEFPWD;\n\n If any accounts other than XS$NULL are listed, this is a finding.\n\n (XS$NULL is an internal account that represents the absence of a user in a\n session. Because XS$NULL is not a user, this account can only be accessed by\n the Oracle Database instance. XS$NULL has no privileges and no one can\n authenticate as XS$NULL, nor can authentication credentials ever be assigned to\n XS$NULL.)", - "fix": "Change passwords for DBMS accounts to non-default values. Where\n necessary, unlock or enable accounts to change the password, and then return\n the account to disabled or locked status." + "check": "If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of lower-case\n characters (1 unless otherwise specified), this is a finding.", + "fix": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user 
accounts are managed by Oracle: Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the starting point\n for a customized function.)" }, - "code": "control 'V-61541' do\n title 'DBMS default accounts must be assigned custom passwords.'\n desc \"Password maximum lifetime is the maximum period of time, (typically\nin days) a user's password may be in effect before the user is forced to change\nit.\n\n Passwords need to be changed at specific policy-based intervals as per\npolicy. Any password, no matter how complex, can eventually be cracked.\n\n One method of minimizing this risk is to use complex passwords and\nperiodically change them. If the application does not limit the lifetime of\npasswords and force users to change their passwords, there is the risk that the\nsystem and/or application passwords could be compromised.\n\n DBMS default passwords provide a commonly known and exploited means for\nunauthorized access to database installations.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000174-DB-000078'\n tag \"gid\": 'V-61541'\n tag \"rid\": 'SV-76031r1_rule'\n tag \"stig_id\": 'O121-C1-015000'\n tag \"fix_id\": 'F-67457r1_fix'\n tag \"cci\": ['CCI-000199']\n tag \"nist\": ['IA-5 (1) (d)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Use this query to identify the Oracle-supplied accounts that\n still have their default passwords:\n SELECT * FROM SYS.DBA_USERS_WITH_DEFPWD;\n\n If any accounts other than XS$NULL are listed, this is a finding.\n\n (XS$NULL is an internal account 
that represents the absence of a user in a\n session. Because XS$NULL is not a user, this account can only be accessed by\n the Oracle Database instance. XS$NULL has no privileges and no one can\n authenticate as XS$NULL, nor can authentication credentials ever be assigned to\n XS$NULL.)\"\n tag \"fix\": \"Change passwords for DBMS accounts to non-default values. Where\n necessary, unlock or enable accounts to change the password, and then return\n the account to disabled or locked status.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n sys_dba_users_with_defpwd = sql.query(' SELECT username FROM SYS.DBA_USERS_WITH_DEFPWD;').column('username').uniq\n\n describe.one do\n sys_dba_users_with_defpwd.each do |user|\n describe \"The oracle system database user: #{user} with a default password\" do\n subject { user }\n it { should cmp 'XS$NULL' }\n end\n end\n \n describe sys_dba_users_with_defpwd do\n it { should be_empty }\n end\n end\nend\n", + "code": "control 'V-61725' do\n title \"The DBMS must support organizational requirements to enforce password\n complexity by the number of lower-case characters used.\"\n desc \"Password complexity or strength is a measure of the effectiveness of a\n password in resisting attempts at guessing and brute-force attacks.\n\n Password complexity is one factor of several that determine how long it\n takes to crack a password. The more complex the password is, the greater the\n number of possible combinations that need to be tested before the password is\n compromised.\n\n Use of a complex password helps to increase the time and resources required\n to compromise the password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000167-DB-000071'\n tag \"gid\": 'V-61725'\n tag \"rid\": 'SV-76215r1_rule'\n tag \"stig_id\": 'O121-C2-014200'\n tag \"fix_id\": 'F-67641r1_fix'\n tag \"cci\": ['CCI-000193']\n tag \"nist\": ['IA-5 (1) (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()]\n ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of lower-case\n characters (1 unless otherwise specified), this is a finding.\"\n tag \"fix\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, no fix to\n the DBMS is required.\n\n If any user accounts are 
managed by Oracle: Develop, test and implement a\n password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file\n /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the starting point\n for a customized function.)\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_verify_function = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database account password verify function for profile: #{profile}\" do\n subject { password_verify_function }\n it { should_not eq ['NULL'] }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61541.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61725.rb", "line": 1 }, - "id": "V-61541" + "id": "V-61725" }, { - "title": "The DBMS software libraries must be periodically backed up.", - "desc": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software 
libraries. Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations.", + "title": "Owners of privileged accounts must use non-privileged accounts for\n non-administrative activities.", + "desc": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.", "descriptions": { - "default": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software libraries. Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations." + "default": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications." 
}, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000146-DB-000100", - "gid": "V-61877", - "rid": "SV-76367r1_rule", - "stig_id": "O121-P2-012700", - "fix_id": "F-67793r1_fix", + "gtitle": "SRG-APP-000063-DB-000018", + "gid": "V-61597", + "rid": "SV-76087r1_rule", + "stig_id": "O121-C2-004210", + "fix_id": "F-67513r1_fix", "cci": [ - "CCI-000537" + "CCI-000366" ], "nist": [ - "CP-9 (b)", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
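Review bot: The new V-61725 control code in this hunk writes its profile filter as `PROFILE = '%s'` but then calls `format(query, profile: profile)`, which hands `format` a hash rather than a string; in Ruby `%s` renders that hash (something like `{:profile=>"DEFAULT"}`) instead of the profile name, so the `WHERE PROFILE = ...` predicate appears never to match, `column('limit')` comes back empty and `should_not eq ['NULL']` passes for every profile — the control would report compliant even when no password verification function is configured. Switching to a named reference fixes it: `'%<profile>s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'`. Because profile names are interpolated straight into the SQL text, a one-line comment noting they are read from `dba_users` (DBA-controlled values, not end-user input) would help the next reader judge the injection surface. Since this file is generated by automated ingestion, the correction belongs in the upstream profile's `controls/V-61725.rb` rather than in the JSON `code` string here.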
@@ -632,21 +596,21 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review evidence of inclusion of the DBMS libraries in current\n backup records.\n\n If any DBMS library files are not included in regular backups, this is a\n finding.", - "fix": "Configure backups to include all DBMS application and third-party\n database application software libraries." + "check": "Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.", + "fix": "Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities." }, - "code": "control 'V-61877' do\n title 'The DBMS software libraries must be periodically backed up.'\n desc \"Information system backup is a critical step in maintaining data\n assurance and availability.\n\n System-level information includes: system-state information, operating\n system and application software, and licenses.\n\n Backups shall be consistent with organizational recovery time and recovery\n point objectives.\n\n The DBMS application depends upon the availability and integrity of its\n software libraries. 
Without backups, compromise or loss of the software\n libraries can prevent a successful recovery of DBMS operations.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000146-DB-000100'\n tag \"gid\": 'V-61877'\n tag \"rid\": 'SV-76367r1_rule'\n tag \"stig_id\": 'O121-P2-012700'\n tag \"fix_id\": 'F-67793r1_fix'\n tag \"cci\": ['CCI-000537']\n tag \"nist\": ['CP-9 (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review evidence of inclusion of the DBMS libraries in current\n backup records.\n\n If any DBMS library files are not included in regular backups, this is a\n finding.\"\n tag \"fix\": \"Configure backups to include all DBMS application and third-party\n database application software libraries.\"\n describe 'A manual review is required to ensure the DBMS software libraries are periodically backed up' do\n skip 'A manual review is required to ensure the DBMS software libraries are periodically backed up'\n end\nend\n", + "code": "control 'V-61597' do\n title \"Owners of privileged accounts must use non-privileged accounts for\n non-administrative activities.\"\n desc \"Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. 
It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000063-DB-000018'\n tag \"gid\": 'V-61597'\n tag \"rid\": 'SV-76087r1_rule'\n tag \"stig_id\": 'O121-C2-004210'\n tag \"fix_id\": 'F-67513r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.\"\n tag \"fix\": \"Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities.\"\n describe 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities' do\n skip 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61877.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61597.rb", "line": 1 }, - "id": "V-61877" + "id": "V-61597" }, { - "title": "The DBMS must use NIST-validated FIPS 140-2-compliant cryptography\n for authentication mechanisms.", - "desc": "Encryption is only as good as the encryption modules utilized.\n Unapproved cryptographic module algorithms cannot be 
verified and cannot be\n relied upon to provide confidentiality or integrity, and DoD data may be\n compromised due to weak algorithms.\n\n Applications utilizing encryption are required to use approved encryption\n modules that meet the requirements of applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n\n FIPS 140-2 is the current standard for validating cryptographic modules,\n and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based\n encryption modules.\n\n Authentication modules with weak encryption could allow an attacker to gain\n access to data stored in the database and to the administration settings of the\n DBMS.", + "title": "OS accounts utilized to run external procedures called by the DBMS\n must have limited privileges.", + "desc": "This requirement is intended to limit exposure due to operating from\n within a privileged account or role. The inclusion of role is intended to\n address those situations where an access control policy, such as Role Based\n Access Control (RBAC) is being implemented and where a change of role provides\n the same degree of assurance in the change of access authorizations for both\n the user and all processes acting on behalf of the user as would be provided by\n a change between a privileged and non-privileged account.\n\n To limit exposure when operating from within a privileged account or role,\n the application must support organizational requirements that users of\n information system accounts, or roles, with access to organization-defined\n lists of security functions or security-relevant information, use\n non-privileged accounts, or roles, when accessing other (non-security) system\n functions.\n\n Use of privileged accounts for non-administrative purposes puts data at\n risk of unintended or unauthorized loss, modification, or exposure. 
In\n particular, DBA accounts if used for non-administration application development\n or application maintenance can lead to miss-assignment of privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.\n\n External applications called or spawned by the DBMS process may be executed\n under OS accounts with unnecessary privileges. This can lead to unauthorized\n access to OS resources and compromise of the OS, the DBMS or any other services\n provided by the host platform.", "descriptions": { - "default": "Encryption is only as good as the encryption modules utilized.\n Unapproved cryptographic module algorithms cannot be verified and cannot be\n relied upon to provide confidentiality or integrity, and DoD data may be\n compromised due to weak algorithms.\n\n Applications utilizing encryption are required to use approved encryption\n modules that meet the requirements of applicable federal laws, Executive\n Orders, directives, policies, regulations, standards, and guidance.\n\n FIPS 140-2 is the current standard for validating cryptographic modules,\n and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based\n encryption modules.\n\n Authentication modules with weak encryption could allow an attacker to gain\n access to data stored in the database and to the administration settings of the\n DBMS." + "default": "This requirement is intended to limit exposure due to operating from\n within a privileged account or role. 
The inclusion of role is intended to\n address those situations where an access control policy, such as Role Based\n Access Control (RBAC) is being implemented and where a change of role provides\n the same degree of assurance in the change of access authorizations for both\n the user and all processes acting on behalf of the user as would be provided by\n a change between a privileged and non-privileged account.\n\n To limit exposure when operating from within a privileged account or role,\n the application must support organizational requirements that users of\n information system accounts, or roles, with access to organization-defined\n lists of security functions or security-relevant information, use\n non-privileged accounts, or roles, when accessing other (non-security) system\n functions.\n\n Use of privileged accounts for non-administrative purposes puts data at\n risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts if used for non-administration application development\n or application maintenance can lead to miss-assignment of privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.\n\n External applications called or spawned by the DBMS process may be executed\n under OS accounts with unnecessary privileges. This can lead to unauthorized\n access to OS resources and compromise of the OS, the DBMS or any other services\n provided by the host platform." }, "impact": 0, "refs": [ 
@@ -655,16 +619,16 @@ } ], "tags": { - "gtitle": "SRG-APP-000179-DB-000114", - "gid": "V-61747", - "rid": "SV-76237r2_rule", - "stig_id": "O121-C2-015700", - "fix_id": "F-67663r2_fix", + "gtitle": "SRG-APP-000063-DB-000020", + "gid": "V-61601", + "rid": "SV-76091r2_rule", + "stig_id": "O121-C2-004400", + "fix_id": "F-67517r2_fix", "cci": [ - "CCI-000803" + "CCI-000366" ], "nist": [ - "IA-7", + "CM-6 b", "Rev_4" ], "false_negatives": null, 
@@ -677,35 +641,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Check the following settings to see if FIPS 140-2\n authentication/encryption is configured. If encryption is required but not\n configured, check with the DBA and system administrator to see if other\n mechanisms or third-party cryptography products are deployed for authentication.\n\n To see if Oracle is configured for FIPS 140-2 SSL/TLS authentication and/or\n Encryption:\n\n Verify the DBMS version:\n select * from V_$VERSION;\n If the version displayed for Oracle Database is lower than 12.1.0.2, this is a\n finding.\n\n If the operating system is Windows and the DBMS version is 12.1.0.2, use the\n opatch command to display the patches applied to the DBMS.\n\n If the patches listed do not include \"WINDOWS DB BUNDLE PATCH 12.1.0.2.7\",\n this is a finding.\n\n Open the fips.ora file in a browser or editor. (The default location for\n fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An\n alternate location, if it is in use, is specified in the FIPS_HOME environment\n variable.)\n\n If the line \"SSLFIPS_140=TRUE\" is not found in fips.ora, or the file does not\n exist, this is a finding.", - "fix": "Utilize NIST-validated FIPS 140-2-compliant cryptography for all\n authentication mechanisms.\n\n Where not already in effect, upgrade the DBMS to version 12.1.0.2 or higher.\n\n Where the operating system is Windows and the DBMS version is 12.1.0.2, install\n patch \"WINDOWS DB BUNDLE PATCH 12.1.0.2.7\" if not already deployed.\n\n Open the fips.ora file in an editor. (The default location for fips.ora is\n $ORACLE_HOME/ldap/admin/ but alternate locations are possible. 
An alternate\n location, if it is in use, is specified in the FIPS_HOME environment variable.)\n Create or modify fips.ora to include the line \"SSLFIPS_140=TRUE\".\n\n - - - - -\n The strength requirements are dependent upon data classification.\n\n For unclassified data, where cryptography is required:\n AES 128 for encryption\n SHA 256 for hashing\n\n NSA has established the suite B encryption requirements for protecting National\n Security Systems (NSS) as follows.\n AES 128 for Secret\n AES 256 for Top Secret\n SHA 256 for Secret\n SHA 384 for Top Secret\n\n National Security System is defined as:\n (OMB Circular A-130) Any telecommunications or information system operated by\n the United States Government, the function, operation, or use of which (1)\n involves intelligence activities; (2) involves cryptologic activities related\n to national security; (3) involves command and control of military forces; (4)\n involves equipment that is an integral part of a weapon or weapons system; or\n (5) is critical to the direct fulfillment of military or intelligence missions,\n but excluding any system that is to be used for routine administrative and\n business applications (including payroll, finance, logistics, and personnel\n management applications).\n\n There is more information on this topic in the Oracle Database 12c Advanced\n Security Administrator's Guide, which may be found at\n https://docs.oracle.com/database/121/DBSEG/E48135-11.pdf. 
(Note, however, that\n because of changes in Oracle's licensing policy, it is no longer necessary to\n purchase Oracle Advanced Security to use network encryption and advanced\n authentication.)\n\n FIPS 140-2 documentation can be downloaded from\n http://csrc.nist.gov/publications/PubsFIPS.html#140-2 " + "check": "Determine which OS accounts are used by the DBMS to run\n external procedures.\n\n Validate that these OS accounts have only the privileges necessary to perform\n the required functionality.\n\n If any OS accounts, utilized by the database for running external procedures,\n have privileges beyond those required for running the external procedures, this\n is a finding.\n\n If use of the external procedure agent is authorized, ensure extproc is\n restricted to execution of authorized applications.\n\n External jobs are run using the account nobody by default.\n\n Review the contents of the file ORACLE_HOME/rdbms/admin/externaljob.ora for the\n lines run_user= and run_group=.\n\n If the user assigned to these parameters is not \"nobody\", this is a finding.\n\n System views providing privilege information are:\n DBA_SYS_PRIVS\n DBA_TAB_PRIVS\n DBA_ROLE_PRIVS", + "fix": "Limit privileges to DBMS-related OS accounts to those required to\n perform their DBMS specific functionality." 
}, - "code": " control 'V-61747' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", + "code": " control 'V-61601' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61747.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61601.rb", "line": 1 }, - "id": "V-61747" + "id": "V-61601" }, { - "title": "Owners of privileged accounts must use non-privileged accounts for\n non-administrative activities.", - "desc": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. 
It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.", + "title": "Database software directories, including DBMS configuration files,\n must be stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications.", + "desc": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in the\n protection between applications.", "descriptions": { - "default": "Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications." 
+ "default": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. Any\n method that provides any level of separation of security context assists in the\n protection between applications." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000063-DB-000018", - "gid": "V-61597", - "rid": "SV-76087r1_rule", - "stig_id": "O121-C2-004210", - "fix_id": "F-67513r1_fix", + "gtitle": "SRG-APP-000133-DB-000199", + "gid": "V-61875", + "rid": "SV-76365r1_rule", + "stig_id": "O121-P2-010900", + "fix_id": "F-67791r1_fix", "cci": [ - "CCI-000366" + "CCI-001499" ], "nist": [ - "CM-6 b", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -718,76 +682,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.", - "fix": "Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities." + "check": "Review the DBMS software library directory and note other root\n directories located on the same disk directory or any subdirectories. If any\n non-DBMS software directories exist on the disk directory, examine or\n investigate their use.\n\n If any of the directories are used by other applications, including third-party\n applications that use the DBMS, this is a finding.\n\n Only applications that are required for the functioning and administration, not\n use, of the DBMS should be located on the same disk directory as the DBMS\n software libraries.\n\n For databases located on mainframes, confirm that the database and its\n configuration files are isolated in their own DASD pools.\n\n If database software and database configuration files share DASD with other\n applications, this is a finding.", + "fix": "Install all applications on directories, or pools, separate from\n the DBMS software library directory. Re-locate any directories or re-install\n other application software that currently shares the DBMS software library\n directory to separate directories.\n\n For mainframe-based databases, locate database software and configuration files\n in separate DASD pools from other mainframe applications." 
}, - "code": "control 'V-61597' do\n title \"Owners of privileged accounts must use non-privileged accounts for\n non-administrative activities.\"\n desc \"Use of privileged accounts for non-administrative purposes puts data\n at risk of unintended or unauthorized loss, modification, or exposure. In\n particular, DBA accounts, if used for non-administration application\n development or application maintenance, can lead to excessive privileges where\n privileges are inherited by object owners. It may also lead to loss or\n compromise of application data where the elevated privileges bypass controls\n designed in and provided by applications.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000063-DB-000018'\n tag \"gid\": 'V-61597'\n tag \"rid\": 'SV-76087r1_rule'\n tag \"stig_id\": 'O121-C2-004210'\n tag \"fix_id\": 'F-67513r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review procedures and practices. If there is not a policy\n requiring owners of privileged accounts to use non-privileged accounts for\n non-administrative activities, this is a finding. 
If there is evidence that\n owners of privileged accounts do not adhere to this policy, this is a finding.\"\n tag \"fix\": \"Require that DBAs and other privileged users use non-privileged\n accounts for non-administrative activities.\"\n describe 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities' do\n skip 'A manual review is required to ensure owners of privileged accounts use non-privileged accounts for\n non-administrative activities'\n end\nend\n", + "code": "control 'V-61875' do\n title \"Database software directories, including DBMS configuration files,\n must be stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications.\"\n desc \"When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n Multiple applications can provide a cumulative negative effect. A\n vulnerability and subsequent exploit to one application can lead to an exploit\n of other applications sharing the same security context. For example, an\n exploit to a web server process that leads to unauthorized administrative\n access to host system directories can most likely lead to a compromise of all\n applications hosted by the same system. Database software not installed using\n dedicated directories both threatens and is threatened by other hosted\n applications. Access controls defined for one application may by default\n provide access to the other application's database objects or directories. 
Any\n method that provides any level of separation of security context assists in the\n protection between applications.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000133-DB-000199'\n tag \"gid\": 'V-61875'\n tag \"rid\": 'SV-76365r1_rule'\n tag \"stig_id\": 'O121-P2-010900'\n tag \"fix_id\": 'F-67791r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the DBMS software library directory and note other root\n directories located on the same disk directory or any subdirectories. If any\n non-DBMS software directories exist on the disk directory, examine or\n investigate their use.\n\n If any of the directories are used by other applications, including third-party\n applications that use the DBMS, this is a finding.\n\n Only applications that are required for the functioning and administration, not\n use, of the DBMS should be located on the same disk directory as the DBMS\n software libraries.\n\n For databases located on mainframes, confirm that the database and its\n configuration files are isolated in their own DASD pools.\n\n If database software and database configuration files share DASD with other\n applications, this is a finding.\"\n tag \"fix\": \"Install all applications on directories, or pools, separate from\n the DBMS software library directory. 
Re-locate any directories or re-install\n other application software that currently shares the DBMS software library\n directory to separate directories.\n\n For mainframe-based databases, locate database software and configuration files\n in separate DASD pools from other mainframe applications.\"\n describe 'A manual review is required to ensure Database software directories, including DBMS configuration files,\n are stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications' do\n skip 'A manual review is required to ensure Database software directories, including DBMS configuration files,\n are stored in dedicated directories, or DASD pools, separate from the host\n OS and other applications'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61597.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61875.rb", "line": 1 }, - "id": "V-61597" + "id": "V-61875" }, { - "title": "The DBMS must automatically terminate emergency accounts after an\n organization-defined time period for each type of account.", - "desc": "Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. 
Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused.", + "title": "Oracle must back up user-level information per a defined frequency.", + "desc": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Databases that do not backup information regularly risk the loss of that\n information in the event of a system failure. 
Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss.", "descriptions": { - "default": "Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused." 
+ "default": "Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Databases that do not backup information regularly risk the loss of that\n information in the event of a system failure. Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000234-DB-000157", - "gid": "V-61777", - "rid": "SV-76267r1_rule", - "stig_id": "O121-C2-018600", - "fix_id": "F-67693r1_fix", - "cci": [ - "CCI-001682" - ], - "nist": [ - "AC-2 (2)", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null, - "check": "If the organization has a policy, consistently enforced,\n forbidding the creation of emergency or temporary accounts, this is not a\n finding.\n\n Check DBMS settings, OS settings, and/or enterprise-level authentication/access\n mechanisms settings to determine if emergency accounts are being automatically\n terminated by the system after an organization-defined time period. Check also\n for custom code (scheduled jobs, procedures, triggers, etc.) 
for achieving\n this.\n\n If emergency accounts are not being terminated after an organization-defined\n time period, this is a finding.", - "fix": "Create a profile specifically for emergency or temporary\n accounts. When creating the accounts, assign them to this profile. Configure\n DBMS, OS, and/or enterprise-level authentication/access mechanisms, or\n implement custom code, to terminate accounts with this profile after an\n organization-defined time period." - }, - "code": "control 'V-61777' do\n title \"The DBMS must automatically terminate emergency accounts after an\n organization-defined time period for each type of account.\"\n desc \"Emergency application accounts are typically created due to an\n unforeseen operational event or could ostensibly be used in the event of a\n vendor support visit where a support representative requires a temporary unique\n account in order to perform diagnostic testing or conduct some other\n support-related activity. When these types of accounts are created, there is a\n risk that the temporary account may remain in place and active after the\n support representative has left.\n\n In the event emergency application accounts are required, the application\n must ensure accounts that are designated as temporary in nature shall\n automatically terminate these accounts after an organization-defined time\n period. Such a process and capability greatly reduces the risk that accounts\n will be misused, hijacked, or application data compromised.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n\n If it is possible for any temporary emergency accounts to be created and\n managed by Oracle, then the DBMS or application must provide or utilize a\n mechanism to automatically terminate such accounts after an\n organization-defined time period.\n\n Emergency database accounts must be automatically terminated after an\n organization-defined time period in order to mitigate the risk of the account\n being misused.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000234-DB-000157'\n tag \"gid\": 'V-61777'\n tag \"rid\": 'SV-76267r1_rule'\n tag \"stig_id\": 'O121-C2-018600'\n tag \"fix_id\": 'F-67693r1_fix'\n tag \"cci\": ['CCI-001682']\n tag \"nist\": ['AC-2 (2)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If the organization has a policy, consistently enforced,\n forbidding the creation of emergency or temporary accounts, this is not a\n finding.\n\n Check DBMS settings, OS settings, and/or enterprise-level authentication/access\n mechanisms settings to determine if emergency accounts are being automatically\n terminated by the system after an organization-defined time period. Check also\n for custom code (scheduled jobs, procedures, triggers, etc.) for achieving\n this.\n\n If emergency accounts are not being terminated after an organization-defined\n time period, this is a finding.\"\n tag \"fix\": \"Create a profile specifically for emergency or temporary\n accounts. When creating the accounts, assign them to this profile. 
Configure\n DBMS, OS, and/or enterprise-level authentication/access mechanisms, or\n implement custom code, to terminate accounts with this profile after an\n organization-defined time period.\"\n describe 'A manual review is required to ensure the DBMS automatically terminates emergency accounts after an\n organization-defined time period for each type of account' do\n skip 'A manual review is required to ensure the DBMS automatically terminates emergency accounts after an\n organization-defined time period for each type of account'\n end\nend\n", - "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61777.rb", - "line": 1 - }, - "id": "V-61777" - }, - { - "title": "Fixed user and public database links must be authorized for use.", - "desc": "Database links define connections that may be used by the local\n database to access remote Oracle databases. These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases.", - "descriptions": { - "default": "Database links define connections that may be used by the local\n database to access remote Oracle databases. These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases." 
- }, - "impact": 0, - "refs": [], - "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61415", - "rid": "SV-75905r2_rule", - "stig_id": "O121-BP-021400", - "fix_id": "F-67331r1_fix", + "gtitle": "SRG-APP-000145-DB-000095", + "gid": "V-61693", + "rid": "SV-76183r2_rule", + "stig_id": "O121-C2-012200", + "fix_id": "F-67609r1_fix", "cci": [ - "CCI-000366" + "CCI-000535" ], "nist": [ - "CM-6 b", + "CP-9 (a)", "Rev_4" ], "false_negatives": null, 
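Review bot: The new side of this hunk swaps entire control objects (V-61597 for V-61875, V-61777 removed outright, V-61415 for V-61693 in the following hunk) without any visible change to a control's own content, and the diffstat of 61005 insertions against 61005 deletions suggests the ingestion writes the `controls` array in a non-deterministic order. That makes a genuine content change in any baseline (an altered `impact`, `check` or `code` string) effectively unreviewable; sorting the array by `id` before serialising, so that re-ingesting unchanged upstream profiles produces an empty diff, would fix this at the generator. Whether V-61777 is only moved elsewhere in the file or actually dropped cannot be confirmed from this hunk; if dropped, the emergency-account termination control (`CCI-001682`, `AC-2 (2)`) disappears from the baseline silently. The `source_location.ref` values also embed the CI runner's absolute `.inspec/cache` path, which carries no meaning for consumers of the asset and could be reduced to the `controls/<id>.rb` suffix.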
@@ -800,76 +723,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "From SQL*Plus:\n\n select owner||': '||db_link from dba_db_links;\n\n If no records are returned from the first SQL statement, this check is not a\n finding.\n\n Confirm the public and fixed user database links listed are documented in the\n System Security Plan, are authorized by the ISSO, and are used for replication\n or operational system requirements.\n\n If any are not, this is a finding.\n ", - "fix": "Document all authorized connections from the database to remote\n databases in the System Security Plan.\n\n Remove all unauthorized remote database connection definitions from the\n database.\n\n From SQL*Plus:\n\n drop database link [link name];\n OR\n drop public database link [link name];\n\n Review remote database connection definitions periodically and confirm their\n use is still required and authorized." + "check": "Review DBMS settings and site documentation to determine\n whether Oracle is configured to back up user-level data according to a defined\n frequency.\n\n If it is not, this is a finding.\n\n (The V$RMAN_STATUS view displays the finished and on-going RMAN jobs. For\n on-going jobs, this view displays progress and status.)", + "fix": "Configure the Oracle DBMS to back up user-level data on a defined\n frequency." }, - "code": "control 'V-61415' do\n title 'Fixed user and public database links must be authorized for use.'\n desc \"Database links define connections that may be used by the local\n database to access remote Oracle databases. These links provide a means for a\n compromise to the local database to spread to remote databases in the\n distributed database environment. 
Limiting or eliminating use of database links\n where they are not required to support the operational system can help isolate\n compromises to the local or a limited number of databases.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61415'\n tag \"rid\": 'SV-75905r2_rule'\n tag \"stig_id\": 'O121-BP-021400'\n tag \"fix_id\": 'F-67331r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"From SQL*Plus:\n\n select owner||': '||db_link from dba_db_links;\n\n If no records are returned from the first SQL statement, this check is not a\n finding.\n\n Confirm the public and fixed user database links listed are documented in the\n System Security Plan, are authorized by the ISSO, and are used for replication\n or operational system requirements.\n\n If any are not, this is a finding.\n \"\n tag \"fix\": \"Document all authorized connections from the database to remote\n databases in the System Security Plan.\n\n Remove all unauthorized remote database connection definitions from the\n database.\n\n From SQL*Plus:\n\n drop database link [link name];\n OR\n drop public database link [link name];\n\n Review remote database connection definitions periodically and confirm their\n use is still required and authorized.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n db_links = sql.query('SELECT DB_LINK FROM DBA_DB_LINKS;').column('db_link').uniq\n if db_links.empty?\n impact 0.0\n describe 'There are no oracle database links defined, control N/A' do\n skip 'There are no oracle 
database links defined, control N/A'\n end\n else\n db_links.each do |link|\n describe \"The defined oracle database link: #{link}\" do\n subject { link }\n it { should be_in input('allowed_db_links') }\n end\n end\n end\nend\n", + "code": "control 'V-61693' do\n title 'Oracle must back up user-level information per a defined frequency.'\n desc \"Information system backup is a critical step in maintaining data\n assurance and availability.\n\n User-level information is data generated by information system and/or\n application users. In order to assure availability of this data in the event of\n a system failure, DoD organizations are required to ensure user-generated data\n is backed up at a defined frequency. This includes data stored on file systems,\n within databases or within any other storage media.\n\n Applications performing backups must be capable of backing up user-level\n information per the DoD-defined frequency.\n\n Databases that do not backup information regularly risk the loss of that\n information in the event of a system failure. 
Most databases contain\n functionality to allow regular backups; it is important that this functionality\n is enabled and configured correctly to prevent data loss.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000145-DB-000095'\n tag \"gid\": 'V-61693'\n tag \"rid\": 'SV-76183r2_rule'\n tag \"stig_id\": 'O121-C2-012200'\n tag \"fix_id\": 'F-67609r1_fix'\n tag \"cci\": ['CCI-000535']\n tag \"nist\": ['CP-9 (a)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review DBMS settings and site documentation to determine\n whether Oracle is configured to back up user-level data according to a defined\n frequency.\n\n If it is not, this is a finding.\n\n (The V$RMAN_STATUS view displays the finished and on-going RMAN jobs. 
For\n on-going jobs, this view displays progress and status.)\"\n tag \"fix\": \"Configure the Oracle DBMS to back up user-level data on a defined\n frequency.\"\n describe 'A manual review is required to ensure Oracle backs up user-level information per a defined frequency' do\n skip 'A manual review is required to ensure Oracle backs up user-level information per a defined frequency'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61415.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61693.rb", "line": 1 }, - "id": "V-61415" + "id": "V-61693" }, { - "title": "Applications must obscure feedback of authentication information\n during the authentication process to protect the information from possible\n exploitation/use by unauthorized individuals.", - "desc": "To prevent the compromise of authentication information, such as\n passwords, during the authentication process, the feedback from the information\n system shall not provide any information that would allow an unauthorized user\n to compromise the authentication mechanism.\n\n Obfuscation of user-provided information when typed into the system is a\n method used in addressing this risk.\n\n For example, displaying asterisks when a user types in a password, is an\n example of obscuring feedback of authentication information.\n\n Database applications may allow for entry of the account name and password\n as a visible parameter of the application execution command. This practice\n should be prohibited and disabled to prevent shoulder surfing.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. 
It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.", + "title": "The DBMS software installation account must be restricted to\n authorized users.", + "desc": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n If the application were to allow any user to make changes to software\n libraries, then those changes might be implemented without undergoing the\n appropriate testing and approvals that are part of a robust change management\n process.\n\n This requirement is contingent upon the language in which the application\n is programmed, as many application architectures in use today incorporate their\n software libraries into, and make them inseparable from, their compiled\n distributions, rendering them static and version-dependent. However, this\n requirement does apply to applications with software libraries accessible and\n configurable, as in the case of interpreted languages.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a greater impact on\n database security and operation. 
It is especially important to grant access to\n privileged accounts to only those persons who are qualified and authorized to\n use them.\n\n This requirement is particularly important because Oracle equates the\n installation account with the SYS account - the super-DBA. Once logged on to\n the operating system, this account can connect to the database AS SYSDBA\n without further authentication. It is very powerful and, by virtue of not\n being linked to any one person, cannot be audited to the level of the\n individual.", "descriptions": { - "default": "To prevent the compromise of authentication information, such as\n passwords, during the authentication process, the feedback from the information\n system shall not provide any information that would allow an unauthorized user\n to compromise the authentication mechanism.\n\n Obfuscation of user-provided information when typed into the system is a\n method used in addressing this risk.\n\n For example, displaying asterisks when a user types in a password, is an\n example of obscuring feedback of authentication information.\n\n Database applications may allow for entry of the account name and password\n as a visible parameter of the application execution command. This practice\n should be prohibited and disabled to prevent shoulder surfing.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered." 
+ "default": "When dealing with change control issues, it should be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n If the application were to allow any user to make changes to software\n libraries, then those changes might be implemented without undergoing the\n appropriate testing and approvals that are part of a robust change management\n process.\n\n This requirement is contingent upon the language in which the application\n is programmed, as many application architectures in use today incorporate their\n software libraries into, and make them inseparable from, their compiled\n distributions, rendering them static and version-dependent. However, this\n requirement does apply to applications with software libraries accessible and\n configurable, as in the case of interpreted languages.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a greater impact on\n database security and operation. It is especially important to grant access to\n privileged accounts to only those persons who are qualified and authorized to\n use them.\n\n This requirement is particularly important because Oracle equates the\n installation account with the SYS account - the super-DBA. Once logged on to\n the operating system, this account can connect to the database AS SYSDBA\n without further authentication. It is very powerful and, by virtue of not\n being linked to any one person, cannot be audited to the level of the\n individual." 
}, "impact": 0.7, "refs": [], "tags": { - "gtitle": "SRG-APP-000178-DB-000083", - "gid": "V-61843", - "rid": "SV-76333r2_rule", - "stig_id": "O121-N1-015601", - "fix_id": "F-67759r1_fix", - "cci": [ - "CCI-000366" - ], - "nist": [ - "CM-6 b", - "Rev_4" - ], - "false_negatives": null, - "false_positives": null, - "documentable": false, - "mitigations": null, - "severity_override_guidance": false, - "potential_impacts": null, - "third_party_tools": null, - "mitigation_controls": null, - "responsibility": null, - "ia_controls": null, - "check": "Interview the DBA to determine if any applications that access\n the database allow for entry of the account name and password on the command\n line. If any do, determine whether these applications obfuscate authentication\n data. If they do not, this is a finding.", - "fix": "Configure or modify applications to prohibit display of passwords\n in clear text on the command line." - }, - "code": "control 'V-61843' do\n title \"Applications must obscure feedback of authentication information\n during the authentication process to protect the information from possible\n exploitation/use by unauthorized individuals.\"\n desc \"To prevent the compromise of authentication information, such as\n passwords, during the authentication process, the feedback from the information\n system shall not provide any information that would allow an unauthorized user\n to compromise the authentication mechanism.\n\n Obfuscation of user-provided information when typed into the system is a\n method used in addressing this risk.\n\n For example, displaying asterisks when a user types in a password, is an\n example of obscuring feedback of authentication information.\n\n Database applications may allow for entry of the account name and password\n as a visible parameter of the application execution command. 
This practice\n should be prohibited and disabled to prevent shoulder surfing.\n\n This calls for inspection of application source code, which will require\n collaboration with the application developers. It is recognized that in many\n cases, the database administrator (DBA) is organizationally separate from the\n application developers and may have limited, if any, access to source code.\n Nevertheless, protections of this type are so important to the secure operation\n of databases that they must not be ignored. At a minimum, the DBA must attempt\n to obtain assurances from the development organization that this issue has been\n addressed and must document what has been discovered.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000178-DB-000083'\n tag \"gid\": 'V-61843'\n tag \"rid\": 'SV-76333r2_rule'\n tag \"stig_id\": 'O121-N1-015601'\n tag \"fix_id\": 'F-67759r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Interview the DBA to determine if any applications that access\n the database allow for entry of the account name and password on the command\n line. If any do, determine whether these applications obfuscate authentication\n data. 
If they do not, this is a finding.\"\n tag \"fix\": \"Configure or modify applications to prohibit display of passwords\n in clear text on the command line.\"\n describe 'A manual review is required to ensure the applications obscures feedback of authentication information\n during the authentication process to protect the information from possible\n exploitation/use by unauthorized individuals' do\n skip 'A manual review is required to ensure the applications obscures feedback of authentication information\n during the authentication process to protect the information from possible\n exploitation/use by unauthorized individuals'\n end\nend\n", - "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61843.rb", - "line": 1 - }, - "id": "V-61843" - }, - { - "title": "Attempts to bypass access controls must be audited.", - "desc": "Information system auditing capability is critical for accurate\n forensic analysis. Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Detection of suspicious activity, including access attempts and successful\n access from unexpected places, during unexpected times, or other unusual\n indicators can support decisions to apply countermeasures to deter an attack.\n Without detection, malicious activity may proceed without hindrance.", - "descriptions": { - "default": "Information system auditing capability is critical for accurate\n forensic analysis. 
Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Detection of suspicious activity, including access attempts and successful\n access from unexpected places, during unexpected times, or other unusual\n indicators can support decisions to apply countermeasures to deter an attack.\n Without detection, malicious activity may proceed without hindrance." - }, - "impact": 0.5, - "refs": [], - "tags": { - "gtitle": "SRG-APP-000115-DB-000056", - "gid": "V-61651", - "rid": "SV-76141r1_rule", - "stig_id": "O121-C2-009000", - "fix_id": "F-67565r1_fix", + "gtitle": "SRG-APP-000133-DB-000198", + "gid": "V-61873", + "rid": "SV-76363r1_rule", + "stig_id": "O121-P2-010800", + "fix_id": "F-67789r1_fix", "cci": [ - "CCI-000158" + "CCI-001499" ], "nist": [ - "AU-7 (1)", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -882,15 +764,15 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Review any audit settings for:\n - Unsuccessful logon attempts;\n - Account locking events;\n - Account disabling from a specific source location;\n - Failed database object attempts or attempts to access objects that do not\n exist; and\n - Other activities that may produce unexpected failures or trigger DBMS\n lockdown actions.\n\n If any of the above events as applicable to the DBMS are not audited, this is a\n finding.\n\n - - - - - -\n Check the current users in the database to see what profile they are assigned.\n The logon attempts past a site-defined allowable number, along with account\n locking, is best performed using a profile that defines the limits on these\n activities as designed by the DBA at a specific site. Failed database object\n access or attempt to access objects is monitored by auditing. Checking other\n activities that may produce unexpected failures or trigger database lockdown\n procedures is possible, but the check for the existence of those procedures is\n not possible unless they are defined.\n\n Check to see what profiles exist for the different users of the database.\n\n SQL>col name format a20\n col username format a21\n col profile format a10\n col \"tmp tba\" format a10\n select u.username,\n u.default_tablespace,\n u.temporary_tablespace \"TMP TBS\",\n u.profile,\n r.granted_role,\n r.admin_option,\n r.default_role\n from sys.dba_users u,\n sys.dba_role_privs r\n where u.username = r.grantee (+)\n group by u.username,\n u.default_tablespace,\n u.temporary_tablespace,\n u.profile,\n r.granted_role,\n r.admin_option,\n r.default_role;\n\n View existing profiles and see what their settings are.\n\n SQL> select profile, resource_name, limit\n from dba_profiles\n order by profile, resource_name;\n\n This is the audit table. 
Specific actions are logged in this table.\n\n If Standard Auditing is used:\n SQL> desc aud$;\n Name Null? Type\n ----------------- ------- ------\n SESSIONID NOT NULL NUMBER\n ENTRYID NOT NULL NUMBER\n STATEMENT NOT NULL NUMBER\n TIMESTAMP# DATE\n USERID VARCHAR2(30)\n USERHOST VARCHAR2(128)\n TERMINAL VARCHAR2(255)\n ACTION# NOT NULL NUMBER\n RETURNCODE NOT NULL NUMBER\n OBJ$CREATOR VARCHAR2(30)\n OBJ$NAME VARCHAR2(128)\n AUTH$PRIVILEGES VARCHAR2(16)\n AUTH$GRANTEE VARCHAR2(30)\n NEW$OWNER VARCHAR2(30)\n NEW$NAME VARCHAR2(128)\n SES$ACTIONS VARCHAR2(19)\n SES$TID NUMBER\n LOGOFF$LREAD NUMBER\n LOGOFF$PREAD NUMBER\n LOGOFF$LWRITE NUMBER\n LOGOFF$DEAD NUMBER\n LOGOFF$TIME DATE\n COMMENT$TEXT VARCHAR2(4000)\n CLIENTID VARCHAR2(64)\n SPARE1 VARCHAR2(255)\n SPARE2 NUMBER\n OBJ$LABEL RAW(255)\n SES$LABEL RAW(255)\n PRIV$USED NUMBER\n SESSIONCPU NUMBER\n NTIMESTAMP# TIMESTAMP(6)\n PROXY$SID NUMBER\n USER$GUID VARCHAR2(32)\n INSTANCE# NUMBER\n PROCESS# VARCHAR2(16)\n XID RAW(8)\n AUDITID VARCHAR2(64)\n SCN NUMBER\n DBID NUMBER\n SQLBIND CLOB\n SQLTEXT CLOB\n OBJ$EDITION VARCHAR2(30)\n\n If Unified Auditing is used:\n SQL> desc unified_audit_trail;\n Name Null Type\n -------------- ------ ------\n AUDIT_TYPE VARCHAR2(64)\n SESSIONID NUMBER\n PROXY_SESSIONID NUMBER\n OS_USERNAME VARCHAR2(30)\n USERHOST VARCHAR2(128)\n TERMINAL VARCHAR2(30)\n INSTANCE_ID NUMBER\n DBID NUMBER\n AUTHENTICATION_TYPE VARCHAR2(1024)\n DBUSERNAME VARCHAR2(30)\n DBPROXY_USERNAME VARCHAR2(30)\n EXTERNAL_USERID VARCHAR2(1024)\n GLOBAL_USERID VARCHAR2(32)\n CLIENT_PROGRAM_NAME VARCHAR2(48)\n DBLINK_INFO VARCHAR2(4000)\n XS_USER_NAME VARCHAR2(128)\n XS_SESSIONID RAW(33 BYTE)\n ENTRY_ID NUMBER\n STATEMENT_ID NUMBER\n EVENT_TIMESTAMP TIMESTAMP(6) WITH LOCAL TIME ZONE\n ACTION_NAME VARCHAR2(64)\n RETURN_CODE NUMBER\n OS_PROCESS VARCHAR2(16)\n TRANSACTION_ID RAW(8 BYTE)\n SCN NUMBER\n EXECUTION_ID VARCHAR2(64)\n OBJECT_SCHEMA VARCHAR2(30)\n OBJECT_NAME VARCHAR2(128)\n SQL_TEXT CLOB\n SQL_BINDS CLOB\n 
APPLICATION_CONTEXTS VARCHAR2(4000)\n CLIENT_IDENTIFIER VARCHAR2(64)\n NEW_SCHEMA VARCHAR2(30)\n NEW_NAME VARCHAR2(128)\n OBJECT_EDITION VARCHAR2(30)\n SYSTEM_PRIVILEGE_USED VARCHAR2(1024)\n SYSTEM_PRIVILEGE VARCHAR2(40)\n AUDIT_OPTION VARCHAR2(40)\n OBJECT_PRIVILEGES VARCHAR2(19)\n ROLE VARCHAR2(30)\n TARGET_USER VARCHAR2(30)\n EXCLUDED_USER VARCHAR2(30)\n EXCLUDED_SCHEMA VARCHAR2(30)\n EXCLUDED_OBJECT VARCHAR2(128)\n ADDITIONAL_INFO VARCHAR2(4000)\n UNIFIED_AUDIT_POLICIES VARCHAR2(4000)\n FGA_POLICY_NAME VARCHAR2(30)\n XS_INACTIVITY_TIMEOUT NUMBER\n XS_ENTITY_TYPE VARCHAR2(32)\n XS_TARGET_PRINCIPAL_NAME VARCHAR2(30)\n XS_PROXY_USER_NAME VARCHAR2(30)\n XS_DATASEC_POLICY_NAME VARCHAR2(30)\n XS_SCHEMA_NAME VARCHAR2(30)\n XS_CALLBACK_EVENT_TYPE VARCHAR2(32)\n XS_PACKAGE_NAME VARCHAR2(30)\n XS_PROCEDURE_NAME VARCHAR2(30)\n XS_ENABLED_ROLE VARCHAR2(30)\n XS_COOKIE VARCHAR2(1024)\n XS_NS_NAME VARCHAR2(30)\n XS_NS_ATTRIBUTE VARCHAR2(4000)\n XS_NS_ATTRIBUTE_OLD_VAL VARCHAR2(4000)\n XS_NS_ATTRIBUTE_NEW_VAL VARCHAR2(4000)\n DV_ACTION_CODE NUMBER\n DV_ACTION_NAME VARCHAR2(30)\n DV_EXTENDED_ACTION_CODE NUMBER\n DV_GRANTEE VARCHAR2(30)\n DV_RETURN_CODE NUMBER\n DV_ACTION_OBJECT_NAME VARCHAR2(128)\n DV_RULE_SET_NAME VARCHAR2(90)\n DV_COMMENT VARCHAR2(4000)\n DV_FACTOR_CONTEXT VARCHAR2(4000)\n DV_OBJECT_STATUS VARCHAR2(1)\n OLS_POLICY_NAME VARCHAR2(30)\n OLS_GRANTEE VARCHAR2(30)\n OLS_MAX_READ_LABEL VARCHAR2(4000)\n OLS_MAX_WRITE_LABEL VARCHAR2(4000)\n OLS_MIN_WRITE_LABEL VARCHAR2(4000)\n OLS_PRIVILEGES_GRANTED VARCHAR2(30)\n OLS_PROGRAM_UNIT_NAME VARCHAR2(30)\n OLS_PRIVILEGES_USED VARCHAR2(128)\n OLS_STRING_LABEL VARCHAR2(4000)\n OLS_LABEL_COMPONENT_TYPE VARCHAR2(12)\n OLS_LABEL_COMPONENT_NAME VARCHAR2(30)\n OLS_PARENT_GROUP_NAME VARCHAR2(30)\n OLS_OLD_VALUE VARCHAR2(4000)\n OLS_NEW_VALUE VARCHAR2(4000)\n RMAN_SESSION_RECID NUMBER\n RMAN_SESSION_STAMP NUMBER\n RMAN_OPERATION VARCHAR2(20)\n RMAN_OBJECT_TYPE VARCHAR2(20)\n RMAN_DEVICE_TYPE VARCHAR2(5)\n DP_TEXT_PARAMETERS1 
VARCHAR2(512)\n DP_BOOLEAN_PARAMETERS1 VARCHAR2(512)\n DIRECT_PATH_NUM_COLUMNS_LOADED NUMBER", - "fix": "Configure auditing to capture the events listed below where\n available in the DBMS:\n - Unsuccessful logon attempts\n - Account locking events\n - Account disabling from a specific source location\n - Failed database object attempts or attempts to access objects that do not\n exist\n - Other activities that may produce unexpected failures or trigger DBMS\n lockdown actions" + "check": "Review procedures for controlling and granting access to use of\n the DBMS software installation account.\n\n If access or use of this account is not restricted to the minimum number of\n personnel required, or if unauthorized access to the account has been granted,\n this is a finding.", + "fix": "Develop, document, and implement procedures to restrict use of\n the DBMS software installation account." }, - "code": "control 'V-61651' do\n title 'Attempts to bypass access controls must be audited.'\n desc \"Information system auditing capability is critical for accurate\n forensic analysis. 
Audit record content that may be necessary to satisfy the\n requirement of this control includes: timestamps, source and destination\n addresses, user/process identifiers, event descriptions, success/fail\n indications, file names involved, and access control or flow control rules\n invoked.\n\n Detection of suspicious activity, including access attempts and successful\n access from unexpected places, during unexpected times, or other unusual\n indicators can support decisions to apply countermeasures to deter an attack.\n Without detection, malicious activity may proceed without hindrance.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000115-DB-000056'\n tag \"gid\": 'V-61651'\n tag \"rid\": 'SV-76141r1_rule'\n tag \"stig_id\": 'O121-C2-009000'\n tag \"fix_id\": 'F-67565r1_fix'\n tag \"cci\": ['CCI-000158']\n tag \"nist\": ['AU-7 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review any audit settings for:\n - Unsuccessful logon attempts;\n - Account locking events;\n - Account disabling from a specific source location;\n - Failed database object attempts or attempts to access objects that do not\n exist; and\n - Other activities that may produce unexpected failures or trigger DBMS\n lockdown actions.\n\n If any of the above events as applicable to the DBMS are not audited, this is a\n finding.\n\n - - - - - -\n Check the current users in the database to see what profile they are assigned.\n The logon attempts past a site-defined allowable number, along with account\n locking, is best performed using a profile that defines the limits on these\n activities as designed by the DBA at a specific site. 
Failed database object\n access or attempt to access objects is monitored by auditing. Checking other\n activities that may produce unexpected failures or trigger database lockdown\n procedures is possible, but the check for the existence of those procedures is\n not possible unless they are defined.\n\n Check to see what profiles exist for the different users of the database.\n\n SQL>col name format a20\n col username format a21\n col profile format a10\n col \\\"tmp tba\\\" format a10\n select u.username,\n u.default_tablespace,\n u.temporary_tablespace \\\"TMP TBS\\\",\n u.profile,\n r.granted_role,\n r.admin_option,\n r.default_role\n from sys.dba_users u,\n sys.dba_role_privs r\n where u.username = r.grantee (+)\n group by u.username,\n u.default_tablespace,\n u.temporary_tablespace,\n u.profile,\n r.granted_role,\n r.admin_option,\n r.default_role;\n\n View existing profiles and see what their settings are.\n\n SQL> select profile, resource_name, limit\n from dba_profiles\n order by profile, resource_name;\n\n This is the audit table. Specific actions are logged in this table.\n\n If Standard Auditing is used:\n SQL> desc aud$;\n Name Null? 
Type\n ----------------- ------- ------\n SESSIONID NOT NULL NUMBER\n ENTRYID NOT NULL NUMBER\n STATEMENT NOT NULL NUMBER\n TIMESTAMP# DATE\n USERID VARCHAR2(30)\n USERHOST VARCHAR2(128)\n TERMINAL VARCHAR2(255)\n ACTION# NOT NULL NUMBER\n RETURNCODE NOT NULL NUMBER\n OBJ$CREATOR VARCHAR2(30)\n OBJ$NAME VARCHAR2(128)\n AUTH$PRIVILEGES VARCHAR2(16)\n AUTH$GRANTEE VARCHAR2(30)\n NEW$OWNER VARCHAR2(30)\n NEW$NAME VARCHAR2(128)\n SES$ACTIONS VARCHAR2(19)\n SES$TID NUMBER\n LOGOFF$LREAD NUMBER\n LOGOFF$PREAD NUMBER\n LOGOFF$LWRITE NUMBER\n LOGOFF$DEAD NUMBER\n LOGOFF$TIME DATE\n COMMENT$TEXT VARCHAR2(4000)\n CLIENTID VARCHAR2(64)\n SPARE1 VARCHAR2(255)\n SPARE2 NUMBER\n OBJ$LABEL RAW(255)\n SES$LABEL RAW(255)\n PRIV$USED NUMBER\n SESSIONCPU NUMBER\n NTIMESTAMP# TIMESTAMP(6)\n PROXY$SID NUMBER\n USER$GUID VARCHAR2(32)\n INSTANCE# NUMBER\n PROCESS# VARCHAR2(16)\n XID RAW(8)\n AUDITID VARCHAR2(64)\n SCN NUMBER\n DBID NUMBER\n SQLBIND CLOB\n SQLTEXT CLOB\n OBJ$EDITION VARCHAR2(30)\n\n If Unified Auditing is used:\n SQL> desc unified_audit_trail;\n Name Null Type\n -------------- ------ ------\n AUDIT_TYPE VARCHAR2(64)\n SESSIONID NUMBER\n PROXY_SESSIONID NUMBER\n OS_USERNAME VARCHAR2(30)\n USERHOST VARCHAR2(128)\n TERMINAL VARCHAR2(30)\n INSTANCE_ID NUMBER\n DBID NUMBER\n AUTHENTICATION_TYPE VARCHAR2(1024)\n DBUSERNAME VARCHAR2(30)\n DBPROXY_USERNAME VARCHAR2(30)\n EXTERNAL_USERID VARCHAR2(1024)\n GLOBAL_USERID VARCHAR2(32)\n CLIENT_PROGRAM_NAME VARCHAR2(48)\n DBLINK_INFO VARCHAR2(4000)\n XS_USER_NAME VARCHAR2(128)\n XS_SESSIONID RAW(33 BYTE)\n ENTRY_ID NUMBER\n STATEMENT_ID NUMBER\n EVENT_TIMESTAMP TIMESTAMP(6) WITH LOCAL TIME ZONE\n ACTION_NAME VARCHAR2(64)\n RETURN_CODE NUMBER\n OS_PROCESS VARCHAR2(16)\n TRANSACTION_ID RAW(8 BYTE)\n SCN NUMBER\n EXECUTION_ID VARCHAR2(64)\n OBJECT_SCHEMA VARCHAR2(30)\n OBJECT_NAME VARCHAR2(128)\n SQL_TEXT CLOB\n SQL_BINDS CLOB\n APPLICATION_CONTEXTS VARCHAR2(4000)\n CLIENT_IDENTIFIER VARCHAR2(64)\n NEW_SCHEMA VARCHAR2(30)\n NEW_NAME 
VARCHAR2(128)\n OBJECT_EDITION VARCHAR2(30)\n SYSTEM_PRIVILEGE_USED VARCHAR2(1024)\n SYSTEM_PRIVILEGE VARCHAR2(40)\n AUDIT_OPTION VARCHAR2(40)\n OBJECT_PRIVILEGES VARCHAR2(19)\n ROLE VARCHAR2(30)\n TARGET_USER VARCHAR2(30)\n EXCLUDED_USER VARCHAR2(30)\n EXCLUDED_SCHEMA VARCHAR2(30)\n EXCLUDED_OBJECT VARCHAR2(128)\n ADDITIONAL_INFO VARCHAR2(4000)\n UNIFIED_AUDIT_POLICIES VARCHAR2(4000)\n FGA_POLICY_NAME VARCHAR2(30)\n XS_INACTIVITY_TIMEOUT NUMBER\n XS_ENTITY_TYPE VARCHAR2(32)\n XS_TARGET_PRINCIPAL_NAME VARCHAR2(30)\n XS_PROXY_USER_NAME VARCHAR2(30)\n XS_DATASEC_POLICY_NAME VARCHAR2(30)\n XS_SCHEMA_NAME VARCHAR2(30)\n XS_CALLBACK_EVENT_TYPE VARCHAR2(32)\n XS_PACKAGE_NAME VARCHAR2(30)\n XS_PROCEDURE_NAME VARCHAR2(30)\n XS_ENABLED_ROLE VARCHAR2(30)\n XS_COOKIE VARCHAR2(1024)\n XS_NS_NAME VARCHAR2(30)\n XS_NS_ATTRIBUTE VARCHAR2(4000)\n XS_NS_ATTRIBUTE_OLD_VAL VARCHAR2(4000)\n XS_NS_ATTRIBUTE_NEW_VAL VARCHAR2(4000)\n DV_ACTION_CODE NUMBER\n DV_ACTION_NAME VARCHAR2(30)\n DV_EXTENDED_ACTION_CODE NUMBER\n DV_GRANTEE VARCHAR2(30)\n DV_RETURN_CODE NUMBER\n DV_ACTION_OBJECT_NAME VARCHAR2(128)\n DV_RULE_SET_NAME VARCHAR2(90)\n DV_COMMENT VARCHAR2(4000)\n DV_FACTOR_CONTEXT VARCHAR2(4000)\n DV_OBJECT_STATUS VARCHAR2(1)\n OLS_POLICY_NAME VARCHAR2(30)\n OLS_GRANTEE VARCHAR2(30)\n OLS_MAX_READ_LABEL VARCHAR2(4000)\n OLS_MAX_WRITE_LABEL VARCHAR2(4000)\n OLS_MIN_WRITE_LABEL VARCHAR2(4000)\n OLS_PRIVILEGES_GRANTED VARCHAR2(30)\n OLS_PROGRAM_UNIT_NAME VARCHAR2(30)\n OLS_PRIVILEGES_USED VARCHAR2(128)\n OLS_STRING_LABEL VARCHAR2(4000)\n OLS_LABEL_COMPONENT_TYPE VARCHAR2(12)\n OLS_LABEL_COMPONENT_NAME VARCHAR2(30)\n OLS_PARENT_GROUP_NAME VARCHAR2(30)\n OLS_OLD_VALUE VARCHAR2(4000)\n OLS_NEW_VALUE VARCHAR2(4000)\n RMAN_SESSION_RECID NUMBER\n RMAN_SESSION_STAMP NUMBER\n RMAN_OPERATION VARCHAR2(20)\n RMAN_OBJECT_TYPE VARCHAR2(20)\n RMAN_DEVICE_TYPE VARCHAR2(5)\n DP_TEXT_PARAMETERS1 VARCHAR2(512)\n DP_BOOLEAN_PARAMETERS1 VARCHAR2(512)\n DIRECT_PATH_NUM_COLUMNS_LOADED NUMBER\"\n tag \"fix\": 
\"Configure auditing to capture the events listed below where\n available in the DBMS:\n - Unsuccessful logon attempts\n - Account locking events\n - Account disabling from a specific source location\n - Failed database object attempts or attempts to access objects that do not\n exist\n - Other activities that may produce unexpected failures or trigger DBMS\n lockdown actions\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n standard_auditing_used = input('standard_auditing_used')\n unified_auditing_used = input('unified_auditing_used')\n\n describe.one do\n describe 'Standard auditing is in use for audit purposes' do\n subject { standard_auditing_used }\n it { should be true }\n end\n\n describe 'Unified auditing is in use for audit purposes' do\n subject { unified_auditing_used }\n it { should be true }\n end\n end\n\n audit_trail = sql.query(\"select value from v$parameter where name = 'audit_trail';\").column('value')\n audit_info_captured = sql.query('SELECT EVENT_TIMESTAMP FROM UNIFIED_AUDIT_TRAIL ORDER BY EVENT_TIMESTAMP DESC FETCH FIRST 10 ROWS ONLY;').column('event_timestamp')\n\n if standard_auditing_used\n describe 'The oracle database audit_trail parameter' do\n subject { audit_trail }\n it { should_not cmp 'NONE' }\n end\n end\n\n unified_auditing = sql.query(\"SELECT value FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';\").column('value')\n\n if unified_auditing_used\n describe 'The oracle database unified auditing parameter' do\n subject { unified_auditing }\n it { should_not cmp 'FALSE' }\n end\n\n describe 'The oracle database unified auditing events captured' do\n subject { audit_info_captured }\n it { should_not be_empty }\n end\n\n end\nend\n", + "code": "control 'V-61873' do\n title \"The DBMS software installation account must be restricted to\n authorized users.\"\n desc \"When dealing with change control issues, it should 
be noted, any\n changes to the hardware, software, and/or firmware components of the\n information system and/or application can potentially have significant effects\n on the overall security of the system.\n\n If the application were to allow any user to make changes to software\n libraries, then those changes might be implemented without undergoing the\n appropriate testing and approvals that are part of a robust change management\n process.\n\n This requirement is contingent upon the language in which the application\n is programmed, as many application architectures in use today incorporate their\n software libraries into, and make them inseparable from, their compiled\n distributions, rendering them static and version-dependent. However, this\n requirement does apply to applications with software libraries accessible and\n configurable, as in the case of interpreted languages.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n DBA and other privileged administrative or application owner accounts are\n granted privileges that allow actions that can have a greater impact on\n database security and operation. It is especially important to grant access to\n privileged accounts to only those persons who are qualified and authorized to\n use them.\n\n This requirement is particularly important because Oracle equates the\n installation account with the SYS account - the super-DBA. Once logged on to\n the operating system, this account can connect to the database AS SYSDBA\n without further authentication. 
It is very powerful and, by virtue of not\n being linked to any one person, cannot be audited to the level of the\n individual.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000133-DB-000198'\n tag \"gid\": 'V-61873'\n tag \"rid\": 'SV-76363r1_rule'\n tag \"stig_id\": 'O121-P2-010800'\n tag \"fix_id\": 'F-67789r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review procedures for controlling and granting access to use of\n the DBMS software installation account.\n\n If access or use of this account is not restricted to the minimum number of\n personnel required, or if unauthorized access to the account has been granted,\n this is a finding.\"\n tag \"fix\": \"Develop, document, and implement procedures to restrict use of\n the DBMS software installation account.\"\n describe 'A manual review is required to ensure the DBMS software installation account is restricted to\n authorized users' do\n\n skip 'A manual review is required to ensure the DBMS software installation account is restricted to\n authorized users'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61651.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61873.rb", "line": 1 }, - "id": "V-61651" + "id": "V-61873" }, { "title": "The DBMS must limit the number of concurrent sessions for each system\n account to an organization-defined number of sessions.", 
@@ -934,28 +816,28 @@ "id": "V-61967" }, { - "title": "The DBMS must verify account lockouts persist until reset by an\n administrator.", - "desc": "Anytime an authentication method is exposed, to allow for the\n utilization of an application, there is a risk that attempts will be made to\n obtain unauthorized access.\n \n To defeat these attempts, organizations define the number of times a user\n account may consecutively fail a logon attempt. The organization also defines\n the period of time in which these consecutive failed attempts may occur.\n \n By limiting the number of failed logon attempts, the risk of unauthorized\n system access via user password guessing, otherwise known as brute forcing, is\n reduced. Limits are imposed by locking the account.\n \n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", + "title": "Database software, applications, and configuration files must be\n monitored to discover unauthorized changes.", + "desc": "Any changes to the hardware, software, and/or firmware components of\n the information system and/or application can potentially have significant\n effects on the overall security of the system.\n\n If the system were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations.", "descriptions": { - "default": "Anytime an authentication method is exposed, to allow for the\n utilization of an application, there is a risk that attempts will be made to\n obtain unauthorized access.\n \n To defeat these attempts, organizations define the number of times a user\n account may consecutively fail a logon attempt. The organization also defines\n the period of time in which these consecutive failed attempts may occur.\n \n By limiting the number of failed logon attempts, the risk of unauthorized\n system access via user password guessing, otherwise known as brute forcing, is\n reduced. Limits are imposed by locking the account.\n \n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." + "default": "Any changes to the hardware, software, and/or firmware components of\n the information system and/or application can potentially have significant\n effects on the overall security of the system.\n\n If the system were to allow any user to make changes to software libraries,\n then those changes might be implemented without undergoing the appropriate\n testing and approvals that are part of a robust change management process.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database software libraries or\n configuration can lead to unauthorized or compromised installations." }, - "impact": 0.5, + "impact": 0, "refs": [ { "ref": [] } ], "tags": { - "gtitle": "SRG-APP-000065-DB-000024", - "gid": "V-61603", - "rid": "SV-76093r2_rule", - "stig_id": "O121-C2-004900", - "fix_id": "F-67519r1_fix", + "gtitle": "SRG-APP-000133-DB-000179", + "gid": "V-61867", + "rid": "SV-76357r2_rule", + "stig_id": "O121-OS-010700", + "fix_id": "F-67783r2_fix", "cci": [ - "CCI-002236" + "CCI-001499" ], "nist": [ - "AC-7 b", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -968,30 +850,30 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The account lockout duration is defined in the profile assigned\n to a user.\n \n To see what profile is assigned to a user, enter the query:\n \n SQL>SELECT profile FROM dba_users WHERE username = ''\n \n This will return the profile name assigned to that user.\n \n The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle\n 12.1.0.2) to satisfy the STIG requirements pertaining to the profile\n parameters. Oracle recommends that this profile be customized with any\n site-specific requirements and assigned to all users where applicable. Note:\n It remains necessary to create a customized replacement for the password\n validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this\n technique to verify password complexity.\n \n Now check the values assigned to the profile returned from the query above:\n \n column profile format a20\n column limit format a20\n SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n 'ORA_STIG_PROFILE';\n \n Check the settings for password_lock_time - this specifies how long to lock the\n account after the number of consecutive failed logon attempts reaches the\n limit. If the value is not UNLIMITED, this is a finding.", - "fix": "Configure the DBMS settings to specify indefinite lockout\n duration:\n ALTER PROFILE ORA_STIG_PROFILE LIMIT PASSWORD_LOCK_TIME UNLIMITED;" + "check": "Review monitoring procedures and implementation evidence to\n verify that monitoring of changes to database software libraries, related\n applications, and configuration files is done.\n\n Verify that the list of files and directories being monitored is complete. If\n monitoring does not occur or is not complete, this is a finding.", + "fix": "Implement procedures to monitor for unauthorized changes to DBMS\n software libraries, related software application libraries, and configuration\n files. 
If a third-party automated tool is not employed, an automated job that\n reports file information on the directories and files of interest and compares\n them to the baseline report for the same will meet the requirement.\n\n File hashes or checksums should be used for comparisons since file dates may be\n manipulated by malicious users." }, - "code": " control 'V-61603' do\n title \"The DBMS must verify account lockouts persist until reset by an\n administrator.\"\n desc \"Anytime an authentication method is exposed, to allow for the\n utilization of an application, there is a risk that attempts will be made to\n obtain unauthorized access.\n \n To defeat these attempts, organizations define the number of times a user\n account may consecutively fail a logon attempt. The organization also defines\n the period of time in which these consecutive failed attempts may occur.\n \n By limiting the number of failed logon attempts, the risk of unauthorized\n system access via user password guessing, otherwise known as brute forcing, is\n reduced. Limits are imposed by locking the account.\n \n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. 
This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000065-DB-000024'\n tag \"gid\": 'V-61603'\n tag \"rid\": 'SV-76093r2_rule'\n tag \"stig_id\": 'O121-C2-004900'\n tag \"fix_id\": 'F-67519r1_fix'\n tag \"cci\": ['CCI-002236']\n tag \"nist\": ['AC-7 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The account lockout duration is defined in the profile assigned\n to a user.\n \n To see what profile is assigned to a user, enter the query:\n \n SQL>SELECT profile FROM dba_users WHERE username = ''\n \n This will return the profile name assigned to that user.\n \n The user profile, ORA_STIG_PROFILE, has been provided (starting with Oracle\n 12.1.0.2) to satisfy the STIG requirements pertaining to the profile\n parameters. Oracle recommends that this profile be customized with any\n site-specific requirements and assigned to all users where applicable. Note:\n It remains necessary to create a customized replacement for the password\n validation function, ORA12C_STRONG_VERIFY_FUNCTION, if relying on this\n technique to verify password complexity.\n \n Now check the values assigned to the profile returned from the query above:\n \n column profile format a20\n column limit format a20\n SQL>SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n 'ORA_STIG_PROFILE';\n \n Check the settings for password_lock_time - this specifies how long to lock the\n account after the number of consecutive failed logon attempts reaches the\n limit. 
If the value is not UNLIMITED, this is a finding.\"\n tag \"fix\": \"Configure the DBMS settings to specify indefinite lockout\n duration:\n ALTER PROFILE ORA_STIG_PROFILE LIMIT PASSWORD_LOCK_TIME UNLIMITED;\"\n \n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n \n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_LOCK_TIME'\n }\n \n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n \n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_lock_time = sql.query(format(query, profile: profile)).column('limit')\n \n describe \"The oracle database account password lock time for profile: #{profile}\" do\n subject { password_lock_time }\n it { should cmp 'UNLIMITED' }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\n end\n", + "code": " control 'V-61867' do\n impact 0.0\n describe 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on' do\n skip 'This control is not applicable on oracle within aws rds, as aws manages the operating system in which the oracle database is running on'\n end\n end\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61603.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61867.rb", "line": 1 }, - "id": "V-61603" + "id": "V-61867" }, { - "title": "Database job/batch queues must be reviewed regularly to detect\n unauthorized database job submissions.", - "desc": "Unauthorized users may bypass security mechanisms by submitting jobs\n to job queues managed by the database to be run under a 
more privileged\n security context of the database or host system. These queues must be monitored\n regularly to detect any such unauthorized job submissions.", + "title": "The DBMS must support the disabling of network protocols deemed by the\n organization to be nonsecure.", + "desc": "This requirement is related to remote access, but more specifically to\n the networking protocols allowing systems to communicate. Remote access is any\n access to an organizational information system by a user (or an information\n system) communicating through an external, non-organization controlled network\n (e.g., the Internet). Examples of remote access methods include dial-up,\n broadband, and wireless.\n\n Some networking protocols allowing remote access may not meet security\n requirements to protect data and components. Bluetooth and peer-to-peer\n networking are examples of less than secure networking protocols.\n\n The DoD Ports, Protocols, and Services Management (PPSM) program provides\n implementation guidance on the use of IP protocols and application and data\n services traversing the DoD Networks in a manner supporting net-centric\n operations.\n\n Applications implementing or utilizing remote access network protocols need\n to ensure the application is developed and implemented in accordance with the\n PPSM requirements. In situations where it has been determined that specific\n operational requirements outweigh the risks of enabling an insecure network\n protocol, the organization may pursue a risk acceptance.\n\n Using protocols deemed nonsecure would compromise the ability of the DBMS\n to operate in a secure fashion. The database must be able to disable network\n protocols deemed nonsecure.", "descriptions": { - "default": "Unauthorized users may bypass security mechanisms by submitting jobs\n to job queues managed by the database to be run under a more privileged\n security context of the database or host system. 
These queues must be monitored\n regularly to detect any such unauthorized job submissions." + "default": "This requirement is related to remote access, but more specifically to\n the networking protocols allowing systems to communicate. Remote access is any\n access to an organizational information system by a user (or an information\n system) communicating through an external, non-organization controlled network\n (e.g., the Internet). Examples of remote access methods include dial-up,\n broadband, and wireless.\n\n Some networking protocols allowing remote access may not meet security\n requirements to protect data and components. Bluetooth and peer-to-peer\n networking are examples of less than secure networking protocols.\n\n The DoD Ports, Protocols, and Services Management (PPSM) program provides\n implementation guidance on the use of IP protocols and application and data\n services traversing the DoD Networks in a manner supporting net-centric\n operations.\n\n Applications implementing or utilizing remote access network protocols need\n to ensure the application is developed and implemented in accordance with the\n PPSM requirements. In situations where it has been determined that specific\n operational requirements outweigh the risks of enabling an insecure network\n protocol, the organization may pursue a risk acceptance.\n\n Using protocols deemed nonsecure would compromise the ability of the DBMS\n to operate in a secure fashion. The database must be able to disable network\n protocols deemed nonsecure." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000516-DB-999900", - "gid": "V-61449", - "rid": "SV-75939r3_rule", - "stig_id": "O121-BP-023100", - "fix_id": "F-67365r2_fix", + "gtitle": "SRG-APP-000020-DB-000194", + "gid": "V-61555", + "rid": "SV-76045r1_rule", + "stig_id": "O121-C2-001700", + "fix_id": "F-67471r1_fix", "cci": [ "CCI-000366" ], 
@@ -1009,35 +891,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER\n in Oracle versions 10.1 and higher, though it continues to be supported for\n backward compatibility.\n\n Run this query:\n select value from v$parameter where name = 'job_queue_processes';\n\n Run this query:\n select value from all_scheduler_global_attribute\n where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';\n\n To understand the relationship between these settings, review:\n https://docs.oracle.com/database/121/ADMIN/appendix_a.htm#ADMIN11002\n\n Review documented and implemented procedures for monitoring the Oracle DBMS\n job/batch queues for unauthorized submissions. If procedures for job queue\n review are not defined, documented or evidence of implementation does not\n exist, this is a finding.\n\n Job queue information is available from the DBA_JOBS view. The following\n command lists jobs submitted to the queue. DBMS_JOB does not generate a\n 'history' of previous job executions.\n\n Run this query:\n select job, next_date, next_sec, failures, broken from dba_jobs;\n\n Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. 
The\n following command lists jobs submitted to the queue.\n\n Run this query:\n select owner, job_name, state, job_class, job_type, job_action\n from dba_scheduler_jobs;", - "fix": "Develop, document and implement procedures to monitor the\n database job queues for unauthorized job submissions.\n\n Develop, document and implement a formal migration plan to convert jobs using\n DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher.\n (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those\n for refreshing materialized views.)\n\n Set the value of the job_queue_processes parameter to a low value to restrict\n concurrent DBMS_JOB executions.\n\n Use auditing to capture use of the DBMS_JOB package in the audit trail. Review\n the audit trail for unauthorized use of the DBMS_JOB package." + "check": "Review the PPSM Technical Assurance List to acquire an\n up-to-date list of network protocols deemed nonsecure.\n (For definitive information on Ports, Protocols and Services Management (PPSM),\n refer to\n http://www.disa.mil/Services/Network-Services/Enterprise-Connections/PPSM)\n\n Review DBMS settings to determine if the database is utilizing any network\n protocols deemed nonsecure. If the DBMS is not using any network protocols\n deemed nonsecure, this is not a finding.\n\n If the database is utilizing protocols specified as nonsecure in the PPSM,\n verify the protocols are explicitly identified in the System Security Plan and\n that they are in support of specific operational requirements. 
If they are not\n identified in the SSP or are not supporting specific operational requirements,\n this is a finding.\n\n If nonsecure network protocols are not being used but are not disabled in the\n DBMS's configuration, this is a finding.\n\n After determining the site-specific operational requirements and which\n protocols are explicitly defined in the System Security Plan, check the\n $TNS_ADMIN setting for the location of the Oracle listener.ora file. The\n listener.ora file is a configuration file for Oracle Net Listener that\n identifies the following:\n\n A unique name for the listener, typically LISTENER\n A protocol address that it is accepting connection requests on, and\n A service it is listening for.\n\n If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed\n nonsecure, that is a finding.\n\n LISTENER=\n (DESCRIPTION=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))\n (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))\n SID_LIST_LISTENER=\n (SID_LIST=\n (SID_DESC=\n (GLOBAL_DBNAME=sales.us.example.com)\n (ORACLE_HOME=/oracle12c)\n (SID_NAME=sales))\n (SID_DESC=\n (SID_NAME=plsextproc)\n (ORACLE_HOME=/oracle12c)\n (PROGRAM=extproc)))\n\n Protocol Parameters\n\n The Oracle Listener and the Oracle Connection Manager are identified by\n protocol addresses. The information below contains the \"Protocol-Specific\n Parameters\" used by the Oracle protocol support.\n\n Protocol-Specific Parameters\n\n Protocol: IPC Parameter: PROTOCOL Notes: Specify ipc as the value.\n Protocol: IPC Parameter: KEY Notes: Specify a unique name for the\n service. 
Oracle recommends using the service name or SID of the service.\n Example: (PROTOCOL=ipc)(KEY=sales)\n\n Protocol: Named Pipes Parameter: PROTOCOL Notes: Specify nmp as the value.\n Protocol: Named Pipes Parameter: SERVER Notes: Specify the name of the\n Oracle server.\n Protocol: Named Pipes Parameter: PIPE Notes: Specify the pipe name used\n to connect to the database server.\n This is the same PIPE keyword specified on the server with Named Pipes. This\n name can be any name.\n Example: (Protocol=nmp) (SERVER=USDOD) (PIPE=dbpipe01)\n\n Protocol: SDP Parameter: PROTOCOL Notes: Specify sdp as the value.\n Protocol: SDP Parameter: HOST Notes: Specify the host name or IP\n address of the computer.\n Protocol: SDP Parameter: PORT Notes: Specify the listening port number.\n Example: (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521)\n (PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521)\n\n Protocol: TCP/IP Parameter: PROTOCOL Notes: Specify TCP as the value.\n Protocol: TCP/IP Parameter: HOST Notes: Specify the host name or IP\n address of the computer.\n Protocol: TCP/IP Parameter: PORT Notes: Specify the listening port number.\n Example: (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)\n (PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521)\n\n Protocol: TCP/IP with TLS Parameter: PROTOCOL Notes: Specify tcps as the\n value.\n Protocol: TCP/IP with TLS Parameter: HOST Notes: Specify the host name or\n IP address of the computer.\n Protocol: TCP/IP with TLS Parameter: PORT Notes: Specify the listening\n port number.\n\n Example:(PROTOCOL=tcps)(HOST=sales-server) (PORT=2484)\n (PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)", + "fix": "Disable any network protocol listed as nonsecure in the PPSM\n documentation.\n\n To disable the protocol deemed not secure, stop the listener by issuing the\n following command as the Oracle Software owner, typically Oracle.\n $ lsnrctl stop\n This will stop the listener. 
Edit the LISTENER.ORA file and remove the\n protocols deemed not secure and restart the listener.\n\n For example, if TCP was deemed as not secure, the listener.ora would need to be\n changed and the tcp entry would need to be removed. That would only allow the\n listener to listen for an IPC connection.\n\n LISTENER=\n (DESCRIPTION=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) - remove this line\n and properly balance the parentheses -\n (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))\n SID_LIST_LISTENER=\n (SID_LIST=\n (SID_DESC=\n (GLOBAL_DBNAME=sales.us.example.com)\n (ORACLE_HOME=/oracle12c)\n (SID_NAME=sales))\n (SID_DESC=\n (SID_NAME=plsextproc)\n (ORACLE_HOME=/oracle12c)\n (PROGRAM=extproc)))\n\n Revise the client side TNSNAMES.ORA to align the PROTOCOL value in the PROTOCOL\n portion of the connect string. For example, if TCP was deemed as not secure\n and the listener.ora was changed to listen for an IPC connection the code below\n would be required:\n\n net_service_name=\n (DESCRIPTION=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521))\n (ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521))\n (CONNECT_DATA=\n (SERVICE_NAME=sales.us.example.com)))" }, - "code": "control 'V-61449' do\n title \"Database job/batch queues must be reviewed regularly to detect\n unauthorized database job submissions.\"\n desc \"Unauthorized users may bypass security mechanisms by submitting jobs\n to job queues managed by the database to be run under a more privileged\n security context of the database or host system. 
These queues must be monitored\n regularly to detect any such unauthorized job submissions.\"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000516-DB-999900'\n tag \"gid\": 'V-61449'\n tag \"rid\": 'SV-75939r3_rule'\n tag \"stig_id\": 'O121-BP-023100'\n tag \"fix_id\": 'F-67365r2_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER\n in Oracle versions 10.1 and higher, though it continues to be supported for\n backward compatibility.\n\n Run this query:\n select value from v$parameter where name = 'job_queue_processes';\n\n Run this query:\n select value from all_scheduler_global_attribute\n where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';\n\n To understand the relationship between these settings, review:\n https://docs.oracle.com/database/121/ADMIN/appendix_a.htm#ADMIN11002\n\n Review documented and implemented procedures for monitoring the Oracle DBMS\n job/batch queues for unauthorized submissions. If procedures for job queue\n review are not defined, documented or evidence of implementation does not\n exist, this is a finding.\n\n Job queue information is available from the DBA_JOBS view. The following\n command lists jobs submitted to the queue. DBMS_JOB does not generate a\n 'history' of previous job executions.\n\n Run this query:\n select job, next_date, next_sec, failures, broken from dba_jobs;\n\n Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. 
The\n following command lists jobs submitted to the queue.\n\n Run this query:\n select owner, job_name, state, job_class, job_type, job_action\n from dba_scheduler_jobs;\"\n tag \"fix\": \"Develop, document and implement procedures to monitor the\n database job queues for unauthorized job submissions.\n\n Develop, document and implement a formal migration plan to convert jobs using\n DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher.\n (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those\n for refreshing materialized views.)\n\n Set the value of the job_queue_processes parameter to a low value to restrict\n concurrent DBMS_JOB executions.\n\n Use auditing to capture use of the DBMS_JOB package in the audit trail. Review\n the audit trail for unauthorized use of the DBMS_JOB package.\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n database_jobs = sql.query(\"select owner, job_name, state, job_class, job_type, job_action\n from dba_scheduler_jobs;\").column('job_name')\n\n describe \"You must manually review the database jobs to detect unauthorized database job submissions. The jobs to review are: #{database_jobs}\" do\n skip \"You must manually review the database jobs to detect unauthorized database job submissions. The jobs to review are: #{database_jobs}\"\n end\nend\n", + "code": "control 'V-61555' do\n title \"The DBMS must support the disabling of network protocols deemed by the\n organization to be nonsecure.\"\n desc \"This requirement is related to remote access, but more specifically to\n the networking protocols allowing systems to communicate. Remote access is any\n access to an organizational information system by a user (or an information\n system) communicating through an external, non-organization controlled network\n (e.g., the Internet). 
Examples of remote access methods include dial-up,\n broadband, and wireless.\n\n Some networking protocols allowing remote access may not meet security\n requirements to protect data and components. Bluetooth and peer-to-peer\n networking are examples of less than secure networking protocols.\n\n The DoD Ports, Protocols, and Services Management (PPSM) program provides\n implementation guidance on the use of IP protocols and application and data\n services traversing the DoD Networks in a manner supporting net-centric\n operations.\n\n Applications implementing or utilizing remote access network protocols need\n to ensure the application is developed and implemented in accordance with the\n PPSM requirements. In situations where it has been determined that specific\n operational requirements outweigh the risks of enabling an insecure network\n protocol, the organization may pursue a risk acceptance.\n\n Using protocols deemed nonsecure would compromise the ability of the DBMS\n to operate in a secure fashion. 
The database must be able to disable network\n protocols deemed nonsecure.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000020-DB-000194'\n tag \"gid\": 'V-61555'\n tag \"rid\": 'SV-76045r1_rule'\n tag \"stig_id\": 'O121-C2-001700'\n tag \"fix_id\": 'F-67471r1_fix'\n tag \"cci\": ['CCI-000366']\n tag \"nist\": ['CM-6 b', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review the PPSM Technical Assurance List to acquire an\n up-to-date list of network protocols deemed nonsecure.\n (For definitive information on Ports, Protocols and Services Management (PPSM),\n refer to\n http://www.disa.mil/Services/Network-Services/Enterprise-Connections/PPSM)\n\n Review DBMS settings to determine if the database is utilizing any network\n protocols deemed nonsecure. If the DBMS is not using any network protocols\n deemed nonsecure, this is not a finding.\n\n If the database is utilizing protocols specified as nonsecure in the PPSM,\n verify the protocols are explicitly identified in the System Security Plan and\n that they are in support of specific operational requirements. If they are not\n identified in the SSP or are not supporting specific operational requirements,\n this is a finding.\n\n If nonsecure network protocols are not being used but are not disabled in the\n DBMS's configuration, this is a finding.\n\n After determining the site-specific operational requirements and which\n protocols are explicitly defined in the System Security Plan, check the\n $TNS_ADMIN setting for the location of the Oracle listener.ora file. 
The\n listener.ora file is a configuration file for Oracle Net Listener that\n identifies the following:\n\n A unique name for the listener, typically LISTENER\n A protocol address that it is accepting connection requests on, and\n A service it is listening for.\n\n If the listener.ora file shows a PROTOCOL= statement and the PROTOCOL is deemed\n nonsecure, that is a finding.\n\n LISTENER=\n (DESCRIPTION=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521))\n (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))\n SID_LIST_LISTENER=\n (SID_LIST=\n (SID_DESC=\n (GLOBAL_DBNAME=sales.us.example.com)\n (ORACLE_HOME=/oracle12c)\n (SID_NAME=sales))\n (SID_DESC=\n (SID_NAME=plsextproc)\n (ORACLE_HOME=/oracle12c)\n (PROGRAM=extproc)))\n\n Protocol Parameters\n\n The Oracle Listener and the Oracle Connection Manager are identified by\n protocol addresses. The information below contains the \\\"Protocol-Specific\n Parameters\\\" used by the Oracle protocol support.\n\n Protocol-Specific Parameters\n\n Protocol: IPC Parameter: PROTOCOL Notes: Specify ipc as the value.\n Protocol: IPC Parameter: KEY Notes: Specify a unique name for the\n service. Oracle recommends using the service name or SID of the service.\n Example: (PROTOCOL=ipc)(KEY=sales)\n\n Protocol: Named Pipes Parameter: PROTOCOL Notes: Specify nmp as the value.\n Protocol: Named Pipes Parameter: SERVER Notes: Specify the name of the\n Oracle server.\n Protocol: Named Pipes Parameter: PIPE Notes: Specify the pipe name used\n to connect to the database server.\n This is the same PIPE keyword specified on the server with Named Pipes. 
This\n name can be any name.\n Example: (Protocol=nmp) (SERVER=USDOD) (PIPE=dbpipe01)\n\n Protocol: SDP Parameter: PROTOCOL Notes: Specify sdp as the value.\n Protocol: SDP Parameter: HOST Notes: Specify the host name or IP\n address of the computer.\n Protocol: SDP Parameter: PORT Notes: Specify the listening port number.\n Example: (PROTOCOL=sdp)(HOST=sales-server)(PORT=1521)\n (PROTOCOL=sdp)(HOST=192.168.2.204)(PORT=1521)\n\n Protocol: TCP/IP Parameter: PROTOCOL Notes: Specify TCP as the value.\n Protocol: TCP/IP Parameter: HOST Notes: Specify the host name or IP\n address of the computer.\n Protocol: TCP/IP Parameter: PORT Notes: Specify the listening port number.\n Example: (PROTOCOL=tcp)(HOST=sales-server)(PORT=1521)\n (PROTOCOL=tcp)(HOST=192.168.2.204)(PORT=1521)\n\n Protocol: TCP/IP with TLS Parameter: PROTOCOL Notes: Specify tcps as the\n value.\n Protocol: TCP/IP with TLS Parameter: HOST Notes: Specify the host name or\n IP address of the computer.\n Protocol: TCP/IP with TLS Parameter: PORT Notes: Specify the listening\n port number.\n\n Example:(PROTOCOL=tcps)(HOST=sales-server) (PORT=2484)\n (PROTOCOL=tcps)(HOST=192.168.2.204)(PORT=2484)\"\n tag \"fix\": \"Disable any network protocol listed as nonsecure in the PPSM\n documentation.\n\n To disable the protocol deemed not secure, stop the listener by issuing the\n following command as the Oracle Software owner, typically Oracle.\n $ lsnrctl stop\n This will stop the listener. Edit the LISTENER.ORA file and remove the\n protocols deemed not secure and restart the listener.\n\n For example, if TCP was deemed as not secure, the listener.ora would need to be\n changed and the tcp entry would need to be removed. 
That would only allow the\n listener to listen for an IPC connection.\n\n LISTENER=\n (DESCRIPTION=\n (ADDRESS_LIST=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sale-server)(PORT=1521)) - remove this line\n and properly balance the parentheses -\n (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))))\n SID_LIST_LISTENER=\n (SID_LIST=\n (SID_DESC=\n (GLOBAL_DBNAME=sales.us.example.com)\n (ORACLE_HOME=/oracle12c)\n (SID_NAME=sales))\n (SID_DESC=\n (SID_NAME=plsextproc)\n (ORACLE_HOME=/oracle12c)\n (PROGRAM=extproc)))\n\n Revise the client side TNSNAMES.ORA to align the PROTOCOL value in the PROTOCOL\n portion of the connect string. For example, if TCP was deemed as not secure\n and the listener.ora was changed to listen for an IPC connection the code below\n would be required:\n\n net_service_name=\n (DESCRIPTION=\n (ADDRESS=(PROTOCOL=tcp)(HOST=sales1-svr)(PORT=1521))\n (ADDRESS=(PROTOCOL=tcp)(HOST=sales2-svr)(PORT=1521))\n (CONNECT_DATA=\n (SERVICE_NAME=sales.us.example.com)))\"\n describe 'A manual review is required to ensure the DBMS supports the disabling of network protocols deemed by the\n organization to be nonsecure' do\n skip 'A manual review is required to ensure the DBMS supports the disabling of network protocols deemed by the\n organization to be nonsecure'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61449.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61555.rb", "line": 1 }, - "id": "V-61449" + "id": "V-61555" }, { - "title": "The system must employ automated mechanisms for supporting Oracle user\n account management.", - "desc": "A comprehensive application account management process that includes\n automation helps to ensure accounts designated as requiring attention are\n consistently and promptly addressed. 
Examples include, but are not limited to,\n using automation to take action on multiple accounts designated as inactive,\n suspended, or terminated, or by disabling accounts located in non-centralized\n account stores, such as multiple servers.\n\n Enterprise environments make application user account management\n challenging and complex. A user management process requiring administrators to\n manually address account management functions adds risk of potential oversight.\n\n Automated mechanisms may be comprised of differing technologies that when\n placed together contain an overall automated mechanism supporting an\n organization's automated account management requirements.\n\n Databases can have large numbers of users in disparate locations and job\n functions. Automatic account management can help mitigate the risk of human\n error found in manually managing database access.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", + "title": "Logic modules within the database (to include packages, procedures,\n functions and triggers) must be monitored to discover unauthorized changes.", + "desc": "Any changes to the hardware, software, and/or firmware components of\n the information system and/or application can potentially have significant\n effects on the overall security of the system. 
This includes the logic modules\n implemented within the database, such as packages, procedures, functions and\n triggers.\n\n If the DBMS were to allow any user to make changes to these, then those\n changes might be implemented without undergoing the appropriate testing and\n approvals that are part of a robust change management process.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database logic modules can lead to\n unauthorized or compromised installations.", "descriptions": { - "default": "A comprehensive application account management process that includes\n automation helps to ensure accounts designated as requiring attention are\n consistently and promptly addressed. Examples include, but are not limited to,\n using automation to take action on multiple accounts designated as inactive,\n suspended, or terminated, or by disabling accounts located in non-centralized\n account stores, such as multiple servers.\n\n Enterprise environments make application user account management\n challenging and complex. A user management process requiring administrators to\n manually address account management functions adds risk of potential oversight.\n\n Automated mechanisms may be comprised of differing technologies that when\n placed together contain an overall automated mechanism supporting an\n organization's automated account management requirements.\n\n Databases can have large numbers of users in disparate locations and job\n functions. Automatic account management can help mitigate the risk of human\n error found in manually managing database access.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." + "default": "Any changes to the hardware, software, and/or firmware components of\n the information system and/or application can potentially have significant\n effects on the overall security of the system. This includes the logic modules\n implemented within the database, such as packages, procedures, functions and\n triggers.\n\n If the DBMS were to allow any user to make changes to these, then those\n changes might be implemented without undergoing the appropriate testing and\n approvals that are part of a robust change management process.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database logic modules can lead to\n unauthorized or compromised installations." }, "impact": 0.5, "refs": [], "tags": { - "gtitle": "SRG-APP-000023-DB-000001", - "gid": "V-61557", - "rid": "SV-76047r2_rule", - "stig_id": "O121-C2-001800", - "fix_id": "F-67473r2_fix", + "gtitle": "SRG-APP-000133-DB-000179", + "gid": "V-68863", + "rid": "SV-83467r1_rule", + "stig_id": "O121-OS-010710", + "fix_id": "F-75045r1_fix", "cci": [ - "CCI-000015" + "CCI-001499" ], "nist": [ - "AC-2 (1)", + "CM-5 (6)", "Rev_4" ], "false_negatives": null, 
@@ -1050,35 +932,39 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n If an Oracle feature/product, an OS feature, a third-party product, or custom\n code is used to automate account management, this is not a finding.\n\n Determine what the site-defined definition of an acceptably small level of\n manual account-management activity is. If the site has established the\n definition, documented it, and obtained ISSO-ISSM-AO approval, use that\n definition. If not, use the following rule of thumb as the definition: no\n more than 12 such accounts exist or are expected to exist; no more than 100\n manual account-management actions (account creation, modification, locking,\n unlocking, removal and the like) are expected to occur in the course of a year.\n\n If the amount of account management activity is small, as defined in the\n preceding paragraph, this is not a finding.\n\n Otherwise, this is a finding.", - "fix": "Utilize an Oracle feature/product, an OS feature, a third-party\n product, or custom code to automate some or all account maintenance\n functionality.\n\n - - - - -\n\n Roles and Profiles are two Oracle features that should be employed in account\n management. (Indeed, other requirements mandate the use of Roles.) Following\n are some notes from Oracle on the use of Profiles.\n\n A profile is a named set of resource limits and password parameters that\n restrict database usage and instance resources for a user. You can assign a\n profile to each user, and a default profile to all others. Each user can have\n only one profile, and creating a new one supersedes any earlier one.\n\n Profile resource limits are enforced only when you enable resource limitation\n for the associated database. 
Enabling such limitation can occur either before\n starting up the database (the RESOURCE_LIMIT initialization parameter) or while\n it is open (using an ALTER SYSTEM statement).\n\n While password parameters reside in profiles, they are unaffected by\n RESOURCE_LIMIT or ALTER SYSTEM and password management is always enabled." + "check": "Review monitoring procedures and implementation evidence to\n verify that monitoring of changes to database logic modules is done.\n\n Verify the list of objects (packages, procedures, functions, and triggers)\n being monitored is complete. If monitoring does not occur or is not complete,\n this is a finding.", + "fix": "Implement procedures to monitor for unauthorized changes to\n database logic modules. If a third-party automated tool is not employed, an\n automated job that reports on the objects of interest and compares them to the\n baseline report for the same will meet the requirement." }, - "code": "control 'V-61557' do\n title \"The system must employ automated mechanisms for supporting Oracle user\n account management.\"\n desc \"A comprehensive application account management process that includes\n automation helps to ensure accounts designated as requiring attention are\n consistently and promptly addressed. Examples include, but are not limited to,\n using automation to take action on multiple accounts designated as inactive,\n suspended, or terminated, or by disabling accounts located in non-centralized\n account stores, such as multiple servers.\n\n Enterprise environments make application user account management\n challenging and complex. 
A user management process requiring administrators to\n manually address account management functions adds risk of potential oversight.\n\n Automated mechanisms may be comprised of differing technologies that when\n placed together contain an overall automated mechanism supporting an\n organization's automated account management requirements.\n\n Databases can have large numbers of users in disparate locations and job\n functions. Automatic account management can help mitigate the risk of human\n error found in manually managing database access.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP. This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000023-DB-000001'\n tag \"gid\": 'V-61557'\n tag \"rid\": 'SV-76047r2_rule'\n tag \"stig_id\": 'O121-C2-001800'\n tag \"fix_id\": 'F-67473r2_fix'\n tag \"cci\": ['CCI-000015']\n tag \"nist\": ['AC-2 (1)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are authenticated by the OS or an\n enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n If an Oracle feature/product, an OS feature, a third-party product, or custom\n code is used to automate account management, this is not a finding.\n\n Determine what the site-defined definition of an acceptably small level of\n manual account-management activity is. 
If the site has established the\n definition, documented it, and obtained ISSO-ISSM-AO approval, use that\n definition. If not, use the following rule of thumb as the definition: no\n more than 12 such accounts exist or are expected to exist; no more than 100\n manual account-management actions (account creation, modification, locking,\n unlocking, removal and the like) are expected to occur in the course of a year.\n\n If the amount of account management activity is small, as defined in the\n preceding paragraph, this is not a finding.\n\n Otherwise, this is a finding.\"\n tag \"fix\": \"Utilize an Oracle feature/product, an OS feature, a third-party\n product, or custom code to automate some or all account maintenance\n functionality.\n\n - - - - -\n\n Roles and Profiles are two Oracle features that should be employed in account\n management. (Indeed, other requirements mandate the use of Roles.) Following\n are some notes from Oracle on the use of Profiles.\n\n A profile is a named set of resource limits and password parameters that\n restrict database usage and instance resources for a user. You can assign a\n profile to each user, and a default profile to all others. Each user can have\n only one profile, and creating a new one supersedes any earlier one.\n\n Profile resource limits are enforced only when you enable resource limitation\n for the associated database. 
Enabling such limitation can occur either before\n starting up the database (the RESOURCE_LIMIT initialization parameter) or while\n it is open (using an ALTER SYSTEM statement).\n\n While password parameters reside in profiles, they are unaffected by\n RESOURCE_LIMIT or ALTER SYSTEM and password management is always enabled.\"\n describe 'A manual review is required to ensure the system must employs automated mechanisms for supporting Oracle user\n account management' do\n skip 'A manual review is required to ensure the system must employs automated mechanisms for supporting Oracle user\n account management'\n end\nend\n", + "code": "control 'V-68863' do\n title \"Logic modules within the database (to include packages, procedures,\n functions and triggers) must be monitored to discover unauthorized changes.\"\n desc \"Any changes to the hardware, software, and/or firmware components of\n the information system and/or application can potentially have significant\n effects on the overall security of the system. 
This includes the logic modules\n implemented within the database, such as packages, procedures, functions and\n triggers.\n\n If the DBMS were to allow any user to make changes to these, then those\n changes might be implemented without undergoing the appropriate testing and\n approvals that are part of a robust change management process.\n\n Accordingly, only qualified and authorized individuals shall be allowed to\n obtain access to information system components for purposes of initiating\n changes, including upgrades and modifications.\n\n Unmanaged changes that occur to the database logic modules can lead to\n unauthorized or compromised installations.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000133-DB-000179'\n tag \"gid\": 'V-68863'\n tag \"rid\": 'SV-83467r1_rule'\n tag \"stig_id\": 'O121-OS-010710'\n tag \"fix_id\": 'F-75045r1_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"Review monitoring procedures and implementation evidence to\n verify that monitoring of changes to database logic modules is done.\n\n Verify the list of objects (packages, procedures, functions, and triggers)\n being monitored is complete. If monitoring does not occur or is not complete,\n this is a finding.\"\n tag \"fix\": \"Implement procedures to monitor for unauthorized changes to\n database logic modules. 
If a third-party automated tool is not employed, an\n automated job that reports on the objects of interest and compares them to the\n baseline report for the same will meet the requirement.\"\n describe 'A manual review is required to ensure the logic modules within the database (to include packages, procedures,\n functions and triggers) are monitored to discover unauthorized changes' do\n skip 'A manual review is required to ensure the logic modules within the database (to include packages, procedures,\n functions and triggers) are monitored to discover unauthorized changes'\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61557.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-68863.rb", "line": 1 }, - "id": "V-61557" + "id": "V-68863" }, { - "title": "Oracle software must be evaluated and patched against newly found\n vulnerabilities.", - "desc": "Security faults with software applications and operating systems are\n discovered daily. Vendors are constantly updating and patching their products\n to address newly discovered security vulnerabilities. Organizations (including\n any contractor to the organization) are required to promptly install\n security-relevant software updates (e.g., patches, service packs, and hot\n fixes). Flaws discovered during security assessments, continuous monitoring,\n incident response activities, or information system error handling, must also\n be addressed expeditiously.\n\n Anytime new software code is introduced to a system there is the potential\n for unintended consequences. There have been documented instances where the\n application of a patch has caused problems with system integrity or\n availability. 
Due to information system integrity and availability concerns,\n organizations must give careful consideration to the methodology used to carry\n out automatic updates.\n\n Unsupported software versions are not patched by vendors to address newly\n discovered security versions. An unpatched version is vulnerable to attack.", + "title": "The DBMS must support organizational requirements to enforce the\n number of characters that get changed when passwords are changed.", + "desc": "Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.", "descriptions": { - "default": "Security faults with software applications and operating systems are\n discovered daily. Vendors are constantly updating and patching their products\n to address newly discovered security vulnerabilities. Organizations (including\n any contractor to the organization) are required to promptly install\n security-relevant software updates (e.g., patches, service packs, and hot\n fixes). 
Flaws discovered during security assessments, continuous monitoring,\n incident response activities, or information system error handling, must also\n be addressed expeditiously.\n\n Anytime new software code is introduced to a system there is the potential\n for unintended consequences. There have been documented instances where the\n application of a patch has caused problems with system integrity or\n availability. Due to information system integrity and availability concerns,\n organizations must give careful consideration to the methodology used to carry\n out automatic updates.\n\n Unsupported software versions are not patched by vendors to address newly\n discovered security versions. An unpatched version is vulnerable to attack." + "default": "Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle." 
 },
- "impact": 0.7,
- "refs": [],
+ "impact": 0.5,
+ "refs": [
+ {
+ "ref": []
+ }
+ ],
 "tags": {
- "gtitle": "SRG-APP-000133-DB-000205",
- "gid": "V-61539",
- "rid": "SV-76029r2_rule",
- "stig_id": "O121-C1-011100",
- "fix_id": "F-67455r4_fix",
+ "gtitle": "SRG-APP-000170-DB-000073",
+ "gid": "V-61731",
+ "rid": "SV-76221r1_rule",
+ "stig_id": "O121-C2-014500",
+ "fix_id": "F-67647r1_fix",
 "cci": [
- "CCI-001499"
+ "CCI-000195"
 ],
 "nist": [
- "CM-5 (6)",
+ "IA-5 (1) (b)",
 "Rev_4"
 ],
 "false_negatives": null,
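Review bot: The new V-61731 entry carries `"refs": [ { "ref": [] } ]` while every other control in view (V-68863 above it, V-61663 below) uses `"refs": []`, so the element type of `refs` differs between entries and a consumer iterating it will meet an object whose only member is an empty `ref` list with no title or URL. Since this file is ingested automatically from the upstream profile, the odd element presumably originates in that control's `ref` metadata and should be normalised there or dropped by the ingestion step; `"refs": [],` would match the rest of the file. The enclosing control object starts and ends outside this hunk.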
@@ -1091,35 +977,35 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "When the Quarterly CPU is released, check the CPU Notice and\n note the specific patch number for the system.\n\n Then, issue the following command:\n\n SELECT patch_id, version, action, status, description from\n dba_registry_sqlpatch;\n\n This will generate the patch levels for the home and any specific patches that\n have been applied to it.\n\n If the currently installed patch levels are lower than the latest, this is a\n finding.", - "fix": "Follow the process below to apply the security patch.\n\n Log on to My Oracle Support.\n\n Select patches and download the specific patch number and corresponding MD5\n checksum. Once the patch is downloaded to the server, check the MD5 checksum to\n make sure the patch is valid.\n\n To check the MD5 Checksum in Linux/UNIX, the command is:\n $md5sum absolute_path_of_file_name - file_name is the complete location of the\n downloaded file.\n $md5sum /home/oracle/test.zip\n a34d8cd98f00cf24e9800998ecf823e4 /home/oracle/test.zip\n\n Once the checksum is validated, apply the patch:\n $ cd $ORACLE_HOME\n $ opatch apply\n\n Check that the patch was applied and the inventory was updated with the\n following command (UNIX/Linux):\n $ opatch lsinventory -detail\n\n Windows:\n opatch lsinventory –detail" + "check": "If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()] ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password 
verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of characters by\n which the password must differ from the previous password (eight of the\n characters unless otherwise specified), this is a finding.", + "fix": "If any user accounts are managed by Oracle: Develop, test and\n implement a password verification function that enforces DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the\n starting point for a customized function.)" }, - "code": "control 'V-61539' do\n title \"Oracle software must be evaluated and patched against newly found\n vulnerabilities.\"\n desc \"Security faults with software applications and operating systems are\n discovered daily. Vendors are constantly updating and patching their products\n to address newly discovered security vulnerabilities. Organizations (including\n any contractor to the organization) are required to promptly install\n security-relevant software updates (e.g., patches, service packs, and hot\n fixes). Flaws discovered during security assessments, continuous monitoring,\n incident response activities, or information system error handling, must also\n be addressed expeditiously.\n\n Anytime new software code is introduced to a system there is the potential\n for unintended consequences. There have been documented instances where the\n application of a patch has caused problems with system integrity or\n availability. Due to information system integrity and availability concerns,\n organizations must give careful consideration to the methodology used to carry\n out automatic updates.\n\n Unsupported software versions are not patched by vendors to address newly\n discovered security versions. 
An unpatched version is vulnerable to attack.\n \"\n impact 0.7\n tag \"gtitle\": 'SRG-APP-000133-DB-000205'\n tag \"gid\": 'V-61539'\n tag \"rid\": 'SV-76029r2_rule'\n tag \"stig_id\": 'O121-C1-011100'\n tag \"fix_id\": 'F-67455r4_fix'\n tag \"cci\": ['CCI-001499']\n tag \"nist\": ['CM-5 (6)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"When the Quarterly CPU is released, check the CPU Notice and\n note the specific patch number for the system.\n\n Then, issue the following command:\n\n SELECT patch_id, version, action, status, description from\n dba_registry_sqlpatch;\n\n This will generate the patch levels for the home and any specific patches that\n have been applied to it.\n\n If the currently installed patch levels are lower than the latest, this is a\n finding.\"\n tag \"fix\": \"Follow the process below to apply the security patch.\n\n Log on to My Oracle Support.\n\n Select patches and download the specific patch number and corresponding MD5\n checksum. 
Once the patch is downloaded to the server, check the MD5 checksum to\n make sure the patch is valid.\n\n To check the MD5 Checksum in Linux/UNIX, the command is:\n $md5sum absolute_path_of_file_name - file_name is the complete location of the\n downloaded file.\n $md5sum /home/oracle/test.zip\n a34d8cd98f00cf24e9800998ecf823e4 /home/oracle/test.zip\n\n Once the checksum is validated, apply the patch:\n $ cd $ORACLE_HOME\n $ opatch apply\n\n Check that the patch was applied and the inventory was updated with the\n following command (UNIX/Linux):\n $ opatch lsinventory -detail\n\n Windows:\n opatch lsinventory –detail\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n patches = sql.query('SELECT patch_id from dba_registry_sqlpatch;').column('patch_id')\n\n describe 'The oracle database installed patches' do\n subject { patches }\n it { should_not cmp nil }\n end\nend\n", + "code": "control 'V-61731' do\n title \"The DBMS must support organizational requirements to enforce the\n number of characters that get changed when passwords are changed.\"\n desc \"Passwords need to be changed at specific policy-based intervals.\n\n If the information system or application allows the user to consecutively\n reuse extensive portions of their password when they change their password, the\n end result is a password that has not had enough elements changed to meet the\n policy requirements.\n\n Changing passwords frequently can thwart password-guessing attempts or\n re-establish protection of a compromised DBMS account. Minor changes to\n passwords may not accomplish this since password guessing may be able to\n continue to build on previous guesses, or the new password may be easily\n guessed using the old password.\n\n Note that user authentication and account management must be done via an\n enterprise-wide mechanism whenever possible. 
Examples of enterprise-level\n authentication/access mechanisms include, but are not limited to, Active\n Directory and LDAP This requirement applies to cases where it is necessary to\n have accounts directly managed by Oracle.\n \"\n impact 0.5\n tag \"gtitle\": 'SRG-APP-000170-DB-000073'\n tag \"gid\": 'V-61731'\n tag \"rid\": 'SV-76221r1_rule'\n tag \"stig_id\": 'O121-C2-014500'\n tag \"fix_id\": 'F-67647r1_fix'\n tag \"cci\": ['CCI-000195']\n tag \"nist\": ['IA-5 (1) (b)', 'Rev_4']\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n tag \"check\": \"If all user accounts are managed and authenticated by the OS or\n an enterprise-level authentication/access mechanism, and not by Oracle, this is\n not a finding.\n\n For each profile that can be applied to accounts where authentication is under\n Oracle's control, determine the password verification function, if any, that is\n in use:\n\n SELECT * FROM SYS.DBA_PROFILES\n WHERE RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n [AND PROFILE NOT IN ()] ORDER BY PROFILE;\n\n Bearing in mind that a profile can inherit from another profile, and the root\n profile is called DEFAULT, determine the name of the password verification\n function effective for each profile.\n\n If, for any profile, the function name is null, this is a finding.\n\n For each password verification function, examine its source code.\n\n If it does not enforce the organization-defined minimum number of characters by\n which the password must differ from the previous password (eight of the\n characters unless otherwise specified), this is a finding.\"\n tag \"fix\": \"If any user accounts are managed by Oracle: Develop, test and\n implement a password verification function that enforces 
DoD requirements.\n\n (Oracle supplies a sample function called ORA12C_STRONG_VERIFY_FUNCTION, in the\n script file /RDBMS/ADMIN/utlpwdmg.sql. This can be used as the\n starting point for a customized function.)\"\n\n sql = oracledb_session(user: input('user'), password: input('password'), host: input('host'), service: input('service'), sqlplus_bin: input('sqlplus_bin'))\n\n query = %{\n SELECT PROFILE, RESOURCE_NAME, LIMIT FROM DBA_PROFILES WHERE PROFILE =\n '%s' AND RESOURCE_NAME = 'PASSWORD_VERIFY_FUNCTION'\n }\n\n user_profiles = sql.query('SELECT profile FROM dba_users;').column('profile').uniq\n\n user_profiles.each do |profile|\n next if profile == \"RDSADMIN\"\n password_verify_function = sql.query(format(query, profile: profile)).column('limit')\n\n describe \"The oracle database account password verify function for profile: #{profile}\" do\n subject { password_verify_function }\n it { should_not eq ['NULL'] }\n end\n end\n if user_profiles.empty?\n describe 'There are no user profiles, therefore this control is NA' do\n skip 'There are no user profiles, therefore this control is NA'\n end\n end\nend\n", "source_location": { - "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61539.rb", + "ref": "/github/home/.inspec/cache/36f5c955872642c88d8c0b6017a096a137ceb67a/controls/V-61731.rb", "line": 1 }, - "id": "V-61539" + "id": "V-61731" }, { - "title": "Unused database components that are integrated in the DBMS and cannot\n be uninstalled must be disabled.", - "desc": "Information systems are capable of providing a wide variety of\n functions and services. Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. 
Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plug-ins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n Unused, unnecessary DBMS components increase the attack vector for the DBMS\n by introducing additional targets for attack. By minimizing the services and\n applications installed on the system, the number of potential vulnerabilities\n is reduced. Components of the system that are unused and cannot be uninstalled\n must be disabled.", + "title": "The system must protect audit tools from unauthorized deletion.", + "desc": "Protecting audit data also includes identifying and protecting the\n tools used to view and manipulate log data.\n\n Depending upon the log format and application, system and application log\n tools may provide the only means to manipulate and manage application and\n system log data.\n\n It is, therefore, imperative that access to audit tools be controlled and\n protected from unauthorized access.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and the\n corresponding rights the user enjoys in order make access decisions regarding\n the access to audit tools.\n\n Audit tools include, but are not limited to, OS-provided audit tools,\n vendor-provided audit tools, and open source audit tools needed to successfully\n view and manipulate audit information system activity and records.\n\n If an attacker were to gain access to audit tools, he could analyze audit\n logs for system weaknesses or weaknesses in the auditing itself. 
An attacker\n could also manipulate logs to hide evidence of malicious activity.", "descriptions": { - "default": "Information systems are capable of providing a wide variety of\n functions and services. Some of the functions and services, provided by\n default, may not be necessary to support essential organizational operations\n (e.g., key missions, functions).\n\n It is detrimental for applications to provide, or install by default,\n functionality exceeding requirements or mission objectives. Examples include,\n but are not limited to, installing advertising software, demonstrations, or\n browser plug-ins not related to requirements or providing a wide array of\n functionality not required for the mission.\n\n Applications must adhere to the principles of least functionality by\n providing only essential capabilities.\n\n Unused, unnecessary DBMS components increase the attack vector for the DBMS\n by introducing additional targets for attack. By minimizing the services and\n applications installed on the system, the number of potential vulnerabilities\n is reduced. Components of the system that are unused and cannot be uninstalled\n must be disabled." 
+ "default": "Protecting audit data also includes identifying and protecting the\n tools used to view and manipulate log data.\n\n Depending upon the log format and application, system and application log\n tools may provide the only means to manipulate and manage application and\n system log data.\n\n It is, therefore, imperative that access to audit tools be controlled and\n protected from unauthorized access.\n\n Applications providing tools to interface with audit data will leverage\n user permissions and roles identifying the user accessing the tools and the\n corresponding rights the user enjoys in order make access decisions regarding\n the access to audit tools.\n\n Audit tools include, but are not limited to, OS-provided audit tools,\n vendor-provided audit tools, and open source audit tools needed to successfully\n view and manipulate audit information system activity and records.\n\n If an attacker were to gain access to audit tools, he could analyze audit\n logs for system weaknesses or weaknesses in the auditing itself. An attacker\n could also manipulate logs to hide evidence of malicious activity."
 },
 "impact": 0,
 "refs": [],
 "tags": {
- "gtitle": "SRG-APP-000141-DB-000092",
- "gid": "V-61681",
- "rid": "SV-76171r2_rule",
- "stig_id": "O121-C2-011700",
- "fix_id": "F-67595r3_fix",
+ "gtitle": "SRG-APP-000123-DB-000204",
+ "gid": "V-61663",
+ "rid": "SV-76153r1_rule",
+ "stig_id": "O121-C2-009800",
+ "fix_id": "F-67577r1_fix",
 "cci": [
- "CCI-000381"
+ "CCI-001495"
 ],
 "nist": [
- "CM-7 a",
+ "AU-9",
 "Rev_4"
 ],
 "false_negatives": null,
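Review bot: In the embedded `code` for V-61731, `sql.query(format(query, profile: profile))` pairs a positional `%s` placeholder with a keyword argument; in Ruby a keyword hash handed to `format` alongside a bare `%s` is stringified as a whole rather than substituted, so the query would filter on a profile name that cannot exist, return no rows, and `it { should_not eq ['NULL'] }` would pass vacuously for every profile — I have not executed it, so this is worth confirming against a live instance. The fix is one token either way: `'%{profile}'` in the query text or `format(query, profile)` in the call. Separately, a LIMIT of `'DEFAULT'` means the profile inherits its verify function from the DEFAULT profile, which the check text calls out but the assertion does not resolve, so an inheriting profile whose root has no function would also pass. This JSON is generated from the upstream control at the `source_location` ref, so the correction belongs in that profile rather than in this file; the control object begins outside the hunk.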
@@ -1132,35 +1018,36 @@ "mitigation_controls": null, "responsibility": null, "ia_controls": null, - "check": "Run this query to check to see what integrated components are\n installed in the database:\n\n SELECT parameter, value\n from v$option\n where parameter in\n (\n 'Data Mining',\n 'Oracle Database Extensions for .NET',\n 'OLAP',\n 'Partitioning',\n 'Real Application Testing'\n );\n\n This will return all of the relevant database options and their status. TRUE\n means that the option is installed. If the option is not installed, the option\n will be set to FALSE.\n\n Review the options and check the system documentation to see what is required.\n If all listed components are authorized to be in use, this is not a finding.\n\n If any unused components or features are listed by the query as TRUE, this is a\n finding.", - "fix": "In the system documentation list the integrated components\n required for operation of applications that will be accessing the DBMS.\n\n For Oracle Database 12.1, only the following components can be enabled/disabled:\n\n Oracle Data Mining (dm)\n Oracle Database Extensions for .NET (ode_net)\n Oracle OLAP (olap)\n Oracle Partitioning (partitioning)\n Real Application Testing (rat)\n\n Use the chopt utility (an Oracle-supplied operating system command that resides\n in the /bin directory) to disable each option that should not\n be available. The command format is\n\n chopt