ORACLE DATABASE

SECURITY CHECKLIST

Version 8, Release 1.3

31 March 2009

Developed by DISA for the DoD

UNCLASSIFIED
This page is intentionally left blank.

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

TABLE OF CONTENTS
1. INTRODUCTION ........................................................................................................................... 1-1
1.1 OVERVIEW ................................................................................................................................ 1-1
1.2 ORGANIZATION OF THE CHECKLIST .......................................................................................... 1-1
1.3 SUPPORTED VERSIONS .............................................................................................................. 1-3
1.4 DOCUMENT EFFECTIVE DATE ................................................................................................... 1-3
1.5 REVIEW METHOD ...................................................................................................................... 1-3
1.6 REFERENCED DOCUMENTS........................................................................................................ 1-3
2. ORACLE DATABASE SRR RESULTS REPORT ...................................................................... 2-1
2.1 SITE INFORMATION ................................................................................................................... 2-1
2.2 SYSTEM INFORMATION ............................................................................................................. 2-2
2.3 SRR RESULTS ........................................................................................................................... 2-1
3. ORACLE DATABASE SERVER SECURITY REVIEW PROCEDURES ............................... 3-1
3.1 REVIEW PROCESS NOTES .......................................................................................................... 3-1
3.2 IAVM COMPLIANCE ................................................................................................................. 3-2
3.3 REVIEW TOOLS AND INTERFACES ............................................................................................. 3-2
3.4 SYSTEM SECURITY PLAN OVERVIEW ........................................................................................ 3-3
3.5 AUTOMATED INFORMATION SYSTEM (AIS) FUNCTIONAL ARCHITECTURE DOCUMENT............ 3-4
3.6 SENSITIVE DATA PROTECTION AND DEFINITION ....................................................................... 3-4
3.7 PROCESS NOTES ........................................................................................................................ 3-5
3.8 CHECK REFERENCE NUMBERING SCHEME ................................................................................ 3-5
3.9 DOCUMENTATION CONVENTIONS ............................................................................................. 3-6
3.10 PROCEDURE TABLE DATA......................................................................................................... 3-6
4. ORACLE DATABASE AUTOMATED CHECK PROCEDURES ............................................ 4-8
4.1 DO0240: ORACLE OS_ROLES PARAMETER ............................................................................ 4-8
4.2 DO0241: ORACLE AUDIT_SYS_OPERATIONS PARAMETER................................................ 4-9
4.3 DO0242: ORACLE GLOBAL_NAMES PARAMETER .............................................................. 4-10
4.4 DO0243: ORACLE _TRACE_FILES_PUBLIC PARAMETER .................................................. 4-11
4.5 DO3413: ORACLE AUDIT_TRAIL PARAMETER .................................................................... 4-12
4.6 DO3447: ORACLE OS_AUTHENT_PREFIX PARAMETER..................................................... 4-13
4.7 DO3538: ORACLE REMOTE_OS_AUTHENT PARAMETER .................................................. 4-14
4.8 DO3539: ORACLE REMOTE_OS_ROLES PARAMETER ........................................................ 4-15
4.9 DO3540: ORACLE SQL92_SECURITY PARAMETER ............................................................. 4-16
4.10 DO3546: ORACLE REMOTE_LOGIN_PASSWORDFILE PARAMETER ............................... 4-17
4.11 DO3547: ORACLE UTL_FILE_DIR PARAMETER ................................................................... 4-18
4.12 DO3685: ORACLE O7_DICTIONARY_ACCESSIBILITY PARAMETER ............................... 4-19
4.13 DO3696: ORACLE RESOURCE_LIMIT PARAMETER ............................................................ 4-20
4.14 DO3698: ORACLE DBLINK_ENCRYPT_LOGIN PARAMETER............................................. 4-21
4.15 DO6748: ORACLE SEC_CASE_SENSITIVE_LOGON PARAMETER..................................... 4-22
4.16 DO6749: ORACLE SEC_MAX_FAILED_LOGIN_ATTEMPTS PARAMETER....................... 4-23
4.17 DO6750: ORACLE SEC_PROTOCOL_ERROR_FURTHER_ACTION PARAMETER ........... 4-24
4.18 DO6752: ORACLE SEC_PROTOCOL_ERROR_TRACE_ACTION PARAMETER................. 4-25
4.19 DG0117: DBMS ADMINISTRATIVE PRIVILEGE ASSIGNMENT .................................................. 4-26
4.20 DO0155: ORACLE DEFAULT TABLESPACE ASSIGNMENT ......................................................... 4-27
4.21 DO3451: WITH GRANT OPTION PRIVILEGES ..................................................................... 4-28
4.22 DO3609: SYSTEM PRIVILEGES GRANTED WITH ADMIN OPTION ....................................... 4-29
4.23 DO3612: ORACLE SYSTEM PRIVILEGE ASSIGNMENT ............................................................... 4-30
4.24 DO3473: APPLICATION USER ROLE PRIVILEGES ...................................................................... 4-31
4.25 DO3475: ORACLE PUBLIC ACCESS TO RESTRICTED PACKAGES ............................................ 4-32
4.26 DO3686: ORACLE SYS.LINK$ TABLE ACCESS (10.1 AND EARLIER) ...................................... 4-34
4.27 DO3689: ORACLE OBJECT PERMISSION ASSIGNMENT TO PUBLIC ......................................... 4-35
i V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.28 DO0170: ORACLE PREDEFINED ROLES .................................................................................... 4-36

4.29 DO0320: ORACLE PUBLIC ROLE PRIVILEGES ........................................................................ 4-38
4.30 DO3709: ORACLE DIRECT PRIVILEGE ASSIGNMENT TO ACCOUNTS ......................................... 4-39
4.31 DG0133: DBMS ACCOUNT LOCK TIME .................................................................................. 4-41
4.32 DO0400: ORACLE DEMO APPLICATIONS AND ACCOUNTS ........................................................ 4-42
4.33 DO3445: ORACLE DEFAULT ACCOUNT PASSWORDS................................................................ 4-44
4.34 DO3487: ORACLE PASSWORD REUSE RESTRICTIONS ............................................................... 4-52
4.35 DO3504: ORACLE PASSWORD_VERIFY_FUNCTION PROFILE PARAMETER .................... 4-54
4.36 DO3537: ORACLE FAILED_LOGIN_ATTEMPTS PROFILE PARAMETER ............................. 4-60
4.37 DO0270: ORACLE REDO LOG FILE AVAILABILITY ................................................................... 4-62
4.38 DO3610: ORACLE MINIMUM OBJECT AUDITING ...................................................................... 4-63
4.39 DO3692: ORACLE AUDITED EVENTS ....................................................................................... 4-65
5. ORACLE DATABASE INTERVIEW CHECK PROCEDURES ............................................. 5-67
5.1 DG0030: DBMS AUDIT DATA MAINTENANCE ........................................................................ 5-67
5.2 DG0076: SENSITIVE DATA IMPORT TO DEVELOPMENT DBMS................................................ 5-68
5.3 DG0080: APPLICATION USER PRIVILEGE ASSIGNMENT REVIEW .............................................. 5-69
5.4 DG0165: DBMS SYMMETRIC KEY MANAGEMENT .................................................................. 5-70
5.5 DG0138: DBMS ACCESS TO SENSITIVE DATA......................................................................... 5-71
5.6 DG0074: DBMS INACTIVE ACCOUNTS ................................................................................... 5-72
5.7 DO0140: ORACLE DEFAULT ACCOUNT ACCESS....................................................................... 5-73
5.8 DG0031: DBMS AUDIT OF CHANGES TO DATA ....................................................................... 5-74
5.9 DG0135: DBMS CONNECTION ALERT .................................................................................... 5-75
6. ORACLE DATABASE MANUAL CHECK PROCEDURES................................................... 6-76
6.1 DG0060: DBMS SHARED ACCOUNT AUTHORIZATION ............................................................ 6-76
6.2 DG0070: DBMS USER ACCOUNT AUTHORIZATION ................................................................. 6-77
6.3 DG0089: DEVELOPER DBMS PRIVILEGES ON PRODUCTION DATABASES ................................ 6-78
6.4 DG0100: REPLICATION ACCOUNT PRIVILEGES ........................................................................ 6-79
7. ORACLE DATABASE VERIFY CHECK PROCEDURES ..................................................... 7-80
7.1 DG0166: PROTECTION OF DBMS ASYMMETRIC ENCRYPTION KEYS ....................................... 7-80
7.2 DO0233: ORACLE DIAGNOSTIC_DEST PARAMETER .......................................................... 7-82
7.3 DO0234: ORACLE AUDIT_FILE_DEST PARAMETER ........................................................... 7-84
7.4 DO0235: ORACLE USER_DUMP_DEST PARAMETER .......................................................... 7-86
7.5 DO0236: ORACLE BACKGROUND_DUMP_DEST PARAMETER......................................... 7-88
7.6 DO0237: ORACLE CORE_DUMP_DEST PARAMETER .......................................................... 7-90
7.7 DO0238: ORACLE LOG_ARCHIVE_DEST PARAMETER ...................................................... 7-92
7.8 DG0112: DBMS DATA FILE PROTECTION ............................................................................... 7-94
7.9 DO0275: ORACLE CRITICAL FILE ACCESS ............................................................................... 7-95
7.10 DG0015: DATA DEFINITION LANGUAGE USE.......................................................................... 7-97
7.11 DO0157: ORACLE STORAGE USE PRIVILEGES.......................................................................... 7-98
7.12 DO0350: ORACLE SYSTEM PRIVILEGE ASSIGNMENT ............................................................... 7-99
7.13 DO3622: ORACLE ROLES GRANTED WITH ADMIN OPTION ............................................. 7-101
7.14 DG0077: PRODUCTION DATA PROTECTION ON A SHARED SYSTEM ........................................ 7-102
7.15 DO0150: ORACLE OBJECT OWNERSHIP ................................................................................. 7-104
7.16 DO0190: ORACLE AUDIT TABLE OWNERSHIP ........................................................................ 7-106
7.17 DO0231: ORACLE APPLICATION OBJECT OWNER TABLESPACES ............................................ 7-107
7.18 DO0310: ORACLE SYSTEM DATA AND TABLE ACCESS .......................................................... 7-108
7.19 DO3446: ORACLE AUDIT RECORD ACCESS............................................................................ 7-110
7.20 DO0340: ORACLE APPLICATION ADMINISTRATION ROLES ENABLEMENT .............................. 7-111
7.21 DO3440: ORACLE DBA ROLE ASSIGNMENT ......................................................................... 7-112
7.22 DG0071: PASSWORD CHANGE VARIANCE ............................................................................. 7-113
7.23 DG0072: DBMS PASSWORD CHANGE TIME LIMIT................................................................. 7-115
7.24 DG0127: DBMS ACCOUNT PASSWORD EASILY GUESSED ..................................................... 7-117
7.25 DO0160: ORACLE APPLICATION OBJECT OWNER ACCOUNTS ................................................ 7-119
ii V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.26 DO0210: ORACLE SHARED REPLICATION ACCOUNT ACCESS ................................................. 7-121

7.27 DO3485: ORACLE PASSWORD_LIFE_TIME PROFILE PARAMETER................................... 7-122
7.28 DO3536: ORACLE IDLE_TIME PROFILE PARAMETER.......................................................... 7-124
7.29 DO0380: ORACLE SYSDBA PASSWORD FILE USERS ............................................................ 7-126
7.30 DG0075: DBMS LINKS TO EXTERNAL DATABASES ............................................................... 7-127
7.31 DG0087: DBMS SENSITIVE DATA LABELING ........................................................................ 7-129
7.32 DG0091: DBMS SOURCE CODE ENCODING OR ENCRYPTION................................................. 7-130
7.33 DG0172: DBMS CLASSIFICATION LEVEL AUDIT ................................................................... 7-132
7.34 DO0220: ORACLE INSTANCE NAMES .................................................................................... 7-133
7.35 DO0221: ORACLE DEFAULT SID NAME ................................................................................ 7-134
7.36 DO0250: ORACLE DATABASE LINK USAGE ........................................................................... 7-135
7.37 DO0260: ORACLE CONTROL FILE AVAILABILITY .................................................................. 7-136
7.38 DO0420: ORACLE XML DB ................................................................................................. 7-137
8. ORACLE HOME AUTOMATED CHECK PROCEDURES ................................................. 8-138
8.1 DG0003: DBMS PATCHSET/CPU SECURITY PATCH LEVEL ................................................... 8-138
8.2 DO0100: ORACLE VERSION SUPPORT ................................................................................... 8-141
9. ORACLE HOME INTERVIEW CHECK PROCEDURES .................................................... 9-143
9.1 DG0010: DBMS SOFTWARE MONITORING ............................................................................ 9-143
9.2 DG0011: DBMS CONFIGURATION MANAGEMENT ............................................................... 9-144
9.3 DG0013: DATABASE BACKUP PROCEDURES ......................................................................... 9-145
9.4 DG0020: DBMS BACKUP AND RECOVERY TESTING.............................................................. 9-147
9.5 DG0050: DBMS SOFTWARE AND CONFIGURATION FILE MONITORING.................................. 9-148
9.6 DG0053: DBMS CLIENT CONNECTION DEFINITION FILE ....................................................... 9-150
9.7 DG0066: TEMPORARY PASSWORD PROCEDURES .................................................................. 9-151
9.8 DG0067: DBMS ACCOUNT PASSWORD EXTERNAL STORAGE................................................ 9-152
9.9 DG0068: DBMS APPLICATION PASSWORD DISPLAY ............................................................. 9-153
9.10 DG0069: PRODUCTION DATA IMPORT TO DEVELOPMENT DBMS ......................................... 9-154
9.11 DG0083: AUDIT RECORD REPORT AUTOMATION ................................................................... 9-155
9.12 DG0086: DBA ROLE PRIVILEGE MONITORING ...................................................................... 9-156
9.13 DG0088: DBMS VULNERABILITY MGMT AND IA COMPLIANCE TESTING .............................. 9-157
9.14 DG0095: DBMS AUDIT TRAIL DATA REVIEW ....................................................................... 9-158
9.15 DG0096: DBMS IA POLICY AND PROCEDURE REVIEW ......................................................... 9-159
9.16 DG0097: DBMS TESTING PLANS AND PROCEDURES ........................................................... 9-160
9.17 DG0107: SENSITIVE DATA IDENTIFICATION IN THE DBMS................................................... 9-161
9.18 DG0108: DBMS RESTORATION PRIORITY............................................................................. 9-162
9.19 DG0110: DBMS HOST SHARED WITH A SECURITY SERVICE .................................................. 9-163
9.20 DG0154: DBMS SYSTEM SECURITY PLAN ........................................................................... 9-164
9.21 DG0159: REVIEW OF DBMS REMOTE ADMINISTRATIVE ACCESS .......................................... 9-165
9.22 DG0161: DBMS AUDIT TOOL ............................................................................................... 9-166
9.23 DG0186: DBMS NETWORK PERIMETER PROTECTION ........................................................... 9-167
9.24 DG0187: DBMS SOFTWARE FILE BACKUPS .......................................................................... 9-168
9.25 DG0194: DBMS DEVELOPER PRIVILEGE MONITORING ON SHARED DBMS .......................... 9-169
9.26 DG0064: DBMS BACKUP AND RESTORATION FILE PROTECTION........................................... 9-170
9.27 DG0118: IAM REVIEW OF CHANGE IN DBA ASSIGNMENTS .................................................. 9-171
9.28 DG0040: DBMS SOFTWARE OWNER ACCOUNT ACCESS........................................................ 9-172
9.29 DG0041: DBMS INSTALLATION ACCOUNT USE LOGGING ..................................................... 9-173
9.30 DG0042: DBMS SOFTWARE INSTALLATION ACCOUNT USE .................................................. 9-174
10. ORACLE HOME MANUAL CHECK PROCEDURES........................................................ 10-175
10.1 DG0017: DBMS SHARED PRODUCTION/DEVELOPMENT USE ............................................... 10-175
10.2 DG0021: DBMS SOFTWARE AND CONFIGURATION BASELINE ............................................ 10-177
10.3 DG0052: DBMS SOFTWARE ACCESS AUDIT ....................................................................... 10-178
10.4 DG0054: DBMS SOFTWARE ACCESS AUDIT REVIEW .......................................................... 10-179
10.5 DG0109: DBMS DEDICATED HOST.................................................................................... 10-180
iii V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.6 DG0175: DBMS HOST AND COMPONENT STIG COMPLIANCY ............................................ 10-182
10.7 DG0176: DBMS AUDIT LOG BACKUPS ............................................................................... 10-183
10.8 DG0012: DBMS SOFTWARE STORAGE LOCATION .............................................................. 10-184
10.9 DG0019: DBMS SOFTWARE OWNERSHIP............................................................................ 10-185
10.10 DG0092: DBMS DATA FILE ENCRYPTION ........................................................................... 10-187
10.11 DG0195: DBMS HOST FILE PRIVILEGES ASSIGNED TO DEVELOPERS ................................... 10-188
10.12 DO0133: ORACLE CONNECTION CREDENTIAL PROTECTION ................................................ 10-189
10.13 DO3847: ORACLE SPOOLMAIN.LOG FILE (ORACLE 9I) ........................................................ 10-191
10.14 DO5037: ORACLE SQLNET AND LISTENER LOG FILES PROTECTION ................................... 10-192
10.15 DG0140: DBMS SECURITY DATA ACCESS AUDIT ............................................................... 10-195
10.16 DO0145: ORACLE SYSDBA OS GROUP MEMBERSHIP ....................................................... 10-196
10.17 DG0025: DBMS ENCRYPTION COMPLIANCE ...................................................................... 10-197
10.18 DG0093: REMOTE ADMINISTRATION ENCRYPTION FOR CONFIDENTIALITY ......................... 10-199
10.19 DG0103: DBMS LISTENER NETWORK RESTRICTIONS ......................................................... 10-201
10.20 DG0167: ENCRYPTION OF DBMS SENSITIVE DATA IN TRANSIT .......................................... 10-203
10.21 DG0198: DBMS REMOTE ADMINISTRATION ENCRYPTION .................................................. 10-204
10.22 DO0285: ORACLE LISTENER NETWORK PORT ASSIGNMENT ................................................ 10-205
10.23 DO0286: ORACLE CONNECTION TIMEOUT PARAMETER ...................................................... 10-206
10.24 DO0287: ORACLE SQLNET.EXPIRE_TIME PARAMETER ................................................ 10-208
10.25 DO3630: ORACLE LISTENER AUTHENTICATION .................................................................. 10-209
10.26 DO6740: ORACLE LISTENER ADMIN_RESTRICTIONS PARAMETER ............................... 10-213
10.27 DO6746: ORACLE LISTENER HOST REFERENCES ................................................................. 10-214
10.28 DO6747: CONNECTION MANAGER REMOTE ADMINISTRATION ........................................... 10-215
10.29 DO6751: SQLNET.ALLOWED_LOGON_VERSION ..................................................... 10-216
10.30 DG0005: DBMS ADMINISTRATION OS ACCOUNTS ............................................................. 10-217
10.31 DO0120: ORACLE PROCESS ACCOUNT HOST SYSTEM PRIVILEGES ....................................... 10-219
10.32 DO0121: ORACLE SERVICE AND PROCESS DEDICATED ACCOUNTS ...................................... 10-221
10.33 DO0279: ORACLE SOFTWARE OWNER UMASK SETTING ...................................................... 10-223
10.34 DG0016: DBMS UNUSED COMPONENTS ............................................................................. 10-225
10.35 DO6754: ORACLE CONFIGURATION MANAGER .................................................................. 10-227
10.36 DG0104: DBMS SERVICE IDENTIFICATION ......................................................................... 10-228
10.37 DG0106: DATABASE DATA ENCRYPTION CONFIGURATION ................................................. 10-230
10.38 DO0280: ORACLE EXTERNAL PROCEDURE ACCESS ............................................................. 10-231
10.39 DO5036: ORACLE NET TRACE_LEVEL ........................................................................... 10-236
11. ORACLE HOME VERIFY CHECK PROCEDURES........................................................... 11-238
11.1 DG0051: DATABASE JOB/BATCH QUEUE MONITORING ....................................................... 11-238
11.2 DG0090: SENSITIVE DATA IDENTIFICATION AND ENCRYPTION ........................................... 11-240
11.3 DO0360: DBMS MID-TIER APPLICATION ACCOUNT ACCESS ............................................... 11-242
11.4 DG0002: DBMS VERSION UPGRADE PLAN ......................................................................... 11-244
11.5 DO6753: ORACLE APPLICATION EXPRESS .......................................................................... 11-246
11.6 DG0179: DBMS WARNING BANNER ................................................................................... 11-247
11.7 DO0430: ORACLE MANAGEMENT AGENT USE ..................................................................... 11-250
12. APPENDIX A – IAVM BULLETIN COMPLIANCE............................................................ 12-252

13. APPENDIX B – RECORD OF CHANGES............................................................................. 13-253

14. APPENDIX C – VMS SRR PROCESS GUIDE FOR ORACLE DB SERVER................... 14-254
14.1 VMS TERMINOLOGY .......................................................................................................... 14-254
14.2 DATABASE VMS MAINTENANCE ........................................................................................ 14-255
15. APPENDIX D – VMS KEY AND STIGID CROSS REFERENCE AND INDEX ............... 15-259

16. APPENDIX E – STIG STIGID / CHECKLIST DISCREPANCY LIST .............................. 16-263

iv V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

1. Introduction

1.1 Overview

The Oracle Database Security Readiness Review (SRR) targets conditions that undermine
the integrity of security, contribute to inefficient security operations and administration,
or may lead to interruption of production operations specific to databases. Additionally,
the review ensures the site has properly installed and implemented the database
environment and that it is being managed in a way that is secure. The items reviewed are
derived from the general requirements listed in the Database Security Technical
Implementation Guide (STIG) as they apply to an Oracle Database Server installation.
The Database STIG requirements are in turn derived from DoD policy documents, most
notably, Department of Defense (DoD) Directive 8500.1 and DoD Instruction 8500.2 and
the Information Assurance (IA) Controls defined therein. This document and the security
check procedures it provides are intended to be used to measure compliance with the
security requirements listed in the Database STIG. Please see the Database STIG for
additional security explanation and discussion to assist in understanding the nature of the
security requirements.

Each security item to review is listed in this document with a procedure for measuring
compliance with the security requirement. The result of the procedure is a status of
compliance with the requirement. Results are assigned as one of the following: O = Open
finding or non-compliance; NF = not a Finding or compliance; NA = Not Applicable or
the item is not applicable to the database version, database use or host platform being
reviewed; and, NR = Not Reviewed or the procedure was not completed so compliance is
not determined.

DISA Field Security Operations (FSO) has assigned a level of urgency to each finding
based on Chief Information Officer (CIO) established criteria for certification and
accreditation. All findings are based on regulations and guidelines. All findings require
correction by the host organization. Category I findings are any vulnerabilities that
provide an attacker immediate access into a machine, super user access, or access that
bypasses a firewall. Category II findings are any vulnerabilities that provide information
that has a high potential of giving access to an intruder. Category III findings are any
vulnerabilities that provide information that potentially could lead to compromise.

NOTE: Security patches required by the DoD IAVM process are reviewed during an
operating system security review.

1.2 Organization of the Checklist

The Database Security Checklist is composed of five major sections and three
appendices. The organizational breakdown proceeds as follows:

1-1 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Section 1 Introduction
This section contains summary information about the sections and
appendices that comprise the Oracle Database Security Checklist
V8, and defines its scope. Supporting documents consulted are
listed in this section.

Section 2 SRR Result Report

This section is the matrix that provides a table list for the reviewer
manually to document review results of the generic (not product-
specific) SRR process for databases.

Section 3 Checklist Procedures

This section includes instruction to the reviewer on how to
proceed with the conduct of the Oracle Database security review.
It includes a list of interfaces and tools required to complete the
review.

Sections 4-7 Oracle Database Check Procedures

These sections include the procedures to determine the final
finding result for each check against the Oracle Database.

Sections 8-11 Oracle Home Check Procedures

These sections include the procedures to determine the final
finding result for each check against the Oracle Home or software
installation.

Appendix A Information Assurance Vulnerability Management (IAVM)

Bulletin Compliance
IAVM’s issued against the Oracle Database Server are assigned to
the host platform. This section provides this information.

Appendix B Record of Changes

This appendix summarizes the changes made to this document.

Appendix C VMS Oracle SRR Process Guide for Databases

This appendix provides instructions for entering SRR results into
VMS.

Appendix D STIGID/VMS Key cross reference and index

This appendix provides a cross reference of VMS key and STIGID
check ref numbers with page references.

1-2 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Appendix E STIG STIGID / CHECKLIST DISCREPANCY LIST

This appendix contains a list of general requirements listed in the
Database STIG that are not directly addressed in this checklist.

1.3 Supported Versions

This checklist provides instructions for review of Oracle Database Server versions 9.2
through version 11.1.

1.4 Document Effective Date

This document is current as of the release date. Updates are made to update underlying
DoD policy or to correct errors, omissions, or to clarify guidance.

1.5 Review Method

The goal is to perform a successful Security Readiness Review (SRR) of an Oracle

database. An SRR evaluation script that measures compliance for some check items listed
in this document is available. These checks show Check Type: Auto in the informational
table supplied for the check. Checks may also be marked as Check Type: Interview,
Manual or Verify. In these cases, the script cannot determine the outcome of the script
results and manual procedures are required to complete the check.

1.6 Referenced Documents

The following table enumerates the documents and resources consulted:

Date Document Description

19 Sep 2007 Database Security Technical Implementation Guide, Version 8.1
Release 1

1-3 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

2. Oracle Database SRR Results Report

Unclassified UNTIL FILLED IN
CIRCLE ONE
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on classification of system reviewed:

Unclassified System = FOUO Checklist
Confidential System = CONFIDENTIAL Checklist
Secret System = SECRET Checklist
Top Secret System = SECRET Checklist

This checklist will become effective on 15 Jun 2008.

Reviewer: Date:
Type of Review (Remote,
System: Sample, Full):_____________

Finding Totals: Comments:

Category I:
Category II:
Category III:

Total:

2.1 Site Information

Site:

System Administrator Information:

Name:
E-mail Address:
Phone # (Commercial): ( ) DSN:

IAO Information:
Name:
E-Mail Address
Phone # (Commercial) ( ) DSN:

DBA Information:
Name:
E-mail Address:
Phone # (Commercial): ( ) DSN:

2-1 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

2.2 System Information

System Detail

System ID or Host Name

Hardware Platform
Operating System
Operating System Version
Relational Database Management System
Relational Database Management System
Version
RDBMS Software OS Owner Account Name
Database Instance Identifier
COTS/GOTS Application / Schema Name(s)
Application Software OS Owner Account
Name
Instance IP Port Listening on
Number/Name of Other Instances/RDBMS on
this Host

Summary of Database SRR Findings By Category

Total Possible Actual

Category Findings Findings
Category I 10
Category II 134
Category III 24
Total Findings 168

2-2 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

2.3 SRR Results

Method:
Auto = Automated by script
Verify = Script returns information to complete review
Manual = Script does not provide data. Results determined by following technical procedure
Interview = Results determined by examining documentation and interviewing responsible personnel (usually IAO or DBA)

Listed in order of STIGID / VMSKEY

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-8 Auto o Open Finding The OS_ROLES configuration DO0240 / Oracle OS_ROLES CAT 3
o Not a Finding parameter is not set to FALSE V0002519 parameter
o Not Applicable
o Not Reviewed
4-9 Auto o Open Finding The AUDIT_SYS_OPERATIONS DO0241 / Oracle CAT 2
o Not a Finding parameter is not set to TRUE V0003855 AUDIT_SYS_OPERATIO
o Not Applicable NS parameter
o Not Reviewed
4-10 Auto o Open Finding The GLOBAL_NAMES parameter is DO0242 / Oracle GLOBAL_NAMES CAT 3
o Not a Finding not set to TRUE V0003856 parameter
o Not Applicable
o Not Reviewed
4-11 Auto o Open Finding The _TRACE_FILES_PUBLIC DO0243 / Oracle CAT 2
o Not a Finding parameter is present and set to TRUE V0003857 _TRACE_FILES_PUBLIC
o Not Applicable parameter
o Not Reviewed

2-1 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-12 Auto o Open Finding The AUDIT_TRAIL parameter is set to DO3413 / Oracle AUDIT_TRAIL CAT 2
o Not a Finding NONE V0002523 parameter
o Not Applicable
o Not Reviewed
4-13 Auto o Open Finding The OS_AUTHENT_PREFIX has not DO3447 / Oracle CAT 3
o Not a Finding been set to a value other than OPS$. V0002531 OS_AUTHENT_PREFIX
o Not Applicable parameter
o Not Reviewed
4-14 Auto o Open Finding The REMOTE_OS_AUTHENT DO3538 / Oracle CAT 1
o Not a Finding configuration parameter is set to V0002554 REMOTE_OS_AUTHENT
o Not Applicable TRUE. parameter
o Not Reviewed
4-15 Auto o Open Finding The REMOTE_OS_ROLES DO3539 / Oracle CAT 1
o Not a Finding configuration parameter is set to V0002555 REMOTE_OS_ROLES
o Not Applicable TRUE. parameter
o Not Reviewed
4-16 Auto o Open Finding The SQL92_SECURITY configuration DO3540 / Oracle CAT 2
o Not a Finding parameter is not set to TRUE. V0002556 SQL92_SECURITY
o Not Applicable parameter
o Not Reviewed
4-17 Auto o Open Finding The DO3546 / Oracle CAT 2
o Not a Finding REMOTE_LOGIN_PASSWORDFILE is V0002558 REMOTE_LOGIN_PASS
o Not Applicable set to SHARED. WORDFILE parameter
o Not Reviewed
4-18 Auto o Open Finding The UTL_FILE_DIR configuration DO3547 / Oracle UTL_FILE_DIR CAT 1
o Not a Finding parameter is set to *. V0002559 parameter
o Not Applicable
o Not Reviewed

2-2 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-19 Auto o Open Finding The DO3685 / Oracle CAT 3
o Not a Finding O7_DICTIONARY_ACCESSIBILITY V0002586 O7_DICTIONARY_ACCE
o Not Applicable configuration parameter is set to SSIBILITY parameter
o Not Reviewed TRUE.
4-20 Auto o Open Finding The RESOURCE_LIMIT configuration DO3696 / Oracle CAT 2
o Not a Finding parameter is set to FALSE. V0002593 RESOURCE_LIMIT
o Not Applicable parameter
o Not Reviewed
4-21 Auto o Open Finding The DBLINK_ENCRYPT_LOGIN DO3698 / Oracle CAT 1
o Not a Finding configuration parameter is set to V0002595 DBLINK_ENCRYPT_LOG
o Not Applicable FALSE. IN parameter
o Not Reviewed
4-22 Auto o Open Finding Case sensitivity for passwords is DO6748 / Oracle CAT 2
o Not a Finding disabled. V0016033 SEC_CASE_SENSITIVE
o Not Applicable _LOGON parameter
o Not Reviewed
4-23 Auto o Open Finding The Oracle DO6749 / Oracle CAT 2
o Not a Finding SEC_MAX_FAILED_LOGIN_ATTEMP V0016035 SEC_MAX_FAILED_LOG
o Not Applicable TS parameter is set to 0 or greater IN_ATTEMPTS
o Not Reviewed than 10. parameter
4-24 Auto o Open Finding The Oracle DO6750 / Oracle CAT 2
o Not a Finding SEC_PROTOCOL_ERROR_FURTHE V0016053 SEC_PROTOCOL_ERR
o Not Applicable R_ACTION parameter is not set to OR_FURTHER_ACTION
o Not Reviewed DELAY or DROP. parameter
4-25 Auto o Open Finding The Oracle DO6752 / Oracle CAT 2
o Not a Finding SEC_PROTOCOL_ERROR_TRACE_ V0016054 SEC_PROTOCOL_ERR
o Not Applicable ACTION parameter is set to NONE. OR_TRACE_ACTION
o Not Reviewed parameter

2-3 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-26 Auto o Open Finding Administrative privileges have been DG0117 / DBMS administrative CAT 2
o Not a Finding directly assigned to database accounts V0015627 privilege assignment
o Not Applicable and not assigned via roles.
o Not Reviewed
4-27 Auto o Open Finding The following user accounts have the DO0155 / Oracle default tablespace CAT 2
o Not a Finding SYSTEM tablespace specified as the V0003846 assignment
o Not Applicable default tablespace:
o Not Reviewed
4-28 Auto o Open Finding Users have been granted object DO3451 / WITH GRANT OPTION CAT 2
o Not a Finding permissions with the WITH GRANT V0002533 privileges
o Not Applicable OPTION.
o Not Reviewed
4-29 Auto o Open Finding Unauthorized users have been granted DO3609 / System privileges granted CAT 2
o Not a Finding system privileges with the WITH V0002561 WITH ADMIN OPTION
o Not Applicable ADMIN OPTION.
o Not Reviewed
4-30 Auto o Open Finding System privileges have been granted DO3612 / Oracle system privilege CAT 2
o Not a Finding to PUBLIC. V0002564 assignment
o Not Applicable
o Not Reviewed
4-31 Auto o Open Finding Alter, index, and/or reference object DO3473 / Application user role CAT 2
o Not a Finding privileges have been granted to V0002537 privileges
o Not Applicable unauthorized database user accounts.
o Not Reviewed
4-32 Auto o Open Finding PUBLIC has been granted execute DO3475 / Oracle PUBLIC access to CAT 2
o Not a Finding permissions on one or more of the V0002539 restricted packages
o Not Applicable restricted packages: UTL_FILE,
o Not Reviewed UTL_SMTP, UTL_TCP, UTL_HTTP,
DBMS_RANDOM, DBMS_LOB,
DBMS_SQL, DBMS_SYS_SQL,
DBMS_JOB,

2-4 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
DBMS_BACKUP_RESTORE,
DBMS_OBFUSCATION_TOOLKIT

4-34 Auto o Open Finding Oracle accounts have permission to DO3686 / Oracle SYS.LINK$ table CAT 1
o Not a Finding view the table SYS.LINK$. V0002587 access (10.1 and earlier)
o Not Applicable
o Not Reviewed
4-35 Auto o Open Finding Permissions to application objects DO3689 / Oracle object permission CAT 2
o Not a Finding found granted to PUBLIC. V0002589 assignment to PUBLIC
o Not Applicable
o Not Reviewed
4-36 Auto o Open Finding Oracle predefined roles are granted to DO0170 / Oracle predefined roles CAT 2
o Not a Finding application roles, application users, or V0002514
o Not Applicable application administrators.
o Not Reviewed
4-38 Auto o Open Finding Application roles have been granted to DO0320 / Oracle PUBLIC role CAT 2
o Not a Finding PUBLIC. V0003437 privileges
o Not Applicable
o Not Reviewed
4-39 Auto o Open Finding Permissions are assigned directly to DO3709 / Oracle direct privilege CAT 2
o Not a Finding user accounts and not via roles. V0002596 assignment to accounts
o Not Applicable
o Not Reviewed
4-41 Auto o Open Finding Unlimited account lock times are not DG0133 / DBMS Account lock time CAT 2
o Not a Finding specified for locked accounts. V0015639
o Not Applicable
o Not Reviewed

2-5 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-42 Auto o Open Finding Demonstration accounts and DO0400 / Oracle demo applications CAT 2
o Not a Finding applications exist in the database. V0003444 and accounts
o Not Applicable
o Not Reviewed
4-44 Auto o Open Finding Passwords for default accounts have DO3445 / Oracle default account CAT 1
o Not a Finding not been changed from their default V0002529 passwords
o Not Applicable values.
o Not Reviewed
4-52 Auto o Open Finding Profiles have been found that exceed DO3487 / Oracle password reuse CAT 2
o Not a Finding either the maximum V0002541 restrictions
o Not Applicable PASSWORD_REUSE_MAX number or
o Not Reviewed the maximum
PASSWORD_REUSE_TIME.
4-54 Auto o Open Finding Profiles have been found without a DO3504 / Oracle CAT 2
o Not a Finding password verification function V0002543 PASSWORD_VERIFY_F
o Not Applicable specified. UNCTION profile
o Not Reviewed parameter
4-60 Auto o Open Finding The failed login attempts have not DO3537 / Oracle CAT 2
o Not a Finding been set to a maximum of 3 for V0002553 FAILED_LOGIN_ATTEM
o Not Applicable interactive accounts. PTS profile parameter
o Not Reviewed
4-62 Auto o Open Finding Two or more redo log file groups DO0270 / Oracle redo log file CAT 2
o Not a Finding located on separate physical disks and V0002522 availability
o Not Applicable with two members each have not been
o Not Reviewed configured.
4-63 Auto o Open Finding Application objects are not being DO3610 / Oracle minimum object CAT 2
o Not a Finding audited for RENAME. Default object V0002562 auditing
o Not Applicable auditing for RENAME actions by
o Not Reviewed access has not been enabled. The
AUD$ table is not being audited for
update and delete actions.

2-6 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
4-65 Auto o Open Finding Oracle auditing is not configured to DO3692 / Oracle audited events CAT 2
o Not a Finding audit all required events. V0002592
o Not Applicable
o Not Reviewed
5-67 Interview o Open Finding Audit trail data is not maintained for DG0030 / DBMS audit data CAT 2
o Not a Finding one year. V0002507 maintenance
o Not Applicable
o Not Reviewed
5-68 Interview o Open Finding Sensitive information from production DG0076 / Sensitive data import to CAT 2
o Not a Finding database exports remains unmodified V0003819 development DBMS
o Not Applicable after import to a development
o Not Reviewed database.
5-69 Interview o Open Finding Application user privilege assignment DG0080 / Application user privilege CAT 2
o Not a Finding is not reviewed monthly or more V0003821 assignment review
o Not Applicable frequently to ensure compliance with
o Not Reviewed least privilege and documented policy.
5-70 Interview o Open Finding DBMS symmetric keys are not DG0165 / DBMS symmetric key CAT 2
o Not a Finding protected in accordance with NSA or V0015654 management
o Not Applicable NIST-approved key management
o Not Reviewed technology or processes.
5-71 Interview o Open Finding Configured access controls do not DG0138 / DBMS access to sensitive CAT 2
o Not a Finding match those found in the System V0015642 data
o Not Applicable Security Plan.
o Not Reviewed
5-72 Interview o Open Finding Insufficient documentation and DG0074 / DBMS inactive accounts CAT 2
o Not a Finding implemented procedures exists for V0015130
o Not Applicable monitoring DBMS accounts.
o Not Reviewed

2-7 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
5-73 Interview o Open Finding Access to the Oracle Internal account DO0140 / Oracle default account CAT 2
o Not a Finding is not restricted to authorized DBAs. V0002511 access
o Not Applicable
o Not Reviewed
5-74 Interview o Open Finding Transaction logs are not being DG0031 / DBMS audit of changes to CAT 2
o Not a Finding reviewed for unauthorized modification V0015133 data
o Not Applicable of classified data. Users are not
o Not Reviewed notified of the last time and date of
modification to classified data.
5-75 Interview o Open Finding Users are not alerted upon login of DG0135 / DBMS connection alert CAT 2
o Not a Finding previous successful connections or V0015641
o Not Applicable unsuccessful attempts to access their
o Not Reviewed account.
6-76 Manual o Open Finding Unauthorized non-interactive, n-tier DG0060 / DBMS shared account CAT 2
o Not a Finding connection, or shared database V0002424 authorization
o Not Applicable accounts exist.
o Not Reviewed
6-77 Manual o Open Finding Unauthorized database accounts have DG0070 / DBMS user account CAT 2
o Not a Finding been found. V0002508 authorization
o Not Applicable
o Not Reviewed
6-78 Manual o Open Finding Privileges assigned to developers on a DG0089 / Developer DBMS CAT 3
o Not a Finding production system are not restricted to V0015114 privileges on production
o Not Applicable development objects and databases
o Not Reviewed configurations.
6-79 Manual o Open Finding Replication accounts are granted DBA DG0100 / Replication account CAT 2
o Not a Finding privileges. V0015619 privileges
o Not Applicable
o Not Reviewed

2-8 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-80 Verify o Open Finding Asymmetric keys used by the DBMS DG0166 / Protection of DBMS CAT 2
o Not a Finding for encryption of sensitive data do not V0015142 asymmetric encryption
o Not Applicable use DoD PKI Certificates. Private keys keys
o Not Reviewed used by the DBMS are not protected in
accordance with NIST (unclassified
data) or NSA (classified data)
approved key management and
processes.
7-82 Verify o Open Finding The diagnostic destination files and DO0233 / Oracle CAT 2
o Not a Finding directories are not protected from V0015747 DIAGNOSTIC_DEST
o Not Applicable unauthorized access. parameter
o Not Reviewed
7-84 Verify o Open Finding The audit file destination directory is DO0234 / Oracle CAT 2
o Not a Finding not protected from unauthorized V0003850 AUDIT_FILE_DEST
o Not Applicable access. parameter
o Not Reviewed
7-86 Verify o Open Finding The user dump file destination DO0235 / Oracle CAT 2
o Not a Finding directory is not protected from V0003851 USER_DUMP_DEST
o Not Applicable unauthorized access. parameter
o Not Reviewed
7-88 Verify o Open Finding The background dump file destination DO0236 / Oracle CAT 2
o Not a Finding directory is not protected from V0003852 BACKGROUND_DUMP_
o Not Applicable unauthorized access. DEST parameter
o Not Reviewed
7-90 Verify o Open Finding The core dump file destination DO0237 / Oracle CAT 2
o Not a Finding directory is not protected from V0003853 CORE_DUMP_DEST
o Not Applicable unauthorized access. parameter
o Not Reviewed

2-9 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-92 Verify o Open Finding The archive log file destination DO0238 / Oracle CAT 2
o Not a Finding directory is not protected from V0003854 LOG_ARCHIVE_DEST
o Not Applicable unauthorized access. parameter
o Not Reviewed
7-94 Verify o Open Finding DBMS system data files are not stored DG0112 / DBMS system data file CAT 2
o Not a Finding in dedicated disk partitions or V0015623 protection
o Not Applicable directories.
o Not Reviewed
7-95 Verify o Open Finding The spfileSID.ora and/or initSID.ora file DO0275 / Oracle critical file access CAT 2
o Not a Finding are not protected from unauthorized V0003858
o Not Applicable access.
o Not Reviewed
7-97 Verify o Open Finding Database applications have not been DG0015 / Data Definition Language CAT 3
o Not a Finding restricted from using static DDL V0003727 use
o Not Applicable statements to modify the application
o Not Reviewed schema.
7-98 Verify o Open Finding The following application user accounts DO0157 / Oracle storage use CAT 3
o Not a Finding have been granted storage quotas on V0003847 privileges
o Not Applicable the listed tablespace:
o Not Reviewed
7-99 Verify o Open Finding Unauthorized users have been granted DO0350 / Oracle system privilege CAT 2
o Not a Finding system privileges. V0003439 assignment
o Not Applicable
o Not Reviewed
7-101 Verify o Open Finding Roles have been granted using the DO3622 / Oracle roles granted CAT 2
o Not a Finding WITH ADMIN OPTION to non-DBA or V0002574 WITH ADMIN OPTION
o Not Applicable non-Application administrator
o Not Reviewed accounts.

2-10 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-102 Verify o Open Finding Production databases are not DG0077 / Production data CAT 2
o Not a Finding protected from unauthorized access by V0003820 protection on a shared
o Not Applicable developers on shared system
o Not Reviewed production/development host systems.
7-104 Verify o Open Finding Oracle object ownership is not DO0150 / Oracle object ownership CAT 2
o Not a Finding restricted to Oracle default accounts, V0002512
o Not Applicable DBAs, or Application Owner accounts.
o Not Reviewed The following unauthorized database
accounts own database objects:

7-106 Auto o Open Finding The audit table is not owned by SYS or DO0190 / Oracle audit table CAT 2
o Not a Finding SYSTEM. V0002515 ownership
o Not Applicable
o Not Reviewed
7-107 Verify o Open Finding The following application owner DO0231 / Oracle application object CAT 2
o Not a Finding accounts do not have a dedicated V0003849 owner tablespaces
o Not Applicable application tablespace:
o Not Reviewed
7-108 Verify o Open Finding Unauthorized user accounts have been DO0310 / Oracle system data and CAT 2
o Not a Finding granted access to system tables and/or V0003436 table access
o Not Applicable DBA views.
o Not Reviewed
7-110 Verify o Open Finding Accounts were found with unauthorized DO3446 / Oracle audit record CAT 2
o Not a Finding permissions on the audit table. V0002530 access
o Not Applicable
o Not Reviewed
7-111 Verify o Open Finding Application administration roles are DO0340 / Oracle Application CAT 2
o Not a Finding enabled by default. V0003438 administration roles
o Not Applicable enablement
o Not Reviewed

2-11 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-112 Verify o Open Finding The DBA role has been granted to DO3440 / Oracle DBA role CAT 2
o Not a Finding unauthorized users. V0002527 assignment
o Not Applicable
o Not Reviewed
7-113 Verify o Open Finding New passwords are not required to DG0071 / Password change CAT 2
o Not a Finding differ from old passwords by more than V0003815 variance
o Not Applicable four characters.
o Not Reviewed
7-115 Verify o Open Finding Users can change passwords within 24 DG0072 / DBMS password change CAT 2
o Not a Finding hours of the last password change. V0015612 time limit
o Not Applicable
o Not Reviewed
7-117 Verify o Open Finding Password-verify function is not in place DG0127 / DBMS account password CAT 2
o Not a Finding to prevent the use of easily guessed V0015634 easily guessed
o Not Applicable passwords.
o Not Reviewed
7-119 Verify o Open Finding Application object owner accounts are DO0160 / Oracle application object CAT 2
o Not a Finding not disabled. V0002513 owner accounts
o Not Applicable
o Not Reviewed
7-121 Verify o Open Finding Access to default replication accounts DO0210 / Oracle shared replication CAT 2
o Not a Finding is not restricted to authorized DBAs. V0002516 account access
o Not Applicable
o Not Reviewed
7-122 Verify o Open Finding Profiles have been found with DO3485 / Oracle CAT 2
o Not a Finding PASSWORD_LIFE_TIME not set, set to V0002609 PASSWORD_LIFE_TIME
o Not Applicable more than 60 days for interactive profile parameter
o Not Reviewed accounts and set to more than 365 days
for non-interactive accounts.

2-12 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-124 Verify o Open Finding Database DEFAULT profile has idle time DO3536 / Oracle IDLE_TIME profile CAT 2
o Not a Finding settings that exceed the maximum of 15 V0002552 parameter
o Not Applicable minutes. Database user profiles have an
o Not Reviewed idle time setting greater than 60 minutes
and/or are undocumented in the System
Security Plan.
7-126 Verify o Open Finding SYSDBA privileges are granted to DO0380 / Oracle SYSDBA CAT 2
o Not a Finding unauthorized DBAs. SYSDBA V0003442 password file users
o Not Applicable connections are used for daily DBA
o Not Reviewed operations and not restricted to
required use.
7-127 Verify o Open Finding Unauthorized database links are DG0075 / DBMS links to external CAT 2
o Not a Finding defined. The following database links V0003818 databases
o Not Applicable define connections between production
o Not Reviewed and development databases:
7-129 Verify o Open Finding Sensitive data is not labeled. DG0087 / DBMS sensitive data CAT 3
o Not a Finding V0015616 labeling
o Not Applicable
o Not Reviewed
7-130 Verify o Open Finding Custom and GOTS application source DG0091 / DBMS source code CAT 3
o Not a Finding code stored in the database has not V0003823 encoding or encryption
o Not Applicable been protected with encryption or
o Not Reviewed encoding.
7-132 Verify o Open Finding Changes to DBMS security labels are DG0172 / DBMS classification level CAT 2
o Not a Finding not audited. V0015657 audit
o Not Applicable
o Not Reviewed
7-133 Verify o Open Finding The Oracle instance names contain the DO0220 / Oracle instance names CAT 2
o Not a Finding Oracle version number. V0002517
o Not Applicable
o Not Reviewed

2-13 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
7-134 Verify o Open Finding The Oracle SID is a default database DO0221 / Oracle default SID name CAT 3
o Not a Finding SID. V0003848
o Not Applicable
o Not Reviewed
7-135 Verify o Open Finding Fixed User/Public database links are in DO0250 / Oracle database link CAT 2
o Not a Finding use without replication or authorization. V0002520 usage
o Not Applicable
o Not Reviewed
7-136 Verify o Open Finding A minimum of two Oracle control files DO0260 / Oracle control file CAT 2
o Not a Finding are not configured and stored on V0002521 availability
o Not Applicable separate physical disks.
o Not Reviewed
7-137 Verify o Open Finding The XDB Protocol server is not DO0420 / Oracle XML DB CAT 3
o Not a Finding disabled and is not required. V0003865
o Not Applicable
o Not Reviewed
8-138 Verify o Open Finding The latest patchset and CPU security DG0003 / DBMS patchset/CPU CAT 2
o Not a Finding patches have not been installed. V0005659 security patch level
o Not Applicable
o Not Reviewed
8-141 Auto o Open Finding The Oracle version is not a supported DO0100 / Oracle version support CAT 1
o Not a Finding version. V0002509
o Not Applicable
o Not Reviewed
9-143 Interview o Open Finding Database executable and configuration DG0010 / DBMS software CAT 3
o Not a Finding files are not being monitored for V0002420 monitoring
o Not Applicable unauthorized modifications.
o Not Reviewed

2-14 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
9-144 Interview o Open Finding Configuration management procedures DG0011 / DBMS Configuration CAT 3
o Not a Finding are not defined and implemented for V0003726 Management
o Not Applicable database software modifications.
o Not Reviewed
9-145 Interview o Open Finding Database backup procedures are not DG0013 / Database backup CAT 2
o Not a Finding defined and implemented. V0015126 procedures
o Not Applicable
o Not Reviewed
9-147 Interview o Open Finding Backup and recover procedures have DG0020 / DBMS backup and CAT 2
o Not a Finding not been implemented/tested. V0015129 recovery testing
o Not Applicable
o Not Reviewed
9-148 Interview o Open Finding Database software, applications and DG0050 / DBMS software and CAT 2
o Not a Finding configuration files are not monitored to V0002423 configuration file
o Not Applicable discover unauthorized changes. monitoring
o Not Reviewed
9-150 Interview o Open Finding A single database connection DG0053 / DBMS client connection CAT 2
o Not a Finding configuration file is used to configure V0003809 definition file
o Not Applicable all database clients regardless of
o Not Reviewed differing client access requirements.
9-151 Interview o Open Finding Procedures for establishing temporary DG0066 / Temporary password CAT 2
o Not a Finding passwords that meet DoD password V0003811 procedures
o Not Applicable requirements for new accounts are not
o Not Reviewed defined and implemented.
9-152 Interview o Open Finding Database passwords used by batch DG0067 / DBMS account password CAT 1
o Not a Finding and/or job processes are not stored in V0003812 external storage
o Not Applicable encrypted format.
o Not Reviewed

2-15 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
9-153 Interview o Open Finding Applications that access the database DG0068 / DBMS application CAT 2
o Not a Finding that echo or use the password entry in V0003813 password display
o Not Applicable clear text are not protected from
o Not Reviewed password display.
9-154 Interview o Open Finding Procedures and restrictions for import DG0069 / Production data import to CAT 2
o Not a Finding of production data to development V0015140 development DBMS
o Not Applicable databases are not implemented or
o Not Reviewed followed.
9-155 Interview o Open Finding Automated tools are not used to DG0083 / Audit record report CAT 2
o Not a Finding provide audit trail reports. V0015102 automation
o Not Applicable
o Not Reviewed
9-156 Interview o Open Finding Privileges assigned to DBA roles are DG0086 / DBA role privilege CAT 2
o Not a Finding not monitored to detect assignment of V0015106 monitoring
o Not Applicable unauthorized or excess privileges.
o Not Reviewed
9-157 Interview o Open Finding Procedures and evidence of DG0088 / DBMS vulnerability mgmt CAT 3
o Not a Finding implementation do not exist for periodic V0015112 and IA compliance testing
o Not Applicable reviews of DBMS IA and vulnerability
o Not Reviewed management compliance.
9-158 Interview o Open Finding Audit trail data is not reviewed daily or DG0095 / DBMS Audit trail data CAT 2
o Not a Finding more frequently. V0003827 review
o Not Applicable
o Not Reviewed
9-159 Interview o Open Finding The DBMS IA policies and procedures DG0096 / DBMS IA policy and CAT 3
o Not a Finding are not viewed annually or more V0015138 procedure review
o Not Applicable frequently.
o Not Reviewed

2-16 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
9-160 Interview o Open Finding Plans and procedures for testing DG0097 / DBMS Testing Plans and CAT 2
o Not a Finding DBMS installations, upgrades and V0015139 Procedures
o Not Applicable patches are not defined and followed
o Not Reviewed prior to production implementation.
9-161 Interview o Open Finding Sensitive data is stored in the DG0107 / Sensitive data CAT 2
o Not a Finding database, but is not identified in the V0015144 identification in the DBMS
o Not Applicable AIS Functional Architecture.
o Not Reviewed
9-162 Interview o Open Finding The DBMS restoration priority is not DG0108 / DBMS Restoration CAT 3
o Not a Finding assigned. V0015145 Priority
o Not Applicable
o Not Reviewed
9-163 Interview o Open Finding The DBMS host system is not DG0110 / DBMS Host Shared with a CAT 2
o Not a Finding prevented from also supporting an V0015179 Security Service
o Not Applicable independent security service.
o Not Reviewed
9-164 Interview o Open Finding The DBMS is not included in nor does DG0154 / DBMS System Security CAT 3
o Not a Finding it have defined for it a System Security V0015150 Plan
o Not Applicable Plan.
o Not Reviewed
9-165 Interview o Open Finding Remote administrative access to the DG0159 / Review of DBMS remote CAT 2
o Not a Finding database is not monitored by the IAO V0015118 administrative access
o Not Applicable or IAM.
o Not Reviewed
9-166 Interview o Open Finding An automated tool that monitors audit DG0161 / DBMS audit tool CAT 2
o Not a Finding data and immediately reports V0015103
o Not Applicable suspicious activity has not been
o Not Reviewed employed for the DBMS.

2-17 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
9-167 Interview o Open Finding The database is accessible to internet DG0186 / DBMS network perimeter CAT 2
o Not a Finding users and is not located in a DMZ. V0015122 protection
o Not Applicable
o Not Reviewed
9-168 Interview o Open Finding DBMS software libraries are not DG0187 / DBMS software file CAT 2
o Not a Finding backed up. V0015121 backups
o Not Applicable
o Not Reviewed
9-169 Interview o Open Finding Privileges assigned to developers on DG0194 / DBMS developer privilege CAT 2
o Not a Finding shared production and development V0015108 monitoring on shared
o Not Applicable DBMS hosts and the DBMS are not DBMS
o Not Reviewed monitored every three months or more
frequently for unauthorized changes.
9-170 Interview o Open Finding DBMS backup and restoration files are DG0064 / DBMS Backup and CAT 2
o Not a Finding not protected from unauthorized V0015120 Restoration File
o Not Applicable access. Protection
o Not Reviewed
9-171 Interview o Open Finding The IAM does not review changes to DG0118 / IAM review of change in CAT 2
o Not a Finding DBA role assignments. V0015127 DBA assignments
o Not Applicable
o Not Reviewed
9-172 Interview o Open Finding The DBMS software installation DG0040 / DBMS software owner CAT 2
o Not a Finding account is not restricted to authorized V0002422 account access
o Not Applicable users.
o Not Reviewed
9-173 Interview o Open Finding Use of the DBMS installation account DG0041 / DBMS Installation CAT 2
o Not a Finding is not logged. V0015110 account use logging
o Not Applicable
o Not Reviewed

2-18 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
9-174 Interview o Open Finding Use of the DBMS software installation DG0042 / DBMS software CAT 2
o Not a Finding account is not restricted to DBMS V0015111 installation account use
o Not Applicable software installation, upgrade and
o Not Reviewed maintenance.
10-175 Manual o Open Finding System resources and database DG0017 / DBMS shared CAT 2
o Not a Finding identifiers are not clearly separated V0003803 production/development
o Not Applicable and/or defined. use
o Not Reviewed
10-177 Manual o Open Finding A baseline of database application DG0021 / DBMS software and CAT 2
o Not a Finding software is not maintained. V0003806 configuration baseline
o Not Applicable
o Not Reviewed
10-178 Manual o Open Finding Applications used to access the DG0052 / DBMS software access CAT 2
o Not a Finding database are not logged in the DBMS V0003807 audit
o Not Applicable audit trail.
o Not Reviewed
10-179 Manual o Open Finding The audit logs are not monitored to DG0054 / DBMS software access CAT 3
o Not a Finding discover DBMS access using V0015611 audit review
o Not Applicable unauthorized applications.
o Not Reviewed
10-180 Manual o Open Finding The DBMS is operated without DG0109 / DBMS Dedicated Host CAT 2
o Not a Finding authorization on a host system V0015146
o Not Applicable supporting other application services.
o Not Reviewed
10-182 Manual o Open Finding The DBMS host platform and other DG0175 / DBMS host and CAT 2
o Not a Finding dependent applications are not V0015116 component STIG
o Not Applicable configured in compliance with compliancy
o Not Reviewed applicable STIG requirements.

2-19 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
10-183 Manual o Open Finding The DBMS audit logs are not included DG0176 / DBMS audit log backups CAT 2
o Not a Finding in backup operations. V0015117
o Not Applicable
o Not Reviewed
10-184 Manual o Open Finding Database data files are stored in the DG0012 / DBMS software storage CAT 2
o Not a Finding same logical storage partition as V0004754 location
o Not Applicable database application software.
o Not Reviewed
10-185 Manual o Open Finding Application software is not owned by DG0019 / DBMS software CAT 3
o Not a Finding the Software Application account. V0003805 ownership
o Not Applicable
o Not Reviewed
10-187 Manual o Open Finding Database data files are not encrypted. DG0092 / DBMS data file encryption CAT 2
o Not a Finding V0015132
o Not Applicable
o Not Reviewed
10-188 Manual o Open Finding DBMS production application and data DG0195 / DBMS host file privileges CAT 2
o Not a Finding directories are not protected from V0015109 assigned to developers
o Not Applicable developers on shared
o Not Reviewed production/development DBMS host
systems.
10-189 Manual o Open Finding Files containing passwords or DO0133 / Oracle connection CAT 2
o Not a Finding cryptographic keys have not been V0003844 credential protection
o Not Applicable protected from unauthorized access.
o Not Reviewed
10-191 Manual o Open Finding The passwords have been stored DO3847 / Oracle spoolmain.log file CAT 2
o Not a Finding unencrypted in the spoolmain.log file. V0002607 (9i and earlier)
o Not Applicable
o Not Reviewed

2-20 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
10-192 Manual o Open Finding Unauthorized permissions have been DO5037 / Oracle SQLNet and CAT 2
o Not a Finding defined for the SQLNet and Listener V0002612 listener log files protection
o Not Applicable log files.
o Not Reviewed
10-195 Manual o Open Finding Access to DBMS security data is not DG0140 / DBMS security data CAT 2
o Not a Finding audited. V0015643 access audit
o Not Applicable
o Not Reviewed
10-196 Manual o Open Finding The OS DBA group contains DO0145 / Oracle SYSDBA OS CAT 3
o Not a Finding unauthorized members. V0003845 group membership
o Not Applicable
o Not Reviewed
10-197 Manual o Open Finding Cryptography is not configured to DG0025 / DBMS encryption CAT 2
o Not a Finding comply with FIPS 140-2 requirements. V0015610 compliance
o Not Applicable
o Not Reviewed
10-199 Manual o Open Finding Remote administrative connections to DG0093 / Remote administration CAT 2
o Not a Finding the database are not encrypted. V0003825 encryption for
o Not Applicable confidentiality
o Not Reviewed
10-201 Manual o Open Finding The DBMS listener does not restrict DG0103 / DBMS Listener network CAT 2
o Not a Finding database access by network address. V0015621 restrictions
o Not Applicable
o Not Reviewed
10-203 Manual o Open Finding Sensitive data served by the DBMS is DG0167 / Encryption of DBMS CAT 1
o Not a Finding not protected by encryption when V0015104 sensitive data in transit
o Not Applicable transmitted across the network.
o Not Reviewed

2-21 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
10-204 Manual o Open Finding Remote administration of the DBMS is DG0198 / DBMS remote CAT 2
o Not a Finding not restricted to dedicated and V0015662 administration encryption
o Not Applicable encrypted network addresses and
o Not Reviewed ports.
10-205 Manual o Open Finding The Oracle network listener is not DO0285 / Oracle listener network CAT 2
o Not a Finding configured to use a standard, default V0003861 port assignment
o Not Applicable port.
o Not Reviewed
10-206 Manual o Open Finding The INBOUND_CONNECT_TIMEOUT or DO0286 / Oracle connection timeout CAT 2
o Not a Finding CONNECT_TIMEOUT parameter is not V0003862 parameter
o Not Applicable set to a value greater than 0.
o Not Reviewed
10-208 Manual o Open Finding The SQLNET.EXPIRE_TIME has not DO0287 / Oracle CAT 2
o Not a Finding been set to a value greater than 0. V0003863 SQLNET.EXPIRE_TIME
o Not Applicable parameter
o Not Reviewed
10-209 Manual o Open Finding The Oracle listener is not protected by DO3630 / Oracle listener CAT 1
o Not a Finding authentication. V0002608 authentication
o Not Applicable
o Not Reviewed
10-213 Manual o Open Finding The Listener ADMIN_RESTRICTIONS DO6740 / Oracle listener CAT 2
o Not a Finding is not set to ON in the listener.ora file. V0003497 ADMIN_RESTRICTIONS
o Not Applicable parameter
o Not Reviewed
10-214 Manual o Open Finding The listener.ora file specifies host DO6746 / Oracle Listener host CAT 3
o Not a Finding names rather than IP addresses to V0016031 references
o Not Applicable identify hosts.
o Not Reviewed

2-22 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
10-215 Manual o Open Finding Remote administration is not disabled DO6747 / Connection Manager CAT 2
o Not a Finding on the connection manager. V0016032 remote administration
o Not Applicable
o Not Reviewed
10-216 Manual o Open Finding The SQLNET.ORA parameter DO6751 / SQLNET.ALLOWED_LO CAT 2
o Not a Finding SQLNET- V0016057 GON_VERSION
o Not Applicable ALLOWED_LOGON_VERSION Is not
o Not Reviewed set to 10 or higher.
10-217 Manual o Open Finding Unnecessary privileges to the host DG0005 / DBMS administration OS CAT 2
o Not a Finding system have been granted to DBA OS V0006756 accounts
o Not Applicable accounts.
o Not Reviewed
10-219 Manual o Open Finding The Oracle software installation DO0120 / Oracle process account CAT 2
o Not a Finding account has been granted excessive V0003842 host system privileges
o Not Applicable host system privileges.
o Not Reviewed
10-221 Manual o Open Finding Oracle processes are not owned by DO0121 / Oracle service and CAT 2
o Not a Finding separate Unix accounts. V0003843 process dedicated
o Not Applicable accounts
o Not Reviewed
10-223 Manual o Open Finding The Oracle software owner umask DO0279 / Oracle software owner CAT 2
o Not a Finding setting is not set to 022 or more V0003860 umask settings
o Not Applicable restrictive.
o Not Reviewed
10-225 Manual o Open Finding Unused database components, DG0016 / DBMS unused CAT 3
o Not a Finding database application software and V0003728 components
o Not Applicable database objects have not been
o Not Reviewed removed.

2-23 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
10-227 Manual o Open Finding Oracle Configuration Manager is not DO6754 / Oracle Configuration CAT 2
o Not a Finding set to disconnected mode for all V0016056 Manager
o Not Applicable database instances.
o Not Reviewed
10-228 Manual o Open Finding DBMS service identification is not DG0104 / DBMS Service CAT 3
o Not a Finding unique or does not clearly identify the V0015622 Identification
o Not Applicable service.
o Not Reviewed
10-230 Manual o Open Finding Database data encryption controls are DG0106 / Database data encryption CAT 2
o Not a Finding not configured in accordance with V0015143 configuration
o Not Applicable application requirements.
o Not Reviewed
10-231 Manual o Open Finding The EXTPROC module exists on the DO0280 / Oracle external procedure CAT 2
o Not a Finding host system and is not in use. The V0002841 access
o Not Applicable EXTPROC is in use and has not been
o Not Reviewed protected from unauthorized access.
10-236 Manual o Open Finding Oracle Net trace file generation is not DO5036 / Oracle Net CAT 2
o Not a Finding enabled. V0016049 TRACE_LEVEL
o Not Applicable
o Not Reviewed
11-238 Verify o Open Finding Database job/batch queues are not DG0051 / Database job/batch CAT 2
o Not a Finding reviewed regularly to detect V0003808 queue monitoring
o Not Applicable unauthorized database job
o Not Reviewed submissions.
11-240 Verify o Open Finding Sensitive information stored in the DG0090 / Sensitive data CAT 2
o Not a Finding database has not been identified and V0015131 identification and
o Not Applicable protected by encryption. encryption
o Not Reviewed

2-24 V8R1.3 Mar 2009

UNCLASSIFIED
 Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Page Method Result Finding Details STIGID/ Short Description CAT

VMSKEY
11-242 Verify o Open Finding The mid-tier database connection DO0360 / DBMS mid-tier application CAT 2
o Not a Finding account is not encrypted, restricted and V0003440 account access
o Not Applicable authenticated in compliance with the
o Not Reviewed policy.
11-244 Verify o Open Finding An upgrade/migration plan has not DG0002 / DBMS version upgrade CAT 2
o Not a Finding been developed to address an V0004758 plan
o Not Applicable unsupported DBMS software version.
o Not Reviewed
11-246 Verify o Open Finding Oracle Application Express is installed DO6753 / Oracle Application CAT 2
o Not a Finding on a production database. V0016055 Express
o Not Applicable
o Not Reviewed
11-247 Verify o Open Finding The DBMS warning banner does not DG0179 / DBMS warning banner CAT 2
o Not a Finding meet DoD policy requirements. V0015658
o Not Applicable
o Not Reviewed
11-250 Verify o Open Finding The Intelligent Agent is not disabled DO0430 / Oracle management CAT 3
o Not a Finding and is not required or is enabled on a V0003866 agent use
o Not Applicable database accessible from the Internet.
o Not Reviewed

2-25 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

3. Oracle Database Server Security Review Procedures

3.1 Review Process Notes

A security review of an Oracle Database Server may be completed by following the
procedures in this section. Each security compliance item of interest is listed with
procedures for determining whether the Oracle Database Server is configured to be
compliant with the requirement or not. Each security item procedure is referred to as a
“check”. A security item is also referred to as “vulnerability”.

There may be more than one installation of the Oracle DBMS software on a single host
platform. There may be multiple Oracle Database Instances (SIDs) defined for a single
Oracle DBMS software installation.

The checks are categorized into the following two categories and four types:

Categories:
− Oracle Home Checks – These checks are applicable once per each Oracle DBMS
software installation. Oracle refers to each installation as an Oracle Home and
assigns an identifier to each. Some of these checks refer to the Oracle network
communication configuration which in some cases occur only once per database
host server.
− Oracle Database Checks – These checks are applicable once per each Oracle
Database Instance (SID). Each Oracle Database Instance (SID) must be checked,
as there are significant security configurations that can be exploited per instance.

Types:
− Manual checks – The reviewer must complete a technical procedure using
SQL*Plus or a similar SQL interface to the Oracle database or another tool to
determine the compliance status.
− Interview checks – The procedure requires a review of available documentation
and interviews of the IAO, DBA or other database points-of-contact to determine
the compliance status.
− Verify checks – If the SRR evaluation script is used, it may or may not be able to
determine a final finding result without action by the reviewer. If it is unable to
provide a final finding result, it may provide information to help complete the
manual procedures provided.
− Automated checks – If the SRR evaluation script is used, it is able to determine
the final finding result without action by the reviewer. Manual procedures are
provided for manual review of compliance if desired.

The checks are listed in the following order:

- Check Category (Database, Installation)

- Check Type (Automated, Interview, Manual, Verify)
- Vulnerability type:
3-1 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

o policy/procedure
o initialization parameter
o file/dir permission
o registry permission
o windows user right
o database administration privilege
o database object privilege
o database role
o database account
o database client configuration
o database network communication
o database Operating System account privilege/configuration
o database software maintenance
o other database configuration
o audit
o privilege
o encryption
o account
o monitor / report
o manage / authorize
- STIGID

The purpose of this separation of checks by Oracle Home and Oracle Database is to
ensure that all multiple occurrences of security controls are reviewed individually and to
avoid duplication of control reviews that affect multiple other security levels. The
additional separations are meant to assist the reviewer to complete the review more
efficiently by grouping checks together that are completed using the same method or tool
such as referring to the documentation in the System Security Plan or using SQL*Plus to
review settings.

3.2 IAVM Compliance

Security patches required by the DoD IAVM process are reviewed during an operating
system security review. Information for security patch compliance for Oracle Database
Server is available in Appendix A of this Oracle Database Security Checklist.

3.3 Review Tools and Interfaces

You should run the review procedures and utilities listed below from the Oracle Database
Server host system. In addition to the operating system tools listed below, some checks
also refer to SQL commands that may be submitted to the database using Oracle’s
SQL*Plus command line utility. Other tools with the same capability as SQL*Plus may
be used.

An SRR evaluation script is also available for use to complete the Oracle Database
security review. The script provides results for all checks designated as being
“automated”. It also provides results for SQL commands specified to complete a manual
review. These checks are indicated as “verify” checks. Checks for which the script
3-2 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

provides no results are marked “Interview” or “Manual”. The SRR script is run locally
from the host prompt. The script is not tested for access to remote databases.

Windows platform tools:

− Windows explorer – review file directory permissions and disk partition
information
− Windows registry editor – review registry values and permissions
− Windows Microsoft Management Console (MMC) – review various Windows
items including users, groups, and services

UNIX platform shell commands and tools:

− vi, gedit or other text editor

In addition to familiarity with operating system tools and commands, the procedures also
assume a familiarity with the Structured Query Language (SQL).

3.4 System Security Plan Overview

Some procedures within this checklist refer to the System Security Plan (SSP). The
System Security Plan is referenced in the DoD Instruction 8500.2 in the following IA
control as:

DCSD-1 IA Documentation
All appointments to required IA roles (e.g., DAA and IAM/IAO) are established in
writing, to include assigned duties and appointment criteria such as training, security
clearance and IT-designation. A System Security Plan is established that describes the
technical, administrative and procedural IA program and policies that govern the DoD
information system, and identifies all IA personnel and specific IA requirements and
objectives (e.g., requirements for data handling or dissemination, system redundancy
and backup or emergency response).

A template for creating an SSP may be found on the DIACAP Knowledge Service
(https://diacap.iaportal.navy.mil/), DIACAP Resources, DIACAP Reference
Library, Sample Documents, ISP_Sample.doc (zipped) or the National Institute of
Standards and Technology (NIST), Special Publication (SP) 800-18, Guide for
Developing Security Plans for Federal Information Systems. This document may be
found at http://csrc.nist.gov/publications/PubsSPs.html. The DIACAP Knowledge
Service also provides a matrix of documentation requirements for the IA Controls to
those required under the previous DITSCAP System Security Authorization Agreement
(SSAA). The matrix may be found under IA Controls, Information on the IA Controls
Matrix of IA Controls to Documentation.

Information required and verified by the procedures in this checklist should be contained
in the SSP under the IA control referenced. However, this document concerns itself only
with the specific controls referenced in it and does not review and verify the entirety of
the SSP.

3-3 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

3.5 Automated Information System (AIS) Functional Architecture Document

The DoDI 8500.2 defines an AIS functional architecture document under IA control
DCFA as:

DCFA-1 Functional Architecture for AIS Applications

For AIS applications, a functional architecture that identifies the following has been
developed and is maintained:
− All external interfaces, the information being exchanged, and the protection
mechanisms associated with each interface - user roles required for access control
and the access privileges assigned to each role (See ECAN)
− Unique security requirements (e.g., encryption of key data elements at rest)
− Categories of sensitive information processed or stored by the AIS application,
and their specific protection plans (e.g., Privacy Act, HIPAA)
− Restoration priority of subsystems, processes, or information (See COEF)

Additional information may be obtained for this IA control from the DIACAP
Knowledge Service.

3.6 Sensitive Data Protection and Definition

Databases, as frequent repositories for sensitive data, are often relied upon for providing
an additional layer of protection for such data. The responsibility for determining what
protections should be employed for sensitive data falls to the Information Owner as the
person that best understands the purpose, function, and the possible impact of
unauthorized release of the data. Most commonly, authentication and authorizations are
sufficient to protect data against unauthorized release. However, in some cases
encryption may be used to assist in protecting against disclosure where authorizations do
not provide needed restrictions. For example, the access provided to DBAs to administer
the DBMS provides them with access to all data stored within the database.

The DoDD 8500.1 provides the following definition for sensitive data:

Information, the loss, misuse, or unauthorized access to or modification of, could adversely affect
the national interest or the conduct of Federal programs, or the privacy to which individuals are
entitled under Section 552a of title 5, United States Code, "The Privacy Act", but which has not been
specifically authorized under criteria established by Executive order or an Act of Congress to be kept
secret in the interest of national defense or foreign policy (Section 278g-3 of title 15, United States
Code, "The Computer Security Act of 1987"). Examples of sensitive information include, but are not
limited to information in DoD payroll, finance, logistics and personnel management systems.
Sensitive information sub-categories include, but are not limited to, the following:

For Official Use Only (FOUO) - In accordance with DoD 5400.7-R (reference (ab)), DoD
information exempted from mandatory public disclosure under the Freedom of Information Act
(FOIA) Privacy Data. Any record that is contained in a system of records as defined in the Privacy
Act of 1974 (5 U.S.C. 552a) (reference (z)) and information the disclosure of which would
constitute an unwarranted invasion of personal privacy.

DoD Unclassified Controlled Nuclear Information (DoD UCNI) - Unclassified Information on

security measures (including security plans, procedures, and equipment) for the physical
protection of DoD Special Nuclear Material (SNM), equipment, or facilities in accordance with DoD
Directive 5210.83. Information is Designated DoD UCNI only when it is determined that its
unauthorized disclosure could reasonably be expected to have a significant adverse effect on the
3-4 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

health and safety of the public or the common defense and security by increasing significantly
the likelihood of the illegal production of nuclear weapons or the theft, diversion, or sabotage of
DoD SNM, equipment, or facilities.

Unclassified Technical Data - Data that is not classified but is subject to export control and is
withheld from public disclosure according to DoD Directive 5230.25.

Proprietary Information - Information that is provided by a source or sources under the condition
that it not be released to other sources.

Foreign Government Information - Information that originated from a foreign government and
that is not classified CONFIDENTIAL or higher, but must be protected in accordance with DoD
5200.1-R.

Department of State Sensitive But Unclassified (DoS SBU) - Information that originated from the
Department of State (DoS) that has been determined to be SBU under appropriate DoS
information security polices.

Drug Enforcement Administration (DEA) Sensitive Information - Information that is originated by

the Drug Enforcement Administration and requires protection against unauthorized disclosure to
protect sources and methods of investigative activity, evidence, and the integrity of pretrial
investigative reports.

3.7 Process Notes

The SRR evaluation script and many manual procedures require Oracle DBA privileges
to the database and host platform. Some operating system commands require Root or
Administrator privileges to the host operating system. This will vary based on the
permissions assigned to the OS account used. It is recommended the account used for
installation of the Oracle software be used to process the security review as this account
is expected to have the access required. An authorized DBA or the IAO should log and
monitor the use of this account.

The SRR script also creates temporary tables in the Oracle Database. Definitions for the
tables are included in the script file “dbsrr-oracle-tables.sql”. The tables are created in the
USERS tablespace by default, however, if existing tables exist, the script will use those
tables. This allows the DBA to control which tablespace and storage is used by the SRR
script. This should be reviewed and considered as part of configuration management
especially on production systems. Please see the readme and release notes of the script
for additional information.

3.8 Check Reference Numbering Scheme

The checks use two different reference numbers: the STIGID and VMSKEY. The
STIGID is a manually assigned reference number. The database STIGID assignments
including those for Oracle are prefixed with two letters that indicate the following:

− DG – Identifies a general database check and the fundamental requirement is

specified for any DBMS product where available. The Oracle-specific checks and
fixes are listed in the subvul STIGID for these DG checks
− DO – Identifies an Oracle specific check and does not apply as written to any
other DBMS product.

3-5 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Only checks of type “DG” and “DO” are included in this checklist. All checks provide a
mapping to the security requirement listed in the Database STIG. Note that some CAT
findings may be higher for the DO checks than their mapped Database STIG checks due
to the potential ability to be exploited and

3.9 Documentation Conventions

The “[ ]” characters are used to indicate that a replacement value provided by the
reviewer is required. For example, the [partial] SQL query command, “alter user
[username]” where [username] should be replaced by the reviewer with the appropriate
user name, e.g. “alter user SYS”. The “[]” characters should not be included in the
command.

3.10 Procedure Table Data

Information Assurance (IA) Control

Each check is derived and associated with an IA Control from the DoD Instruction
8500.2. These are listed in the enclosures for the instruction and are applicable to the
DBMS based on the Mission Assurance Category (MAC) determined for the system.
Where the IA breakdown based on MAC is not listed in the table in this document, the
check requirement applies to all level systems or the IA control does not have
breakdowns. Where a check applies to only one IA control and MAC level, the level is
specified in the table.

Policy:
Each check is assigned a Gold, Platinum or All Policies (both) designation based on
implementation difficulty. Gold requirements are those whose implementation is
unlikely to interrupt system operation. Platinum requirements require consideration
that is more careful and testing prior to implementation. Please note that no changes to
the DBMS should be made without a careful review or test of potential impact. Also,
note that the Vulnerability Maintenance System (VMS) lists each “check” as being
Gold, Platinum or both. In most cases where Policy = All Policies in this document, in
VMS would be identified as both Gold and Platinum, with Platinum considerations to
be taken into account.

Mission Assurance Category (MAC)/Confidentiality:

This field shows the applicability of the check based on the mission criticality and
confidentiality of the system under review. The DoDI 8500.2 defines three levels of
mission criticality where a MAC level of 1 requires the highest level of integrity and
availability protection and a level three requires the lowest. The confidentiality levels
are Public, Sensitive and Classified. Please see DoDI 8500.2 for more information on
determining the MAC and Confidentiality for the system.

Check Type:
3-6 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

This indicates the method available for determining the compliance to the check. Auto
indicates that the available SRR evaluation script can be used to determine compliance.
Verify means that the SRR script provides information to assist in a manual
determination of check compliance and, in some cases, may be able to determine some
level of compliance such as applicability. Interview means that the check does not
require any technical or system hands-on actions. Rather it requires a review of
documentation and in some cases verbal confirmation by the DBA or IAO. A check
type of manual indicates the check procedure requires hands-on technical review of the
security configuration item that the script is unable to complete. In VMS, the checks
listed as (Script) are equivalent to Check Type: Auto.

Database Level:
This indicates whether the check is performed once per defined database instance
(TRUE) or once per installation of the DBMS (FALSE).

Documentable:
This field is used to indicate whether the check script result may be verified for pre-
determined compliance automatically in the Vulnerability Management System
(VMS).

VKEY:
This is the check reference number for VMS.

STIG Requirement:
This is the policy requirement as mapped from the Database STIG document. The
policy requirement is a general requirement for all databases. Some configuration
items specific to a particular DBMS product are more loosely associated with the
general statement.

Severity:
This is the severity code assignment for this check. The severity code may sometimes
differ from the severity assigned to the STIG requirement because it is has a more or
less severe implication. Severity code definitions are documented in Section 1.1 –
Overview in this document.

3-7 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4. Oracle Database Automated Check Procedures

4.1 DO0240: Oracle OS_ROLES parameter

Description: The OS_ROLES parameter specifies whether Oracle roles are defined and
managed by the DBMS or by the host operating system. To maintain and support the
separation of duties between host system administration and DBMS administration, the
DBMS must be configured to use only roles defined and managed by the DBA.
Separation of duties supports assignment of privileges by job function and supports
accountability.

Check:
From SQL*Plus:
select value from v$parameter where name='os_roles';

If the value returned is not FALSE, this is a Finding.

Fix:
From SQL*Plus:
alter system set os_roles=FALSE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002519 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSD Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.1.9
STIG Requirement: (DG0153: CAT III) The IAO will assign and authorize DBA
responsibilities for the DBMS.

4-8 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.2 DO0241: Oracle AUDIT_SYS_OPERATIONS parameter

Description: The AUDIT_SYS_OPERATIONS parameter is used to enable auditing of
actions taken by the user SYS. The SYS user account is a shared account by definition
and holds all privileges in the Oracle database. It is the account accessed by users
connecting to the database with SYSDBA or SYSOPER privileges.

NOTE: The location of the audit data is determined by the audit_trail parameter in
DO3413.

Check:
From SQL*Plus:
select value from v$parameter where name='audit_sys_operations';

If the value returned is FALSE, this is a Finding.

Fix:
From SQL*Plus:
alter system set audit_sys_operations=TRUE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0003855 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECAR
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.2
(DG0142: CAT II) The DBA will ensure privileged DBMS actions
and changes to security labels or sensitivity markings of data in the
DBMS are audited.

4-9 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.3 DO0242: Oracle GLOBAL_NAMES parameter

Description: The Oracle GLOBAL_NAMES parameter is used to set the requirement
for database link names to be the same name as the remote database whose connection
they define. By using the same name for both, ambiguity is avoided and unauthorized or
unintended connections to remote databases are less likely.

Check:
From SQL*Plus:
select value from v$parameter where name='global_names';

If the value returned is FALSE, this is a Finding.

Fix:
From SQL*Plus:
alter system set global_names=TRUE scope=spfile;

NOTE: This parameter, if changed, will affect all currently defined Oracle
database links.

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0003856 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.1
(DG0192: CAT II) The DBA will ensure credentials used to access
remote databases or other applications use fully qualified names, i.e.,
globally unique names that specify all hierarchical classification
names, in the connection specification.

4-10 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.4 DO0243: Oracle _TRACE_FILES_PUBLIC parameter

Description: The _TRACE_FILES_PUBLIC parameter is used to make trace files used
for debugging database applications and events available to all database users. Use of this
capability precludes the discrete assignment of privileges based on job function.
Additionally, its use may provide access to external files and data to unauthorized users.

Check:
From SQL*Plus:
select value from v$parameter where name='_trace_files_public';

If the value returned is TRUE, this is a Finding.

If the parameter does not exist, this is NA.

Fix:
From SQL*Plus (shutdown database instance):
shutdown immediate

From SQL*Plus (create a pfile from spfile):

create pfile='[PATH]init[SID].ora' from spfile;

Edit the init[SID].ora file and remove the following line:

*._trace_files_public=TRUE

From SQL*Plus (update the spfile using the pfile):

create spfile from pfile='[PATH]init[SID].ora';

From SQL*Plus (start the database instance):

startup

NOTE: [PATH] depends on the platform (Windows or UNIX). Ensure the file is
directed to a writable location. [SID] is equal to the oracle SID or database
instance ID.

VKEY: V0003857 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECAN
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.1
(DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

4-11 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.5 DO3413: Oracle AUDIT_TRAIL parameter

Description: Oracle auditing can be set to log audit data to the database or operating
system files. Logging events to the database prevents operating system users from
viewing the data, while logging events to operating system files prevents malicious
database users from accessing the data. The value NONE disables auditing and is,
therefore, not in compliance with policy.

Check:
From SQL*Plus:
select value from v$parameter where name='audit_trail';

If the value returned is NONE, this is a Finding.

Fix:
Enable database auditing.

Select the desired audit trail format (external file or internal database table).

From SQL*Plus:
alter system set audit_trail= [audit trail format] scope=spfile;

Compliant selections for [audit trail format] are (per MetaLink Note 30690.1):

Oracle 8.1.6 – 11.1 = 'true', 'os' & 'db' (true = os for backward compatibility)
Oracle 10.1 = 'db_extended'
Oracle 10.2 = 'db, extended', 'xml' & 'xml, extended'
Oracle 11.1 = 'db_extended', 'xml' & 'xml, extended'

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002523 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAR Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.3.2
STIG Requirement: (DG0029: CAT II) The DBA will ensure the DBMS auditing function
is enabled.

4-12 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.6 DO3447: Oracle OS_AUTHENT_PREFIX parameter

Description: The OS_AUTHENT_PREFIX parameter defines the prefix for database
account names to be identified EXTERNALLY by the operating system. When set to the
special value of OPS$, accounts defined with the prefix of OPS$ may authenticate either
with a password or with OS authentication. Use of more than one authentication method
to access a single account results in a loss of accountability, that is, it is similar to a
shared account. Setting this parameter to a value other than OPS$ prevents a shared usage
of a single account.

Check:
From SQL*Plus:
select value from v$parameter where name='os_authent_prefix';

If the value returned is OPS$ or ops$, this is a Finding.

Fix:
Specify an operating system authenticated username prefix other than OPS$.

From SQL*Plus:
alter system set os_authent_prefix=[prefix value] scope=spfile;

Compliant selections for [prefix value] are:

a null string ('')
a text value other than 'OPS$'

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002531 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: IAGA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True IAO
Database STIG 3.2.1
(DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

4-13 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.7 DO3538: Oracle REMOTE_OS_AUTHENT parameter

Description: Setting this value to TRUE allows operating system authentication over an
unsecured connection. Trusting remote operating systems can allow a user to impersonate
another operating system user and connect to the database without having to supply a
password. If REMOTE_OS_AUTHENT is set to true, the only information a remote user
needs to connect to the database is the name of any user whose account is setup to be
authenticated by the operating system.

Check:
From SQL*Plus:
select value from v$parameter where name='remote_os_authent';

If the value returned does not equal FALSE, this is a Finding.

NOTE: This finding may be downgraded to a Category II severity code if the

following mitigations have been implemented:

- A logon trigger verifies that any connections to accounts identified externally

come from a single, specific IP address and kills the connection if determined
otherwise
- To help prevent access by a spoofed IP address, the single connecting system
and the database host are isolated behind a firewall with either Network
Address Translation (NAT) implemented and/or the firewall is configured to
reject connections from the single source IP address originating outside the
isolated segment

Fix:
Disable remote OS authentication.

From SQL*Plus:
alter system set remote_os_authent=FALSE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002554 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: Auto level: True IAO
Reference: Database STIG 3.2.2
STIG Requirement: (DG0078: CAT II) The DBA will ensure database user accounts are
configured to require individual authentication in order to connect to
the DBMS.

4-14 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.8 DO3539: Oracle REMOTE_OS_ROLES parameter

Description: Setting REMOTE_OS_ROLES to TRUE allows operating system groups
to control Oracle roles. The default value of FALSE causes roles to be identified and
managed by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could
impersonate another operating system user over a network connection.

Check:
From SQL*Plus:
select value from v$parameter where name='remote_os_roles';

If the returned value is not FALSE, this is a Finding.

Fix:
Disable use of remote OS roles.

From SQL*Plus:
alter system set remote_os_roles=FALSE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002555 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role
assignments are restricted to IAO-authorized accounts.

4-15 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.9 DO3540: Oracle SQL92_SECURITY parameter

Description: The parameter SQL92_SECURITY is not enabled. The configuration
option SQL92_SECURITY specifies whether table-level SELECT privileges are required
to execute an update or delete that references table column values. If this option is not
enabled (set to TRUE), the UPDATE privilege can be used to determine values that
should require SELECT privileges.

Check:
From SQL*Plus:
select value from v$parameter where name='sql92_security';

If the value returned is not set to TRUE, this is a Finding.

If the parameter does not exist, this is a Finding.

Fix:
Enable SQL92 security.

From SQL*Plus:
alter system set sql92_security=TRUE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002556 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.2
(DG0105: CAT II) The DBA will ensure all database application user
roles and the privileges assigned to them are authorized by the
Information Owner in the AIS functional architecture documentation.

4-16 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.10 DO3546: Oracle REMOTE_LOGIN_PASSWORDFILE parameter

Description: The REMOTE_LOGIN_PASSWORDFILE setting of "NONE" disallows
remote administration of the database. The REMOTE_LOGIN_PASSWORDFILE
setting of "EXCLUSIVE" allows for auditing of individual DBA logins to the SYS
account. If not set to "EXCLUSIVE" then remote connections to the database as
"internal" or "as SYSDBA" are not logged to an individual DBA.

Check:
From SQL*Plus:
select value from v$parameter where name='remote_login_passwordfile';

If the value returned does not equal 'EXCLUSIVE' or 'NONE', this is a Finding.

Fix:
Disable use of the remote_login_passwordfile where remote administration is not
authorized by specifying a value of NONE. If authorized, restrict use of a
password file to exclusive use by each database by specifying a value of
EXCLUSIVE.
.
From SQL*Plus:
alter system set remote_login_passwordfile='EXCLUSIVE' scope=spfile;
OR
alter system set remote_login_passwordfile='NONE' scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002558 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: IAGA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.2.1
(DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

4-17 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.11 DO3547: Oracle UTL_FILE_DIR parameter

Description: The UTL_FILE package allows host file access from within the database
using the permissions and privileges assigned to the Oracle database process or service.
This package should be used with caution. All files accessible to using this package is
equally accessible to any database user with execute permissions to the UTL_FILE
package. When UTL_FILE_DIR is set to “*”, all directories accessible to the Oracle
database process, typically the Oracle installation account, are accessible via the
UTL_FILE package. This setting effectively turns off directory access checking, and
makes any directory accessible to the UTL_FILE functions. The UTL_FILE_DIR list
should specify only authorized and protected directories and should include only fully
specified path names.

Check:
From SQL*Plus:
select value from v$parameter where name='utl_file_dir';

If the returned value is '*', this is a Finding.

Fix:
Where its use is authorized, restrict access by a database session to external host
files.

From SQL*Plus:
alter system set utl_file_dir=[authorized directory] scope=spfile;

Replace [authorized directory] with the directory path where file access and
storage is authorized

Review Oracle MetaLink Note 39037.1 if you need to define multiple authorized
directories.

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002559 Severity: CAT 1 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.1
(DG0098: CAT II) The DBA will configure the database to disable
access from the database to objects stored externally to the database
on the local host unless mission and/or operationally required and
documented in the AIS functional architecture documentation.

4-18 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.12 DO3685: Oracle O7_DICTIONARY_ACCESSIBILITY parameter

Description: The database data dictionary tables contain the data used by the database
for database functions including database authentication and authorization as well as
database configuration and control. By default, the parameter
O7_DICTIONARY_ACCESSIBILITY is set to FALSE to prevent accounts with the
privilege SELECT ANY TABLE from selecting the data dictionary tables. This setting
protects the data dictionary from unintended access authorization by requiring full system
privileges or direct table access permissions.

Check:
From SQL*Plus:
select value from v$parameter where name='O7_dictionary_accessibility';

If the value returned is TRUE, this is a Finding.

If the parameter does not exist, this is not a Finding.

Fix:
Disable O7_dictionary_accessibility to restrict access to system tables to users
granted privileges to access objects owned by all users.

From SQL*Plus:
alter system set O7_dictionary_accessibility=FALSE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002586 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: ECAN
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.1
(DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

4-19 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.13 DO3696: Oracle RESOURCE_LIMIT parameter

Description: RESOURCE_LIMIT determines whether resource limits are enforced in
database profiles. If Oracle resource limits are disabled, any defined profile limits will be
ignored.

NOTE: This does not apply to password resources.

Check:
From SQL*Plus:
select value from v$parameter where name='resource_limit';

If the value returned is not set to TRUE, this is a Finding.

Fix:
Enable resource limit checking on the database.

From SQL*Plus:
alter system set resource_limit=TRUE scope=both;

The above SQL*Plus command will set the parameter to take effect immediately
and at next system startup.

VKEY: V0002593 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.10
(DG0134: CAT II) The DBA will configure where supported by the
DBMS a limit of concurrent connections by a single database account
to the limit specified in the System Security Plan, a number
determined by testing or review of logs to be appropriate for the
application. The limit will not be set to unlimited except where
operationally required and documented in the System Security Plan.

4-20 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.14 DO3698: Oracle DBLINK_ENCRYPT_LOGIN parameter

Description: The Oracle configuration parameter DBLINK_ENCRYPT_LOGIN
specifies whether attempts to connect to remote Oracle databases through database links
should use encrypted passwords. Prior to Oracle 7.2, passwords were not encrypted
before being sent over the network. In order to connect to older servers, Oracle included
this parameter to retry failed connections using the unencrypted format. If the
DBLINK_ENCRYPT_LOGIN parameter is TRUE, and the connection fails, Oracle does
not reattempt the connection. If this parameter is FALSE, Oracle reattempts the
connection using an unencrypted version of the password. Servers with
DBLINK_ENCRYPT_LOGIN set to FALSE can be coerced into sending unencrypted
passwords by machines between linked servers.

Check:
If the Oracle version is 10.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='dblink_encrypt_login';

If the returned value is not equal to TRUE, this is a Finding.

Fix:
Force encryption of logins used by database links to remote databases.

From SQL*Plus:
alter system set dblink_encrypt_login=TRUE scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0002595 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECNK Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.2.2.1
STIG Requirement: (DG0129: CAT I) The DBA will ensure all database account
passwords are encrypted when transmitted across the network.

4-21 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.15 DO6748: Oracle SEC_CASE_SENSITIVE_LOGON parameter

Description: Enablement of password case sensitivity allows Oracle password
complexity to meet DoD password requirements. Password complexity decreases the
likelihood of successful password attacks by malicious users.

Check:
If the Oracle version is not 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='sec_case_sensitive_logon';

If the value returned is not TRUE, this is a Finding.

Fix:
Enable case sensitive passwords.

From SQL*Plus:
alter system set sec_case_sensitive_logon=TRUE scope=both;

The above SQL*Plus command will set the parameter to take effect immediately
and at next system startup.

VKEY: V0016033 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: IAIA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.2.2.2
(DG0079: CAT II) The DBA will ensure database password
complexity standards meet current minimum requirements for length
(9 characters or more for database application user accounts and 15
characters or more for privileged database accounts) and composition
(at least two uppercase characters, two lowercase characters, two
special characters, two digits ) where supported by the DBMS.

4-22 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.16 DO6749: Oracle SEC_MAX_FAILED_LOGIN_ATTEMPTS parameter

Description: The SEC_MAX_FAILED_LOGIN_ATTEMPTS prevents multiple failed
login attempts by a single connection. The parameter differs from the limit set on user
profiles and applied to failed login attempts to a single user account. Limiting failed
authentication attempts by a single connection helps protect against Denial of Service
(DoS) attacks and authentication attempts against multiple user accounts.

Check:
If the Oracle version is not 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='sec_max_failed_login_attempts';

If the value returned is equal to 0 or greater than 10, this is a Finding.

Fix:
Limit the number of failed login attempts for the database. The number can be 3
or an IAO approved value between 1 and 10.

From SQL*Plus:
alter system set sec_max_failed_login_attempts=3 scope=both;

The above SQL*Plus command will set the parameter to take effect immediately
and at next system startup.

VKEY: V0016035 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.10
(DG0133: CAT II) The DBA will configure the DBMS to set the
duration of database account lockouts due to three consecutive
unsuccessful logon attempts to an unlimited time that requires the
DBA to manually unlock the account.

4-23 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.17 DO6750: Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION

parameter
Description: The database is vulnerable to exhaustion of resources that could result in a
Denial of Service (DoS) to other clients if not protected from a flood of bad packets
submitted by a malicious or errant client connection. The
sec_protocol_error_further_action initialization parameter can be set to delay or drop
acceptance of bad packets from a client in order to support the continued function of
other non-problematic connections.

Check:
If the Oracle version is not 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='sec_protocol_error_further_action';

If the value returned is not DROP or DELAY, this is a Finding.

Fix:
Set the value for the sec_protocol_error_further_action initialization parameter to
DROP or DELAY. DROP provides better protection and is recommended.

From SQL*Plus:
alter system set sec_protocol_error_further_action='drop' scope=spfile;
OR
alter system set sec_protocol_error_further_action='drop,3' scope=spfile;

NOTE: The addition of the ‘,3’ above further limits the number of ‘bad packets’
to the specified number before forcefully terminating the connection.

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0016053 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.11.1
(DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.

4-24 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.18 DO6752: Oracle SEC_PROTOCOL_ERROR_TRACE_ACTION parameter

Description: Undetected attacks using bad packets can lead to a successful Denial of
Service (DoS) to database clients. Notification of attacks based on a flood of bad packets
sent to the database can assist in discovery and response to this type of attack.

Check:
If the Oracle version is not 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='sec_protocol_error_trace_action';

If the value returned is NONE, this is a Finding.

If the value returned is TRACE, LOG or ALERT, this is not a Finding.

Fix:
Set the value for the sec_protocol_error_trace_action initialization parameter to
ALERT or LOG. TRACE may be appropriate for testing or development, but
provides more detail than may be useful. Consider using ALERT for MAC 1
systems.

From SQL*Plus:
alter system set sec_protocol_error_trace_action='ALERT' scope=spfile;
OR
alter system set sec_protocol_error_trace_action='LOG' scope=spfile;

The above SQL*Plus command will set the parameter to take effect at next
system startup.

VKEY: V0016054 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECAT
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.3
(DG0161: CAT II) The IAO will ensure an automated monitoring tool
or capability is employed to review DBMS audit data and immediately
report suspicious or unauthorized activity.

4-25 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.19 DG0117: DBMS administrative privilege assignment

Description: Privileges granted outside the role of the administrative user job function
are more likely to go unmanaged or without oversight for authorization. Maintenance of
privileges using roles defined for discrete job functions offers improved oversight of
administrative user privilege assignments and helps to protect against unauthorized
privilege assignment.

Check:
From SQL*Plus:
select grantee||': '||granted_role
from dba_role_privs
where grantee in
(select grantee from dba_role_privs where granted_role='DBA'
and grantee not in ('SYS','SYSTEM','SYSMAN'))
order by grantee;

(Disregard any default database component account privilege assignments that

may be returned.)

also:
select grantee||':'||privilege from dba_sys_privs
where grantee in
(select grantee from dba_role_privs
where granted_role='DBA')
and privilege<>'UNLIMITED TABLESPACE'
order by grantee;

If any administrative privileges have been assigned directly to a custom DBA

account, this is a Finding.

Fix:
Restrict DBA roles to use for DBA functions. Revoke any privileges outside of
the DBA role and the UNLIMITED TABLESPACE privilege from custom DBA
users.

VKEY: V0015627 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECPA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True IAO
Database STIG 3.3.14
(DG0117: CAT II) The IAO will ensure all database administrative
privileges defined within the DBMS and externally to the database are
assigned using DBMS or OS roles.

4-26 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.20 DO0155: Oracle default tablespace assignment

Description: The Oracle SYSTEM tablespace is used by the database to store all DBMS
system objects. Other use of the system tablespace may compromise system availability
and the effectiveness of host system access controls to the tablespace files.

Check:
From SQL*Plus:
select username from dba_users
where (default_tablespace= 'SYSTEM' or temporary_tablespace= 'SYSTEM')
and username not in
('AURORA$JIS$UTILITY$','AURORA$ORB$UNAUTHENTICATED',
'DBSNMP','MDSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN',
'OUTLN','REPADMIN','SYS','SYSTEM','TRACESVR','MTSSYS','DIP');

If any non-default account records are returned, this is a Finding.

Fix:
Create and dedicate tablespaces to support only one application. Do not share
tablespaces between applications. Do not grant quotas to application object
owners on tablespaces not dedicated to their associated application.

From SQL*Plus:
alter user [username] default tablespace [tablespace_name];

Replace [username] with the named user account. Replace [tablespace_name]

with the new default tablespace name.

VKEY: V0003846 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.1.6
STIG Requirement: (DG0113: CAT II) The DBA will ensure database data files used by
third-party applications are defined and dedicated for each application.

4-27 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.21 DO3451: WITH GRANT OPTION privileges

Description: An account permission to grant privileges within the database is an
administrative function. Minimizing the number and privileges of administrative accounts
reduces the chances of privileged account exploitation. Application user accounts should
never require WITH GRANT OPTION privileges since, by definition, they require only
privileges to execute procedures or view / edit data.

Check:
From SQL*Plus:
select grantee||': '||owner||'.'||table_name from dba_tab_privs
where grantable='YES'
and owner not in (select distinct owner from dba_objects)
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

If any accounts are listed, this is a Finding.

Fix:
Revoke privileges granted the WITH GRANT OPTION from non-DBA and
accounts that do not own application objects. Re-grant privileges without
specifying WITH GRANT OPTION.

VKEY: V0002533 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: Auto level: True IAO
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role
assignments are restricted to IAO-authorized accounts.

4-28 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.22 DO3609: System privileges granted WITH ADMIN OPTION

Description: The WITH ADMIN OPTION allows the grantee to grant a privilege to
another database account. Best security practice restricts the privilege of assigning
privileges to authorized personnel. Authorized personnel include DBA's, object owners,
and, where designed and included in the application's functions, application
administrators. Restricting privilege-granting functions to authorized accounts can help
decrease mismanagement of privileges and wrongful assignments to unauthorized
accounts.

Check:
From SQL*Plus:
select grantee, privilege from dba_sys_privs
where grantee not in
('SYS','SYSTEM','AQ_ADMINISTRATOR_ROLE','DBA','MDSYS',
'LBACSYS', 'SCHEDULER_ADMIN','WMSYS')
and admin_option='YES'
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA');

If any accounts are listed, this is a Finding.

Fix:
Revoke assignment of privileges with the WITH ADMIN OPTION from
unauthorized users and re-grant them without the option. Restrict use of the
WITH ADMIN OPTION to authorized administrators. Document authorized
privilege assignments with the WITH ADMIN OPTION in the System Security
Plan.

From SQL*Plus:
revoke [privilege name] from user [username];

Replace [privilege name] with the named privilege and [username] with the
named user.

VKEY: V0002561 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.11.1
(DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.

4-29 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.23 DO3612: Oracle system privilege assignment

Description: System privileges can be granted to users and roles and to the user group
PUBLIC. All privileges granted to PUBLIC are accessible to every user in the database.
Many of these privileges convey considerable authority over the database and should
only be granted to those persons responsible for administering the database. In general,
these privileges should be granted to roles and then the appropriate roles should be
granted to users. System privileges should never be granted to PUBLIC as this could
allow users to compromise the database.

Check:
From SQL*Plus:
select privilege from dba_sys_privs where grantee='PUBLIC';

If any records are returned, this is a Finding.

Fix:
Revoke any system privileges assigned to PUBLIC:

From SQL*Plus:
revoke [system privilege] from PUBLIC;

Replace [system privilege] with the named system privilege.

NOTE: System privileges are not granted to PUBLIC by default and would
indicate a custom action.

VKEY: V0002564 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.11.1
(DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.

4-30 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.24 DO3473: Application user role privileges

Description: Excessive privileges can lead to unauthorized actions on data and database
objects. Assigning only the privileges required to perform the job function authorized for
the user helps protect against exploits against application vulnerabilities such as SQL
injection attacks. The recommended method is to grant access only to stored procedures
that perform only static actions on the data authorized for the user. Where this is not
feasible, consider using data views or other methods to restrict users to only the data
suitable for their job function.

Check:
From SQL*Plus:
select grantee,owner,table_name,privilege from dba_tab_privs
where privilege in ('ALTER','REFERENCES','INDEX')
and grantee not in ('DBA','SYSTEM','LBACSYS','XDBADMIN')
and table_name not in
('SDO_IDX_TAB_SEQUENCE','XDB$ACL','XDB_ADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in (select distinct owner from dba_objects);

If any records are returned, this is a Finding.

Fix:
Revoke ALTER, REFERENCES, and INDEX privileges from application user
roles.

From SQL*Plus:
revoke [privilege] from [application user role];

Replace [privilege] with the identified ALTER, REFERENCES or INDEX

privilege and [application user role] with the identified application role.

VKEY: V0002537 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0119: CAT II) The DBA will ensure database application user
roles are restricted to select, insert, update, delete and execute
privileges.

4-31 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.25 DO3475: Oracle PUBLIC access to restricted packages

Description: Access to the following packages should be restricted to authorized
accounts only.

UTL_FILE: allows Oracle accounts to read and write files on the host operating
system.
UTL_SMTP: allows messages to be sent from an arbitrary user.
UTL_TCP: allows arbitrary data to be sent from the database server.
UTL_HTTP: allows the database server to send and receive data via HTTP.
DBMS_RANDOM: allows encrypting of data without requiring safe management of
encryption keys.
DBMS_LOB: allows users access to files stored outside the database.
DBMS_SQL: allows users to write dynamic SQL procedures.
DBMS_SYS_SQL: allows users to execute SQL with DBA privileges.
DBMS_JOB: allows users to submit jobs to the database job queue.
DBMS_BACKUP_RESTORE: allows users to backup and restore database data.
DBMS_OBFUSCATION_TOOLKIT: allows users access to encryption and
decryption functions.

Check:
From SQL*Plus:
select table_name from dba_tab_privs
where grantee='PUBLIC'
and privilege ='EXECUTE'
and table_name in
('UTL_FILE','UTL_SMTP','UTL_TCP','UTL_HTTP','DBMS_RANDOM',
'DBMS_LOB','DBMS_SQL','DBMS_SYS_SQL','DBMS_JOB',
'DBMS_BACKUP_RESTORE','DBMS_OBFUSCATION_TOOLKIT');

If any records are returned, this is a Finding.

Fix:
NOTE: Revoking all default installation privilege assignments from PUBLIC is
not required at this time. However, execute permissions to the specified packages
is required to be revoked from PUBLIC. Removal of these privileges from
PUBLIC may result in invalid packages in version 10.1 and later of Oracle and an
inability to execute default Oracle applications and utilities. To correct this
problem, grant execute privileges on these packages directly to the SYSMAN,
WKSYS, MDSYS and SYSTEM accounts as well as any other default Oracle
database accounts as necessary to support execution of applications/utilities
installed with an Oracle Database Server.

At a minimum, revoke the following:

4-32 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

From SQL*Plus:
revoke execute on UTL_FILE from PUBLIC;
revoke execute on UTL_SMTP from PUBLIC;
revoke execute on UTL_TCP from PUBLIC;
revoke execute on UTL_HTTP from PUBLIC;
revoke execute on DBMS_RANDOM from PUBLIC;
revoke execute on DBMS_LOB from PUBLIC;
revoke execute on DBMS_SQL from PUBLIC;
revoke execute on DBMS_SYS_SQL from PUBLIC;
revoke execute on DBMS_JOB from PUBLIC;
revoke execute on DBMS_BACKUP_RESTORE from PUBLIC;
revoke execute on DBMS_OBFUSCATION_TOOLKIT from PUBLIC;

VKEY: V0002539 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.11.1
(DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.

4-33 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.26 DO3686: Oracle SYS.LINK$ table access (10.1 and earlier)

Description: The SYS.LINK$ table contains unencrypted passwords to enable
transparent connections to remote databases. In addition, remote database connections
themselves can provide information to unauthorized users about remote databases that
may assist them in furthering unauthorized access.

Check:
If the database version is 10.2 or later, this check is NA.

From SQL*Plus:
select grantee||': '||privilege from dba_tab_privs
where grantee <> 'DELETE_CATALOG_ROLE'
and table_name='LINK$'
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA');

If any records are returned, this is a Finding.

Fix:
There are no workarounds to protect against this potential vulnerability but
it is possible to reduce the potential impact by performing the steps below:

1. Drop the database link and create a link without specifying an account and
password. To drop and recreate a database link without hard coding the
password, execute the commands:

From SQL*Plus:
drop database link [link name];
create database link [link name] using [connection string];

2. Revoke permissions from accounts and roles:

From SQL*Plus:
revoke select on SYS.LINK$ from [account or role];

VKEY: V0002587 Severity: CAT 1 Policy: All MAC/CONF: 1-

IA Control: ECAN
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.1
(DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

4-34 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.27 DO3689: Oracle object permission assignment to PUBLIC

Description: Permissions on objects may be granted to the user group PUBLIC. Because
every database user is a member of the PUBLIC group, granting object permissions to
PUBLIC gives all users in the database access to that object. In a secure environment,
granting object permissions to PUBLIC should be restricted to those objects that all users
are allowed to access. The policy does not require object permissions assigned to
PUBLIC by the installation of Oracle Database server components be revoked (with
exception of the packages listed in DO3475).

Check:
From SQL*Plus:
select owner||'.'||table_name||': '||privilege from dba_tab_privs
where grantee='PUBLIC'
and owner not in
('SYS','CTXSYS','MDSYS','ODM','OLAPSYS','MTSSYS','ORDPLUGINS',
'ORDSYS','SYSTEM','WKSYS','WMSYS','XDB','LBACSYS','PERFSTAT',
'SYSMAN','DMSYS','EXFSYS');

If any records that are not Oracle product accounts are returned, this is a Finding.

NOTE: This check may return false positives where other Oracle product
accounts are not included in the exclusion list.

Fix:
Revoke any privileges granted to PUBLIC for objects that are not owned by
Oracle product accounts.

From SQL*Plus:
revoke [privilege name] from [user name] on [object name];

Assign permissions to custom application user roles based on job functions:

From SQL*Plus:
grant [privilege name] to [user role] on [object name];

VKEY: V0002589 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.2
(DG0105: CAT II) The DBA will ensure all database application user
roles and the privileges assigned to them are authorized by the
Information Owner in the AIS functional architecture documentation.

4-35 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.28 DO0170: Oracle predefined roles

Description: Default roles are maintained by Oracle and may be changed by Oracle
during product updates. Default roles other than DBA roles may be assigned privileges in
excess of those required for job functions as defined for the specific implementation. This
may lead to unauthorized access to the database configuration or database application
objects.

Check:
From SQL*Plus:
select grantee||': '||granted_role from dba_role_privs
where grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DMSYS','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS',
'MGMT_VIEW','ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','REPADMIN','RMAN',
'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB')
and grantee not in (select role from dba_roles)
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in (select distinct owner from dba_objects)
and granted_role in
('AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
'AUTHENTICATEDUSER','CONNECT','CTXAPP',
'DELETE_CATALOG_ROLE','EJBCLIENT','EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS',
'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE',
'IMP_FULL_DATABASE','JAVADEBUGPRIV','JAVAIDPRIV',
'JAVASYSPRIV','JAVAUSERPRIV','JAVA_ADMIN','JAVA_DEPLOY',
'LOGSTDBY_ADMINISTRATOR','OEM_MONITOR','OLAP_DBA',
'RECOVERY_CATALOG_OWNER','RESOURCE',
'SALES_HISTORY_ROLE','SELECT_CATALOG_ROLE','WKUSER',
'WM_ADMIN_ROLE','XDBADMIN')
order by grantee;

If any records are returned, this is a Finding.

Fix:
Revoke predefined roles and use custom defined roles to assign privileges. Create
custom-defined roles for each discrete application user/administrator function
required for your database and assign the minimum privileges necessary to
perform the function.

VKEY: V0002514 Severity: CAT 2 Policy: All MAC/CONF: 1-

4-36 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: Auto level: True IAO
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role
assignments are restricted to IAO-authorized accounts.

4-37 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.29 DO0320: Oracle PUBLIC role privileges

Description: Application roles have been granted to PUBLIC. Permissions granted to
PUBLIC are granted to all users of the database. Custom roles should be used to assign
application permissions to functional groups of application users. The installation of
Oracle does not assign role permissions to PUBLIC.

Check:
From SQL*Plus:
select granted_role from dba_role_privs where grantee='PUBLIC';

If any roles are listed, this is a Finding.

Fix:
Revoke role grants from PUBLIC. Do not assign role privileges to PUBLIC.

From SQL*Plus:
revoke [role name] from PUBLIC;

VKEY: V0003437 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.2
(DG0105: CAT II) The DBA will ensure all database application user
roles and the privileges assigned to them are authorized by the
Information Owner in the AIS functional architecture documentation.

4-38 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.30 DO3709: Oracle direct privilege assignment to accounts

Description: Granting permissions to accounts is error prone and repetitive. Using roles
allows for group management of privileges assigned by function and reduces the
likelihood of wrongfully assigned privileges. Assign permissions to roles and then grant
the roles to accounts.

Check:
From SQL*Plus:
select grantee||': '||privilege||': '||owner||'.'||table_name
from dba_tab_privs where grantee not in
(select role from dba_roles)
and grantee not in
('APEX_PUBLIC_USER','AURORA$JIS$UTILITY$','CTXSYS', 'DBSNMP',
'EXFSYS','FLOWS_030000','FLOWS_FILES','LBACSYS','MDSYS',
'MGMT_VIEW','ODM','OLAPSYS','ORACLE_OCM','ORDPLUGINS',
'ORDSYS','OSE$HTTP$ADMIN','OUTLN','OWBSYS','PERFSTAT',
'PUBLIC','REPADMIN','SYS','SYSMAN','SYSTEM','WKSYS','WMSYS',
'XDB')
and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE'
and table_name not like '%RP'
and grantee not in
(select grantee from dba_tab_privs
where table_name in ('DBMS_DEFER','DEFLOB'));

If any records are returned, this is a Finding.

NOTE: This check may report false positives where other ORACLE products
have been installed. Accounts installed with other Oracle products are exempt
from this requirement.

Fix:
Revoke privileges assigned directly to database accounts and assign them to roles
based on job functions. Assign users who are assigned responsibility for the job
function to the defined role.

From SQL*Plus:
revoke [privilege] on [object name] from [user name];
grant [privilege] on [object name] to [role name];

4-39 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002596 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.11.1
(DG0121: CAT II) The DBA will ensure database privileges are
assigned via roles and not directly assigned to database accounts.
Privileges may be assigned directly to application owner accounts
where the DBMS does not otherwise support access via roles.

4-40 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.31 DG0133: DBMS Account lock time

Description: When no limit is imposed on failed logon attempts and accounts are not
disabled after a set number of failed access attempts, then the DBMS account is
vulnerable to sustained attack. When access attempts continue unrestricted, the likelihood
of success is increased. A successful attempt results in unauthorized access to the
database.

Check:
From SQL*Plus:
select profile from dba_profiles
where resource_name='PASSWORD_LOCK_TIME'
and limit not in ('UNLIMITED',’DEFAULT’);

If any profiles are listed, this is a Finding.

A value of UNLIMITED means that the account is locked until it is manually

unlocked.

Fix:
Set the password_lock_time on all defined profiles to unlimited. This will require
the DBA to re-enable manually every account after the failed login limit has been
reached.

From SQL*Plus:
alter profile default limit password_lock_time unlimited;
alter profile [profile name] limit password_lock_time default;

Replace [profile name] with an existing, non-default profile name.

VKEY: V0015639 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.10
(DG0133: CAT II) The DBA will configure the DBMS to set the
duration of database account lockouts to an unlimited time that
requires the DBA to unlock manually the account.

4-41 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.32 DO0400: Oracle demo applications and accounts

Description: Demonstration accounts and objects should be removed from the database.
Database demonstration accounts and applications are not required for production
operation and contain documented vulnerabilities.

Check:
From SQL*Plus:
select username from dba_users
where username in
('SCOTT','HR','IX','OE','PM','SH','COMPANY','MFG','FINANCE',
'ANYDATA_USER','ANYDSET_USER','ANYTYPE_USER','AQJAVA',
'AQUSER','AQXMLUSER','GPFD','GPLD','MMO2','XMLGEN1','BLAKE',
'ADAMS','CLARK','JONES')
or username like 'QS%'
or username like 'USER%'
or username like '%DEMO%'
or username like 'SERVICECONSUMER%';

If any usernames are listed, this is a Finding.

NOTE: This check can report false positives. If the DBA reports that any account
names listed belong to individual users and are NOT a product of demonstration
software installation, then they can be removed from the findings list. See
MetaLink note 160861.1 for a list of Oracle database users and usages.

Fix:
For the sample applications and schemas with the Oracle database installation, use
the provided SQL scripts (if present) to remove the application objects and drop
the demo users and schemas:

From SQL*Plus:
-- Human Resources application:
@?/demo/schema/human_resources.hr_drop.sql
-- Order Entry application:
@?/demo/schema/order_entry/oe_drop.sql and oc_drop.sql
-- Product Media application:
@?/demo/schema/product_media/pm_drop.sql
-- Information Exchange application:
@?/demo/schema/information_exchange/ix_drop.sql
-- Sales History application:
@?/demo/schema/sales_history/sh_drop.sql

For other demo applications, deinstall using the SQL command:

drop user [demo username] cascade;

4-42 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Remove any application directories where sample applications are installed.

VKEY: V0003444 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.1.4.1
(DG0014: CAT II) The DBA will ensure database applications, user
accounts, and objects installed for demonstration of database features,
experimentation, or other non-production support purposes have been
removed from the database and host system.

4-43 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.33 DO3445: Oracle default account passwords

Description: Oracle databases have several well-known default username/password
combinations. Default passwords may provide unauthorized access to the server. Default
accounts should be locked and expired when they are not required for daily operations.

This finding is a Category I severity because the fully privileged Database Administrator
accounts SYS and SYSTEM have well known default passwords and these accounts
provide full access to the database.

Check:
From SQL*Plus:
select decode(type#,0,'ROLE',1,'USER') type, name,
decode(astatus,
0,'OPEN',
1,'EXPIRED',
2,'EXPIRED(GRACE)',
4,'LOCKED(TIMED)',
8,'LOCKED',
5,'EXPIRED and LOCKED(TIMED)',
6,'EXPIRED(GRACE) and LOCKED(TIMED)',
9,'EXPIRED and LOCKED',
10,'EXPIRED(GRACE) and LOCKED') account_status
from sys.user$
where password = decode(name,
'AASH','9B52488370BB3D77','ABA1','30FD307004F350DE','ABM','D0F2982F
121C7840','AD_MONITOR','54F0C83F51B03F49','ADAMS','72CDEF4A3483F
60D','ADS','D23F0F5D871EB69F','ADSEUL_US','4953B2EB6FCB4339','AHL','
7910AE63C9F7EEEE','AHM','33C2E27CF5E401A4','AK','8FCB78BBA8A5951
5','AL','384B2C568DE4C2B5','ALA1','90AAC5BD7981A3BA','ALLUSERS','42
F7CD03B7D2CA0F','ALR','BE89B24F9F8231A9','AMA1','585565C23AB68F71
','AMA2','37E458EE1688E463','AMA3','81A66D026DC5E2ED','AMA4','194CC
C94A481DCDE','AMF','EC9419F55CDC666B','AMS','BD821F59270E5F34','A
MS1','DB8573759A76394B','AMS2','EF611999C6AD1FD7','AMS3','41D1084F3
F966440','AMS4','5F5903367FFFB3A3','AMSYS','4C1EF14ECE13B5DE','AMV
','38BC87EB334A1AC4','AMW','0E123471AACA2A62','ANNE','1EEA3E6F588
599A6','ANONYMOUS','94C33111FD9C66F3','AOLDEMO','D04BBDD5E643
C436','AP','EED09A552944B6AD','APA1','D00197BF551B2A79','APA2','121C6
F5BD4674A33','APA3','5F843C0692560518','APA4','BF21227532D2794A','APP
LEAD','5331DB9C240E093B','APPLSYS','0F886772980B8C79','APPLSYS','E1
53FFF4DAE6C9F7','APPLSYSPUB','D2EEF40EE87221E','APPS','D728438E8A
5925E0','APS1','F65751C55EA079E6','APS2','5CACE7B928382C8B','APS3','C7
86695324D7FB3B','APS4','F86074C4F4F82D2C','AQDEMO','5140E342712061
DD','AQJAVA','8765D2543274B42E','AQUSER','4CF13BDAC1D7511C','AR','
BBBFE175688DED7E','ARA1','4B9F4E0667857EB8','ARA2','F4E52BFBED465
2CD','ARA3','E3D8D73AE399F7FE','ARA4','758FD31D826E9143','ARS1','4332
4-44 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

63ED08C7A4FD','ARS2','F3AF9F26D0213538','ARS3','F6755F08CC1E7831','A
RS4','452B5A381CABB241','ART','665168849666C4F3','ASF','B6FD427D0861
9EEE','ASG','1EF8D8BD87CF16BE','ASL','03B20D2C323D0BFE','ASN','1EE6
AEBD9A23D4E0','ASO','F712D80109E3C9D8','ASP','CF95D2C6C85FF513','A
ST','F13FF949563EAB3C','AUC_GUEST','8A59D349DAEC26F7','AURORA$O
RB$UNAUTHENTICATED','80C099F0EADF877E','AUTHORIA','CC78120E7
9B57093','AX','0A8303530E86FCDD','AZ','AAA18B5D51B0D5AC','B2B','CC3
87B24E013C616','BAM','031091A1D1A30061','BCA1','398A69209360BD9D','B
CA2','801D9C90EBC89371','BEN','9671866348E03616','BIC','E84CC95CBBAC
1B67','BIL','BF24BCE2409BE1F7','BIM','6026F9A8A54B9468','BIS'','7E990188
2E5F3565','BIV','2564B34BE50C2524','BIX','3DD36935EAEDE2E3','BLAKE','
9435F2E60569158E','BMEADOWS','2882BA3D3EE1F65A','BNE','080B5C7EE
819BF78','BOM','56DB3E89EAE5788E','BP01','612D669D2833FACD','BP02','F
CE0C089A3ECECEE','BP03','0723FFEEFBA61545','BP04','E5797698E0F8934E
','BP05','58FFC821F778D7E9','BP06','2F358909A4AA6059','BSC','EC481FD7D
CE6366A','BUYACCT','D6B388366ECF2F61','BUYAPPR1','CB0493169330922
8','BUYAPPR2','3F98A3ADC037F49C','BUYAPPR3','E65D8AD3ACC23DA3','
BUYER','547BDA4286A2ECAE','BUYMTCH','0DA5E3B504CC7497','CAMRO
N','4384E3F9C9C9B8F1','CANDICE','CF458B3230215199','CARL','99ECCC66
4FFDFEA2','CARLY','F7D90C099F9097F1','CARMEN','46E23E1FD86A4277','
CARRIECONYERS','9BA83B1E43A5885B','CATADMIN','AF9AB905347E004
F','CE','E7FDFE26A524FE39','CEASAR','E69833B8205D5DD7','CENTRA','63B
F5FFE5E3EA16D','CFD','667B018D4703C739','CHANDRA','184503FA7786C8
2D','CHARLEY','E500DAA705382E8D','CHRISBAKER','52AFB6B3BE485F81'
,'CHRISTIE','C08B79CCEC43E798','CINDY','3AB2C717D1BD0887','CLARK','
74DF527800B6D713','CLARK','7AAFE7D01511D73F','CLAUDE','C6082BCB
D0B69D20','CLINT','163FF8CCB7F11691','CLN','A18899D42066BFCA','CN','7
3F284637A54777D','CNCADMIN','C7C8933C678F7BF9','CONNIE','982F4C42
0DD38307','CONNOR','52875AEB74008D78','CORY','93CE4CCE632ADCD2','
CRM1','6966EA64B0DFC44E','CRM2','B041F3BEEDA87F72','CRP','F165BDE
5462AD557','CRPB733','2C9AB93FF2999125','CRPCTL','4C7A200FB33A531D
','CRPDTA','6665270166D613BC','CS','DB78866145D4E1C3','CSADMIN','9432
7195EF560924','CSAPPR1','47D841B5A01168FF','CSC','EDECA9762A8C79C
D','CSD','144441CEBAFC91CF','CSDUMMY','7A587C459B93ACE4','CSE','D8
CC61E8F42537DA','CSF','684E28B3C899D42C','CSI','71C2B12C28B79294','C
SL','C4D7FE062EFB85AB','CSM','94C24FC0BE22F77F','CSMIG','09B4BB013
FBD0D65','CSP','5746C5E077719DB4','CSR','0E0F7C1B1FE3FA32','CSS','3C6
B8C73DDC6B04F','CTXDEMO','CB6B5E9D9672FE89','CTXSYS','24ABAB8B
06281B4C','CTXSYS','71E687F036AD56E5','CTXTEST','064717C317B551B6','
CUA','CB7B2E6FFDD7976F','CUE','A219FE4CA25023AA','CUF','82959A9BD
2D51297','CUG','21FBCADAEAFCC489','CUI','AD7862E01FA80912','CUN','41
C2D31F3C85A79D','CUP','C03082CD3B13EC42','CUS','00A12CC6EBF8EDB8'
,'CZ','9B667E9C5A0D21A6','DAVIDMORGAN','B717BAB262B7A070','DBSN
MP','E066D214D5421CCC','DCM','45CCF86E1058D3A5','DD7333','44886308C
F32B5D4','DD7334','D7511E19D9BD0F90','DD810','0F9473D8D8105590','DD8
11','D8084AE609C9A2FD','DD812','AB71915CF21E849E','DD9','E81821D0307
4-45 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

0818C','DDB733','7D11619CEE99DE12','DDD','6CB03AF4F6DD133D','DEMO
8','0E7260738FDFD678','DES','ABFEC5AC2274E54D','DES2K','611E7A73EC4
B425A','DEV2000_DEMOS','18A0C8BD6B13BEE2','DEVB733','7500DF89DC
99C057','DEVUSER','C10B4A80D00CA7A5','DGRAY','5B76A1EB8F212B85','
DIP','CE4A36B8E06CA59C','DISCOVERER5','AF0EDB66D914B731','DKING',
'255C2B0E1F0912EA','DLD','4454B932A1E0E320','DMADMIN','E6681A8926
B40826','DMATS','8C692701A4531286','DMS','1351DC7ED400BD59','DMSYS
','BFBA5A553FD9E28A','DOM','51C9F2BECA78AE0E','DPOND','79D6A5296
0EEC216','DSGATEWAY','6869F3CFD027983A','DV7333','36AFA5CD674BA
841','DV7334','473B568021BDB428','DV810','52C38F48C99A0352','DV811','B6
DC5AAB55ECB66C','DV812','7359E6E060B945BA','DV9','07A1D03FD26E58
20','DVP1','0559A0D3DE0759A6','EAA','A410B2C5A0958CDF','EAM','CE8234
D92FCFB563','EC','6A066C462B62DD46','ECX','0A30645183812087','EDR','5F
EC29516474BB3A','EDWEUL_US','5922BA2E72C49787','EDWREP','79372B4
AB748501F','EGC1','D78E0F2BE306450D','EGD1','DA6D6F2089885BA6','EG
M1','FB949D5E4B5255C0','EGO','B9D919E5F5A9DA71','EGR1','BB636336AD
C5824A','END1','688499930C210B75','ENG','4553A3B443FB3207','ENI','05A92
C0958AFBCBC','ENM1','3BDABFD1246BFEA2','ENS1','F68A5D0D6D2BB25
B','ENTMGR_CUST','45812601EAA2B8BD','ENTMGR_PRO','2000268299147
0B3','ENTMGR_TRAIN','BE40A3BE306DD857','EOPP_PORTALADM','B6055
7FD8C45005A','EOPP_PORTALMGR','9BB3CF93F7DE25F1','EOPP_USER','1
3709991FC4800A1','EUL_US','28AEC22561414B29','EVM','137CEDC20DE69
F71','EXA1','091BCD95EE112EE3','EXA2','E4C0A21DBD06B890','EXA3','40D
C4FA801A73560','EXA4','953885D52BDF5C86','EXFSYS','66F4EF5650C2035
5','EXS1','C5572BAB195817F0','EXS2','8FAA3AC645793562','EXS3','E305017
4EE1844BA','EXS4','E963BFE157475F7D','FA','21A837D0AED8F8E5','FEM','
BD63D79ADF5262E7','FIA1','2EB76E07D3E094EC','FII','CF39DE29C08F71B9
','FLM','CEE2C4B59E7567A3','FNI1','308839029D04F80C','FNI2','05C69C8FE
AB4F0B9','FPA','9FD6074B9FD3754C','FPT','73E3EC9C0D1FAECF','FRM','9A
2A7E2EBE6E4F71','FTA1','65FF9AB3A49E8A13','FTE','2FB4D2C9BAE2CCC
A','FUN','8A7055CA462DB219','FV','907D70C0891A85B1','FVP1','6CC7825EA
DF994E8','GALLEN','F8E8ED9F15842428','GCA1','47DA9864E018539B','GCA
2','FD6E06F7DD50E868','GCA3','4A4B9C2E9624C410','GCA9','48A7205A4C5
2D6B5','GCMGR1','14A1C1A08EA915D6','GCMGR2','F4F11339A4221A4D','G
CMGR3','320F0D4258B9D190','GCS','7AE34CA7F597EBF7','GCS1','2AE8E84
D2400E61D','GCS2','C242D2B83162FF3D','GCS3','DCCB4B49C68D77E2','GE
ORGIAWINE','F05B1C50A1C926DE','GL','CD6E99DACE4EA3A6','GLA1','86
C88007729EB36F','GLA2','807622529F170C02','GLA3','863A20A4EFF7386B','
GLA4','DB882CF89A758377','GLS1','7485C6BD564E75D1','GLS2','319E08C55
B04C672','GLS3','A7699C43BB136229','GLS4','7C171E6980BE2DB9','GM_A
WDA','4A06A107E7A3BB10','GM_COPI','03929AE296BAAFF2','GM_DPHD','
0519252EDF68FA86','GM_MLCT','24E8B569E8D1E93E','GM_PLADMA','294
6218A27B554D8','GM_PLADMH','2F6EDE96313AF1B7','GM_PLCCA','7A992
44B545A038D','GM_PLCCH','770D9045741499E6','GM_PLCOMA','91524D7D
E2B789A8','GM_PLCOMH','FC1C6E0864BF0AF2','GM_PLCONA','1F531397
B19B1E05','GM_PLCONH','C5FE216EB8FCD023','GM_PLNSCA','DB9DD236
4-46 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

1D011A30','GM_PLNSCH','C80D557351110D51','GM_PLSCTA','3A778986229
BA20C','GM_PLSCTH','9E50865473B63347','GM_PLVET','674885FDB93D34
B9','GM_SPO','E57D4BD77DAF92F0','GM_STKH','C498A86BE2663899','GM
A','DC7948E807DFE242','GMD','E269165256F22F01','GME','B2F0E221F45A2
28F','GMF','A07F1956E3E468E1','GMI','82542940B0CF9C16','GML','5F1869A
D455BBA73','GMP','450793ACFCC7B58E','GMS','E654261035504804','GR','F5
AB0AA3197AEE42','GUEST','1C0A090E404CECD0','HCC','25A25A7FEFAC1
7B6','HHCFO','62DF37933FB35E9F','HR','4C6D73C3E8B0F0DA','HRI','49A3A
09B8FC291D0','HXC','4CEA0BF02214DA55','HXT','169018EB8E2C4A77','IA','
42C7EAFBCEEC09CC','IBA','0BD475D5BF449C63','IBC','9FB08604A30A495
1','IBE','9D41D2B3DD095227','IBP','840267B7BD30C82E','IBU','0AD9ABABC
74B3057','IBY','F483A48F6A8C51EC','ICX','7766E887AF4DCC46','IEB','A695
699F0F71C300','IEC','CA39F929AF0A2DEC','IEM','37EF7B2DD17279B5','IEO
','E93196E9196653F1','IES','30802533ADACFE14','IEU','5D0E790B9E882230','
IEX','6CC978F56D21258D','IGC','D33CEB8277F25346','IGF','1740079EFF46A
B81','IGI','8C69D50E9D92B9D0','IGS','DAF602231281B5AC','IGW','B39565F4
E3CF744B','IMC','C7D0B9CDE0B42C73','IMT','E4AAF998653C9A72','INS1','2
ADC32A0B154F897','INS2','EA372A684B790E2A','INTERNET_APPSERVER
_REGISTRY','A1F98A977FFD73CD','INV','ACEAB015589CF4BC','IP','D29012
C144B58A40','IPA','EB265A08759A15B4','IPD','066A2E3072C1F2F3','ISC','373
F527DC0CFAE98','ISTEWARD','8735CA4085DE3EEA','ITG','D90F98746B68E
6CA','JA','9AC2B58153C23F3D','JD7333','FB5B8A12AE623D52','JD7334','322
810FCE43285D9','JD9','9BFAEC92526D027B','JDE','7566DC952E73E869','JDE
DBA','B239DD5313303B1D','JE','FBB3209FD6280E69','JG','37A99698752A1C
F1','JL','489B61E488094A8D','JOHNINARI','B3AD4DA00F9120CE','JONES','B
9E99443032F059D','JTF','5C5F6FC2EBB94124','JTI','B8F03D3E72C96F7','JTM
','6D79A2259D5B4B5A','JTR','B4E2BE38B556048F','JTS','4087EE6EB7F9CD7
C','JUNK_PS','BBC38DB05D2D3A7A','JUSTOSHUM','53369CD63902FAAA','
KELLYJONES','DD4A3FF809D2A6CF','KEVINDONS','7C6D9540B45BBC39',
'KPN','DF0AED05DE318728','LADAMS','AE542B99505CDCD2','LBA','18E5E
15A436E7157','LBACSYS','AC9700FD3F1410EB','LDQUAL','1274872AB40D4
FCD','LHILL','E70CA2CA0ED555F5','LNS','F8D2BC61C10941B2','LQUINCY',
'13F9B9C1372A41B6','LSA','2D5E6036E3127B7E','MDDATA','DF02A496267
DEE66','MDSYS','72979A94BAD2AF80','MDSYS','9AAEB2214DCC9A31','ME
','E5436F7169B29E4D','MFG','FC1B0DD35E790847','MGR1','E013305AB0185
A97','MGR2','5ADE358F8ACE73E8','MGR3','05C365C883F1251A','MGR4','E2
29E942E8542565','MIKEIKEGAMI','AAF7A168C83D5C47','MJONES','EE7BB
3FEA50A21C5','MLAKE','7EC40274AC1609CA','MM1','4418294570E152E7','
MM2','C06B5B28222E1E62','MM3','A975B1BD0C093DA3','MM4','88256901E
B03A012','MM5','4CEA62CBE776DCEC','MMARTIN','D52F60115FE87AA4','
MOBILEADMIN','253922686A4A45CC','MRP','B45D4DF02D4E0C85','MSC','8
9A8C104725367B2','MSD','6A29482069E23675','MSO','3BAA3289DB35813C','
MSR','C9D53D00FE77D813','MST','A96D2408F62BE1BC','MWA','1E2F06BE2
A1D41A6','NEILKATSU','1F625BB9FEBC7617','OBJ7333','D7BDC9748AFED
B52','OBJ7334','EB6C5E9DB4643CAC','OBJB733','61737A9F7D54EF5F','OCA'
,'9BC450E4C6569492','ODM','C252E8FA117AF049','ODM_MTR','A7A32CD03
4-47 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

D3CE8D5','ODS','89804494ADFC71BC','ODSCOMMON','59BBED977430C1A
8','OE','D1A2DFC623FDA40A','OKB','A01A5F0698FC9E31','OKC','31C1DDF4
D5D63FE6','OKE','B7C1BB95646C16FE','OKI','991C817E5FD0F35A','OKL','D
E058868E3D2B966','OKO','6E204632EC7CA65D','OKR','BB0E28666845FCDC
','OKS','C2B4C76AB8257DF5','OKX','F9FDEB0DE52F5D6B','OL810','E2DA59
561CBD0296','OL811','B3E88767A01403F8','OL812','AE8C7989346785BA','O
L9','17EC83E44FB7DB5B','OLAPSYS','3FB8EF9DB538647C','ONT','9E3C815
74654100A','OPI','1BF23812A0AEEDA0','ORABAM','D0A4EA93EF21CE25','
ORABAMSAMPLES','507F11063496F222','ORABPEL','26EFDE0C9C051988','
ORAESB','CC7FCCB3A1719EDA','ORAOCA_PUBLIC','FA99021634DDC111'
,'ORASAGENT','234B6F4505AD8F25','ORASSO','F3701A008AA578CF','ORA
SSO_DS','17DC8E02BC75C141','ORASSO_PA','133F8D161296CB8F','ORASS
O_PS','63BB534256053305','ORASSO_PUBLIC','C6EED68A8F75F5D3','ORDP
LUGINS','88A2B2C183431F00','ORDSYS','7EFA02EC7EA6B86F','OSM','106A
E118841A5D8C','OTA','F5E498AC7009A217','OUTLN','4A3BA55E08595C81','
OWAPUB','6696361B64F9E0A9','OWF_MGR','3CBED37697EB01D1','OZF','97
0B962D942D0C75','OZP','B650B1BB35E86863','OZS','0DABFF67E0D33623','P
A','8CE2703752DB36D8','PABLO','5E309CB43FE2C2FF','PAIGE','02B6B704D
FDCE620','PAM','1383324A0068757C','PARRISH','79193FDACFCE46F6','PAR
SON','AE28B2BD64720CD7','PAT','DD20769D59F4F7BF','PATORILY','46B76
64BD15859F9','PATRICKSANCHEZ','47F74BD3AD4B5F0A','PATSY','4A63F
91FEC7980B7','PAUL','35EC0362643ADD3F','PAULA','BB0DC58A94C17805',
'PAXTON','4EB5D8FAD3434CCC','PCA1','8B2E303DEEEEA0C0','PCA2','7AD
6CE22462A5781','PCA3','B8194D12FD4F537D','PCA4','83AD05F1D0B0C603','
PCS1','2BE6DD3D1DEA4A16','PCS2','78117145145592B1','PCS3','F48449F028
A065B1','PCS4','E1385509C0B16BED','PD7333','5FFAD8604D9DC00F','PD733
4','CDCF262B5EE254E1','PD810','EB04A177A74C6BCB','PD811','3B3C0EFA4
F20AC37','PD812','E73A81DB32776026','PD9','CACEB3F9EA16B9B7','PDA1','
C7703B70B573D20F','PEARL','E0AFD95B9EBD0261','PEG','20577ED9A8DB8
D22','PENNY','BB6103E073D7B811','PEOPLE','613459773123B38A','PERCY','
EB9E8B33A2DDFD11','PERRY','D62B14B93EE176B6','PETE','4040619819A9
C76E','PEYTON','B7127140004677FC','PHIL','181446AE258EE2F6','PJI','5024
B1B412CD4AB9','PJM','021B05DBB892D11F','PMI','A7F7978B21A6F65E','PN
','D40D0FEF9C8DC624','PO','355CBEC355C10FEF','POA','2AB40F104D8517A
0','POLLY','ABC770C112D23DBE','POM','123CF56E05D4EF3C','PON','582090
FD3CC44DA3','PORTAL','A96255A27EC33614','PORTAL_APP','831A79AFB
0BD29EC','PORTAL_DEMO','A0A3A6A577A931A3','PORTAL_PUBLIC','70A
9169655669CE8','PORTAL30','969F9C3839672C6D','PORTAL30_DEMO','CFD
1302A7F832068','PORTAL30_PUBLIC','42068201613CA6E2','PORTAL30_SS
O','882B80B587FCDBC8','PORTAL30_SSO_PS','F2C3DC8003BC90F8','PORT
AL30_SSO_PUBLIC','98741BDA2AC7FFB2','POS','6F6675F272217CF7','PPM
1','AA4AE24987D0E84B','PPM2','4023F995FF78077C','PPM3','12F56FADDA8
7BBF9','PPM4''84E17CB7A3B0E769','PPM5','804C159C660F902C','PRISTB73
3','1D1BCF8E03151EF5','PRISTCTL','78562A983A2F78FB','PRISTDTA','3FCB
C379C8FE079C','PRODB733','9CCD49EB30CB80C4','PRODCTL','E5DE2F015
29AE93C','PRODDTA','2A97CD2281B256BA','PRODUSER','752E503EFBF2C
4-48 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

2CA','PROJMFG','34D61E5C9BC7147E','PRP','C1C4328F8862BC16','PS','0AE5
2ADF439D30BD','PS810','90C0BEC7CA10777E','PS810CTL','D32CCE5BDCD
8B9F9','PS810DTA','AC0B7353A58FC778','PS811','B5A174184403822F','PS81
1CTL','18EDE0C5CCAE4C5A','PS811DTA','7961547C7FB96920','PS812','39F0
304F007D92C8','PS812CTL','E39B1CE3456ECBE5','PS812DTA','3780281C933
FE164','PSA','FF4B266F9E61F911','PSB','28EE1E024FC55E66','PSBASS','F739
804B718D4406','PSEM','40ACD8C0F1466A57','PSFT','7B07F6F3EC08E30D','P
SFTDBA','E1ECD83073C4E134','PSP','4FE07360D435E2F0','PTADMIN','4C35
813E45705EBA','PTCNE','463AEFECBA55BEE8','PTDMO','251D71390034576
A','PTE','380FDDB696F0F266','PTESP','5553404C13601916','PTFRA','A360DA
D317F583E3','PTG','7AB0D62E485C9A3D','PTGER','C8D1296B4DF96518','PT
JPN','2159C2EAF20011BF','PTUKE,'D0EF510BCB2992A3','PTUPG','2C27080
C7CC57D06','PTWEB','8F7F509D4DC01DF6','PTWEBSERVER','3C805053600
3278B','PV','76224BCC80895D3D','PY7333','2A9C53FE066B852F','PY7334','F3
BBFAE0DDC5F7AC','PY810','95082D35E94B88C2','PY811','DC548D6438E4D
6B7','PY812','99C575A55E9FDA63','PY9','B8D4E503D0C4FCFD','QA','C7AEA
A2D59EB1EAE','QOT','B27D0E5BA4DC8DEA','QP','10A40A72991DCA15','Q
RM','098286E4200B22DE','QS','4603BCD2744BDE4F','QS_ADM','3990FB4181
62F2A0','QS_CB','870C36D8E6CD7CF5','QS_CBADM','20E788F9D4F1D92C','
QS_CS','2CA6D0FC25128CF3','QS_ES','9A5F2D9F5D1A9EF4','QS_OS','0EF59
97DC2638A61','QS_WS','0447F2F756B4F460','RENE','9AAD141AB0954CF0','
REPADMIN','915C93F34954F5F8','REPORTS','0D9D14FE6653CF69','REPOR
TS_USER','635074B4416CD3AC','RESTRICTED_US','E7E67B60CFAFBB2D','
RG','0FAA06DA0F42F21F','RHX','FFDF6A0C8C96E676','RLA','C1959B03F36
C9BB2','RLM','4B16ACDA351B557D','RM1','CD43500DAB99F447','RM2','2D
8EE7F8857D477E','RM3','1A95960A95AC2E1D','RM4','651BFD4E1DE4B040','
RM5','FDCC34D74A22517C','RMAN','E7B5D92911C831E1','ROB','94405F516
486CA24','RPARKER','CEBFE4C41BBCC306','RWA1','B07E53895E37DBBB','
SALLYH','21457C94616F5716','SAM','4B95138CB6A4DB94','SARAHMAND
Y','60BE21D8711EE7D9','SCM1','507306749131B393','SCM2','CBE8D6FAC78
21E85','SCM3','2B311B9CDC70F056','SCM4','1FDF372790D5A016','SCOTT','F
894844C34402B67','SDAVIS','A9A3B88C6A550559','SECDEMO','009BBE814
2502E10','SEDWARDS','00A2EDFD7835BC43','SELLCM','8318F67F72276445'
,'SELLER','B7F439E172D5C3D0','SELLTREAS','6EE7BA85E9F84560','SERVI
CES','B2BE254B514118A5','SETUP','9EA55682C163B9A3','SH','54B253CBBA
AA8C48','SI_INFORMTN_SCHEMA','84B8CBCA4D477FA3','SID','CFA11E6
EBA79D33E','SKAYE','ED671B63BDDB6B50','SKYTETSUKA','EB5DA777D
1F756EC','SLSAA','99064FC6A2E4BBE8','SLSMGR','0ED44093917BE294','SL
SREP','847B6AAB9471B0A5','SRABBITT','85F734E71E391DF5','SRALPHS','9
75601AA57CBD61A','SRAY','C233B26CFC5DC643','SRIVERS','95FE94ADC2
B39E08','SSA1','DEE6E1BEB962AA8B','SSA2','96CA278B20579E34','SSA3','C
3E8C3B002690CD4','SSC1','4F7AC652CC728980','SSC2','A1350B328E74AE87
','SSC3','EE3906EC2DA586D8','SSOSDK','7C48B6FF3D54D006','SSP','87470D
6CE203FB4D','SSS1','E78C515C31E83848','SUPPLIER','2B45928C2FE77279','
SVM7333','04B731B0EE953972','SVM7334','62E2A2E886945CC8','SVM810','0
A3DCD8CA3B6ABD9','SVM811','2B0CD57B1091C936','SVM812','778632974
4-49 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

E3947C9','SVM9','552A60D8F84441F1','SVMB733','DD2BFB14346146FE','SV
P1','F7BF1FFECE27A834','SY810','D56934CED7019318','SY811','2FDC83B40
1477628','SY812','812B8D7211E7DEF1','SY9','3991E64C4BC2EC5D','SYS','43
CA255A7916ECFE','SYS','5638228DAF52805F','SYS','D4C5016086B2DC6A','
SYS7333','D7CDB3124F91351E','SYS7334','06959F7C9850F1E3','SYSADMIN'
,'DC86E8DEAA619C1A','SYSB733','7A7F5C90BEC02F0E','SYSMAN','EB258
E708132DD2D','SYSTEM','4D27CA6E3E3066E6','SYSTEM','D4DF7931AB130
E37','TDEMARCO','CAB71A14FA426FAE','TDOS_ICSAP','7C0900F75172376
8','TESTCTL','205FA8DF03A1B0A6','TESTDTA','EEAF97B5F20A3FA3','TRA
1','BE8EDAE6464BA413','TRACESVR','F9DA8977092B7B81','TRBM1','B10E
D16CD76DBB60','TRCM1','530E1F53715105D0','TRDM1','FB1B8EF14CF3DE
E7','TRRM1','4F29D85290E62EBE','TWILLIAMS','6BF819CE663B8499','UDD
ISYS','BF5E56915C3E1C64','VEA','D38D161C22345902','VEH','72A90A786A
AE2914','VIDEO31','2FA72981199F9B97','VIDEO4','9E9B1524C454EEDE','VI
DEO5','748481CFF7BE98BB','VP1','3CE03CD65316DBC7','VP2','FCCEFD288
24DFEC5','VP3','DEA4D8290AA247B2','VP4','F4730B0FA4F701DC','VP5','7D
D67A696734AE29','VP6','45660DEE49534ADB','WAA1','CF013DC80A9CBEE
3','WAA2','6160E7A17091741A','WCRSYS','090263F40B744BD8','WEBDB','D
4C4DCDD41B05A5D','WEBSYS','54BA0A1CB5994D64','WENDYCHO','7E62
8CDDF051633A','WH','91792EFFCB2464F9','WIP','D326D25AE0A0355C','WI
RELESS','1495D279640E6C3A','WIRELESS','EB9615631433603E','WK_TEST'
,'29802572EB547DBF','WKPROXY','AA3CB2A4D9188DDB','WKSYS','545E1
3456B7DDEA0','WMS','D7837F182995E381','WMSYS','7C9BA362F8314299','
WPS','50D22B9D18547CF7','WSH','D4D76D217B02BD7A','WSM','750F2B109
F49CC13','XDB','88D8364765FCE6AF','XDO','E9DDE8ACFA7FE8E4','XDP','F
05E53C662835FA2','XLA','2A8ED59E27D86D41','XLE','CEEBE966CC6A3E39
','XNB','03935918FA35C993','XNC','BD8EA41168F6C664','XNI','F55561567EF
71890','XNM','92776EA17B8B5555','XNP','3D1FB783F96D1F5E','XNS','FABA
49C38150455E','XTR','A43EE9629FA90CAE','YCAMPOS','C3BBC657F099A1
0F','YSANCHEZ','E0C033C4C8CC9D84','ZFA','742E092A27DDFB77','ZPB','C
AF58375B6D06513','ZSA','AFD3BD3C7987CBB6','ZX','7B06550956254585','F
LOWS_030000','B5C7B17C2C983E8F','FLOWS_FILES','5CDD1E40E516FE6A
','PUBLIC','TSMSYS','3DF26A8B17D0F29F','ORACLE_OCM','6D17CF1EB16
11F94','OWBSYS','610A3C38F301776F','SPATIAL_CSW_ADMIN','093913703
800E437','SPATIAL_WFS_ADMIN','32FA36DC781579AA','SPATIAL_CSW_
ADMIN_USR','1B290858DD14107E','SPATIAL_WFS_ADMIN_USR','7117215
D6BEE6E82','GLOBL_USER','GLOBAL','MGMT_VIEW','17028530E6D346B4
','APEX_PUBLIC_USER','C8E264D926F001D8','XS$NULL’,’DC4FCC8CB69
A6733',name);

If any accounts listed show an account status of OPEN, this is a Finding. If all of
the accounts listed show an account status of LOCKED & EXPIRED or
LOCKED this is a Finding, but downgrade the severity Category Code to II.

Fix:

4-50 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Change passwords from the default. Ensure passwords meet complexity standards
outlined in STIG Requirement DG0079.

From SQL*Plus:
alter user [username] identified by [password];

Lock and expire any accounts not required for interactive access.

From SQL*Plus:
alter user [username] account lock;
alter user [username] password expire;

NOTE: Follow Oracle documentation for changing any default passwords. Some
accounts require coordinated actions in order to maintain operational status.

VKEY: V0002529 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.2.2.2
STIG Requirement: (DG0128: CAT I) The DBA will assign custom passwords to all
default database accounts whether created by the installation of the
database software or database components or by third-party
applications.

4-51 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.34 DO3487: Oracle password reuse restrictions

Description: The PASSWORD_REUSE_MAX value specifies the number of password
changes before a password can be reused. PASSWORD_REUSE_TIME specifies the
length of time before a password can be reused. Prior to version 9.2, only one of these
limits could be set to a value and the other had to be set to UNLIMITED. Version 9.2 and
later allows the setting of a value for both limits.

Check:
From SQL*Plus (must do first SQL statement first!):

-- Check for both reuse max and reuse time not set:
select profile from DBA_PROFILES
where (resource_name='PASSWORD_REUSE_MAX'
and limit in ('UNLIMITED','NULL'))
or profile in
(select profile from DBA_PROFILES
where resource_name='PASSWORD_REUSE_TIME')
and limit in ('UNLIMITED','NULL');

-- Check for reuse max with value that is less than allowed minimum
select profile from DBA_PROFILES
where resource_name='PASSWORD_REUSE_MAX'
and limit not in ('UNLIMITED','NULL')
and limit < '10';

-- Check for reuse time that is less than allowed minimum

select profile from DBA_PROFILES
where resource_name='PASSWORD_REUSE_TIME'
and limit not in ('UNLIMITED','NULL')
and limit < '365';

If any records are returned, this is a Finding.

NOTE: If the value DEFAULT is returned, then the profile limit is set to the
corresponding value in the DEFAULT profile. If the DEFAULT profile is in
violation for this limit, then so is the profile that references it.

Fix:
Modify profiles to meet reuse number and reuse time requirements.

From SQL*Plus:
alter profile default limit
password_reuse_time 365
password_reuse_max 10;

4-52 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

alter profile [profile name] limit

password_reuse_time default
password_reuse_max default;

Replace [profile name] with any existing, non-default profile names.

NOTE: Password and account requirements have changed for DoD since the
STIG requirement listed in the table for this check was published.

VKEY: V0002541 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: IAIA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.2.2.2
(DG0126: CAT II) The DBA will configure database account
passwords to be prevented from reuse for a minimum of five changes
or one year where supported by the DBMS.

4-53 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.35 DO3504: Oracle PASSWORD_VERIFY_FUNCTION profile parameter

Description: The PASSWORD_VERIFY_FUNCTION value specifies a PL/SQL
function to be used for password verification when users assigned this profile log in to a
database. This function can be used to validate password strength by requiring passwords
to pass a strength test written in PL/SQL. The function must be locally available for
execution on the database to which this profile applies. Oracle provides a default script
(utlpwdmg.sql), as a template to develop your own function. The password verification
function must be owned by SYS. The default setting for this profile parameter is NULL,
meaning no password verification is performed.

Check:
From SQL*Plus:
select profile, limit
from dba_profiles,
(select limit as def_pwd_verify_func
from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
and profile='DEFAULT')
where resource_name='PASSWORD_VERIFY_FUNCTION'
and replace(limit,'DEFAULT',def_pwd_verify_func) in
('UNLIMITED','NULL');

If any records are returned, this is a Finding.

Fix:
Create or uses a password verify function that enforces password complexity. See
a sample below that meets DoD requirements. Modify profiles to specify the
password verify function created.

From SQL*Plus:
Rem This script was modified from the Oracle utlpwdmg.sql default script.
Rem
-- This script sets the default password resource parameters.
-- This script needs to be run to enable the password features.
-- However, the default resource parameters can be changed based on the need.
-- A default password complexity function is also provided.
-- This function makes the minimum complexity checks like the minimum
-- length of the password, password not same as the username, etc. The user may
-- enhance this function according to the need.
-- This function must be created in SYS schema:
-- connect sys/<password> as sysdba before running the script

CREATE OR REPLACE FUNCTION verify_password_dod

(username varchar2,
password varchar2,
4-54 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

old_password varchar2)
RETURN boolean IS
n boolean;
m integer;
differ integer;
isdigit boolean;
numdigit integer;
ispunct boolean;
numpunct integer;
islowchar boolean;
numlowchar integer;
isupchar boolean;
numupchar integer;
digitarray varchar2(10);
punctarray varchar2(25);
lowchararray varchar2(26);
upchararray varchar2(26);
pw_change_time date;
BEGIN
digitarray:='0123456789';
lowchararray:='abcdefghijklmnopqrstuvwxyz';
upchararray:='ABCDEFGHIJKLMNOPQRSTUVWXYZ';
punctarray:='!"#$%&()``*+,-/:;<=>?_';

-- Check if the password is same as the username

if nls_lower(password)=nls_lower(username) then
raise_application_error(-20001, 'Password same as or similar to user');
end if;

-- Check for the minimum length of the password

if length(password) < 15 then
raise_application_error(-20002, 'Password length less than 15');
end if;

-- Check if the password is too simple. A dictionary of words may be maintained

-- and a check may be made so as not to allow the words that are too simple for
-- the password.
if nls_lower(password) in
('welcome','database','account','user','password','oracle','computer','abcdefgh',
'12345') then
raise_application_error(-20002, 'Password too simple');
end if;

-- Check if the password contains at least two each of the following:

-- uppercase characters, lowercase characters, digits and special characters.

4-55 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

-- 1. Check for the digits

isdigit:=FALSE;
numdigit:=0;
m:=length(password);
for i in 1..10 loop
for j in 1..m loop
if substr(password,j,1)=substr(digitarray,i,1) then
numdigit:=numdigit + 1;
end if;
if numdigit > 1 then
isdigit:=TRUE;
goto findlowchar;
end if;
end loop;
end loop;
if isdigit=FALSE then
raise_application_error(-20003, 'Password should contain at least two digits');
end if;

-- 2. Check for the lowercase characters

<<findlowchar>>

islowchar:=FALSE;
numlowchar:=0;
m:=length(password);
for i in 1..length(lowchararray) loop
for j in 1..m loop
if substr(password,j,1)=substr(lowchararray,i,1) then
numlowchar:=numlowchar + 1;
end if;
if numlowchar > 1 then
islowchar:=TRUE;
goto findupchar;
end if;
end loop;
end loop;
if islowchar=FALSE then
raise_application_error(-20003, 'Password should contain at least two lowercase
characters');
end if;

-- 3. Check for the UPPERCASE characters

<<findupchar>>
4-56 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

isupchar:=FALSE;
numupchar:=0;
m:=length(password);
for i in 1..length(upchararray) loop
for j in 1..m loop
if substr(password,j,1)=substr(upchararray,i,1) then
numupchar:=numupchar + 1;
end if;
if numupchar > 1 then
isupchar:=TRUE;
goto findpunct;
end if;
end loop;
end loop;
if isupchar=FALSE then
raise_application_error(-20003, 'Password should contain at least two lowercase
characters');
end if;

-- 4. Check for the punctuation

<<findpunct>>

ispunct:=FALSE;
numpunct:=0;
m:=length(password);
for i in 1..length(punctarray) loop
for j in 1..m loop
if substr(password,j,1)=substr(punctarray,i,1) then
numpunct:=numpunct + 1;
end if;
if numpunct > 1 then
ispunct:=TRUE;
goto endsearch;
end if;
end loop;
end loop;
if ispunct=FALSE then
raise_application_error(-20003, 'Password should contain at least two
punctuation characters');
end if;

-- Check if the password differs from the previous password

-- by more than 4 characters

4-57 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

<<endsearch>>

if old_password is not null then

differ:=length(old_password) - length(password);
if abs(differ) < 4 then
if length(password) < length(old_password) then
m:=length(password);
else
m:=length(old_password);
end if;
differ:=abs(differ);
for i in 1..m loop
if substr(password,i,1) != substr(old_password,i,1) then
differ:=differ + 1;
end if;
end loop;
if differ < 4 then
raise_application_error(-20004, 'Password should differ by more than 4
characters');
end if;
end if;
end if;

-- Check if the password has been changed within the last 24 hours

select ctime into pw_change_time from user$ where name = username;

if sysdate - pw_change_time < 1 then

raise_application_error(-20001, 'Password was changed too recently',FALSE);
end if;

-- Everything is fine. return TRUE

RETURN(TRUE);

EXCEPTION
WHEN OTHERS THEN
raise_application_error(-20000,'verify_password_dod: Unexpected error:
'||SQLERRM,TRUE);

END;
/

alter profile default limit

password_verify_function verify_password_dod;

4-58 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002543 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: IAIA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.2.2.2
(DG0079: CAT II) The DBA will ensure database password
complexity standards meet current minimum requirements for length
(9 characters or more for database application user accounts and 15
characters or more for privileged database accounts) and composition
(at least two uppercase characters, two lowercase characters, two
special characters, two digits ) where supported by the DBMS.

4-59 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.36 DO3537: Oracle FAILED_LOGIN_ATTEMPTS profile parameter

Description: The FAILED_LOGIN_ATTEMPTS value limits the number of failed
login attempts allowed before an account is locked. Setting this value limits the ability of
unauthorized users to guess passwords and alerts the DBA when password guessing has
occurred (accounts display as locked). For non-interactive accounts, the number of failed
logins should be set to one.

Check:
From SQL*Plus:
select profile||': '||limit from dba_profiles,
(select limit as def_login_attempts
from dba_profiles
where profile='DEFAULT'
and resource_name='FAILED_LOGIN_ATTEMPTS')
where resource_name='FAILED_LOGIN_ATTEMPTS'
and ((replace(limit,'DEFAULT',def_login_attempts) in
('UNLIMITED',NULL))
or (lpad(replace(limit,'DEFAULT',def_login_attempts),40,'0') >
lpad('3',40,'0')));

If any records are returned, this is a Finding.

Fix:
Modify profiles to meet the failed login attempt requirement limit.

From SQL*Plus:
alter profile default limit
failed_login_attempts 3;
alter profile [profile name] limit
failed_login_attempts default;

Replace [profile name] with any existing, non-default profile names.

4-60 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002553 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.10
(DG0073: CAT II) The DBA will configure the DBMS to lock
database accounts after three or an IAO-specified number of
consecutive unsuccessful connection attempts within a 60-minute
period. The counter may be reset to 0 if a third failed logon attempt
does not occur before reset. Where this requirement is not compatible
with the operation of a front-end application, the unsuccessful logon
count and time will be specified and the operational need documented
in the System Security Plan.

4-61 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.37 DO0270: Oracle redo log file availability

Description: The Oracle redo log files store the detailed information on changes made to
the database. This information is critical to database recovery in case of a database
failure.

Check:
From SQL*Plus:
select count(*) from V$LOG where members >1;

If the value of the count returned is less than 2, this is a Finding.

However, if a minimum of one log group with 2 or more members is stored on a

RAID 5 or RAID 1 disk array, this is not a Finding.

Fix:
To define additional redo log file groups:

From SQL*Plus:
alter database add logfile group 3
('diska:log3.log' ,
'diskb:log3.log') size 50K;

To add additional redo log file [members] to an existing redo log file group:

From SQL*Plus:
alter database add logfile member 'diskc:log3.log'
to group 3;

Replace diska, diskb, diskc with valid, different disk drive specifications. Replace
log#.log file with valid or custom names for the log files.

VKEY: V0002522 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: COBR
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.5.1
(DG0114: CAT II) The DBA will ensure files critical to database
recovery are protected by employment of database and OS high-
availability options such as storage on RAID devices.

4-62 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.38 DO3610: Oracle minimum object auditing

Description: Database object definitions and configurations require similar oversight as
application libraries to detect unauthorized changes. Unauthorized changes may indicate
attempts to compromise data or application object integrity or confidentiality. Any access
to audit data objects stored in the database must be audited to detect any attempts to
compromise the audit trail. A compromise to audit data could jeopardize accountability
for unauthorized actions.

Check:
From SQL*Plus:
select count(*) from all_def_audit_opts where ren='A/A';

If the count of 0 is returned, this is a Finding.

Check for required auditing of the audit table as follows:

From SQL*Plus:
select upd, del, object_type from dba_obj_audit_opts
where object_name='AUD$' and owner='SYSTEM';

If the record returned is of object type TABLE and upd(ate) and del(ete) are not =
'A/A', this is a Finding.

If the record type VIEW is returned and upd and del are = ‘A/A’, this is NOT a
Finding.

Otherwise, if the record type VIEW is returned and upd and del are NOT = 'A/A',
then the underlying table must be checked for update and delete auditing as
follows:

From SQL*Plus:
set long 1000
set wrap on
select text from dba_views where view_name='AUD$';

Review the text returned and locate the “from table_owner.table_name”. This
should be located at the end of the text returned.

Replace table_owner and table_name in the select statement below with the
values returned above.

From SQL*Plus:
select upd, del from dba_obj_audit_opts
where owner='table_owner' and object_name = 'table_name';

4-63 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

If the value of upd(ate) and del(ete) returned above is NOT equal to 'A/A', this is a
Finding.

Fix:
The only application objects auditing required is for use of the RENAME
privilege on database objects. Configure auditing on RENAME privilege use by
default for newly created objects.

From SQL*Plus:
audit rename on default by access;

If application objects have already been created, then the audit rename on object
statement should be issued for all application objects.

From SQL*Plus:
audit rename on [application object name] by access;

Enable auditing of access and activity on audit trail data stored in the database.

From SQL*Plus:
audit update, delete on SYSTEM.AUD$ by access;

NOTE: The audit table is by default in the SYSTEM schema, but may have been
moved to another schema.

VKEY: V0002562 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECAR
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Database STIG 3.3.2
(DG0142: CAT II) The DBA will ensure privileged DBMS actions
and changes to security labels or sensitivity markings of data in the
DBMS are audited.

4-64 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

4.39 DO3692: Oracle audited events

Description: Configuring proper auditing is critical to recording any malicious events or
detecting when attacks on the database occur. Auditing can be turned on for any SQL
statement or any use of a system privilege. Auditing can be enabled for all users (system
wide) or for specific users. You may indicate whether one audit record for each access to
an object or one audit record for the entire session is generated. You can enable auditing
for commands that result in success, commands that result in failure, or both. Not all
audit options can be audited by session. Audit options set using the BY SESSION clause
for those actions that will not produce a session audit record will default to BY ACCESS.

Check:
From SQL*Plus:
select name from stmt_audit_option_map
where name not in (select audit_option from dba_stmt_audit_opts)
and name not in
('ANALYZE ANY DICTIONARY','DELETE TABLE',
'EXECUTE PROCEDURE','INSERT TABLE','LOCK TABLE','NETWORK',
'SELECT MINING MODEL','SELECT SEQUENCE',
'SELECT TABLE','UPDATE TABLE','USE EDITION');

If any audit options are returned, this is a Finding.

Fix:
There are three (3) types of auditable events: 1) Use of system privileges, 2) Use
of object privileges, and 3) Issuance of statements. Activating some auditing
options sometimes activates others. For example, the use of a system privilege
requires the issuance of a system command. Auditing for use of the privilege also
audits for the statement.

Configure auditing for Oracle as follows:

From SQL*Plus:
audit all by access;
audit all privileges by access;
audit alter java class by access;
audit alter java resource by access;
audit alter java source by access;
audit alter mining model by access; -- 11.1 only
audit alter sequence by access;
audit alter table by access;
audit comment mining model by access; -- 11.1 only
audit comment table by access;
audit create java class by access;
audit create java resource by access;
audit create java source by access;
4-65 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

audit debug procedure by access;

audit drop java class by access;
audit drop java resource by access;
audit drop java source by access;
audit exempt access policy by access;
audit exempt identity policy by access;
audit grant directory by access;
audit grant edition by access; --11.1 only
audit grant mining model by access; -- 11.1 only
audit grant procedure by access;
audit grant sequence by access;
audit grant table by access;
audit grant type by access;
audit sysdba by access;
audit sysoper by access;

The following SQL statements will disable audits set by the commands above that
are not required:

noaudit execute assembly; -- ignore errors

noaudit execute library; -- ignore errors
audit rename on default by access;

If application objects have already been created, then the audit rename on object
statement should be issued for all application objects.

From SQL*Plus:
audit rename on [application object name] by access;

VKEY: V0002592 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAR Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.3.2
STIG Requirement: (DG0141: CAT II) The DBA will ensure all database logons, account
locking events, blocking or disabling of a database account or logon
source location, or any attempt to circumvent access controls is
audited.

4-66 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5. Oracle Database Interview Check Procedures

5.1 DG0030: DBMS audit data maintenance

Description: Without preservation, a complete discovery of an attack or suspicious
activity may not be determined. DBMS audit data also contributes to the complete
investigation of unauthorized activity and needs to be included in audit retention plans
and procedures.

Check:
Review and verify the implementation of an audit trail retention policy. Verify
that audit data is maintained for a minimum of one year.

If audit data is not maintained for a minimum of one year, this is a Finding.

Fix:
Develop and implement an audit retention policy and procedure. It is
recommended that the most recent thirty days of audit logs remain available
online. After thirty days, the audit logs may be maintained offline. Online
maintenance provides for a more timely capability and inclination to investigate
suspicious activity.

VKEY: V0002507 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECRR Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.3.18
STIG Requirement: (DG0030: CAT II) The DBA will ensure the DBMS audit trail data is
maintained for a minimum of one year.

5-67 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.2 DG0076: Sensitive data import to development DBMS

Description: Data export from production databases may include sensitive data.
Application developers do not have need-to-know to sensitive data. Any access to
production data would be considered unauthorized access and may subject sensitive data
to unlawful or unauthorized disclosure. See DoDD 8500.1 for a definition of Sensitive
Information.

Check:
If the database being reviewed is not a production database, this check is NA.

Review policy, procedures and restrictions for data imports of production data
containing sensitive information into development databases. If data imports of
production data are allowed, review procedures for protecting any sensitive data
included in production exports.

If sensitive data is included in the exports and no procedures are in place to

remove or modify the data to render it not sensitive prior to import into a
development database or policy and procedures are not in place to ensure
authorization of development personnel to access sensitive information contained
in production data, this is a Finding.

Fix:
Document policy, procedures and restrictions for production data import. Require
any users assigned privileges that allow the export of production data from the
database to acknowledge understanding of import policies, procedures and
restrictions. Restrict permissions of development personnel requiring use or
access to production data imported into development databases containing
sensitive information to authorized users. Implement policy and procedures to
modify or remove sensitive information in production exports prior to import into
development databases.

VKEY: V0003819 Severity: CAT 2 Gold: True MAC/CONF: 1-

CS;2-CS;3-CS
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.3.1
STIG Requirement: (DG0076: CAT II) The DBA will ensure sensitive application data
exported from the database for import to remote databases or
applications is not provided to personnel or applications not
authorized or approved by the Information Owner.

5-68 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.3 DG0080: Application user privilege assignment review

Description: Users granted privileges not required to perform their assigned functions
are able to make unauthorized modifications to the production data or database. Monthly
or more frequent periodic review of privilege assignments assures that organizational
and/or functional changes are reflected appropriately.

Check:
Review policy, procedures and implementation evidence to determine if periodic
reviews of user privileges by the IAO are being performed. Evidence may consist
of email or other correspondence that acknowledges receipt of periodic reports
and notification of review between the DBA and IAO or other auditors as
assigned.

If policy and procedures are incomplete or no evidence of implementation exists,

this is a Finding.

Fix:
Implement policy and procedures for periodic review of database user accounts
and privilege assignments. Include methods to provide evidence of review in the
procedures to verify reviews occur in accordance with the procedures.

VKEY: V0003821 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.

5-69 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.4 DG0165: DBMS symmetric key management

Description: Symmetric keys used for encryption protect data from unauthorized access.
However, if not protected in accordance with acceptable standards, the keys themselves
may be compromised and used for unauthorized data access.

Check:
If the DBMS does not have Oracle Advanced Security installed or data encryption
is not required within the database, this check is NA.

If the symmetric key management procedures and configuration settings for the
DBMS are not specified in the System Security Plan, this is a Finding.

If the procedures are not followed with evidence for audit, this is a Finding.

NOTE: This check does not include a review of the key management procedures
for validity. Specific key management requirements may be covered under
separate checks.

Fix:
Symmetric and other encryption keys require the following:
- protection from unauthorized access in transit and in storage
- utilization of accepted algorithms
- generation in accordance with required standards for the key's use
- expiration date
- continuity - key backup and recovery
- key change
- archival key storage (as necessary)

Details for key management requirements are provided by FIPS key management
standards available from NIST. Oracle Advanced Security can be installed to
provide symmetric key management features if required.

VKEY: V0015654 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAKM Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.2.3
STIG Requirement: (DG0165: CAT II) The DBA will ensure symmetric keys used for
encryption of database user account passwords or other sensitive data
used by or for the DBMS are protected and managed in accordance
with NSA or NIST-approved key management technology and
processes.

5-70 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.5 DG0138: DBMS access to sensitive data

Description: Unauthorized access to sensitive data may compromise the confidentiality
of personnel privacy, threaten national security or compromise a variety of other sensitive
operations. Access controls are best managed by defining requirements based on distinct
job functions and assigning access based on the job function assigned to the individual
user.

Check:
If the database does not store or process sensitive data, this check is NA.

Review data access requirements for sensitive data as identified and assigned by
the Information Owner in the System Security Plan. Review the access controls
for sensitive data configured in the database.

If the configured access controls do not match those defined in the System
Security Plan, this is a Finding.

Fix:
Define, document and implement all sensitive data access controls based on job
function in the System Security Plan.

VKEY: V0015642 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.3.1
STIG Requirement: (DG0138: CAT II) The DBA will ensure all access to sensitive
application data stored or defined within database objects is granted
only to database application user roles and not directly to database
application user accounts.

5-71 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.6 DG0074: DBMS inactive accounts

Description: Unused or expired DBMS accounts provide a means for undetected,
unauthorized access to the database.

Check:
Review procedures and implementation for monitoring the DBMS for account
expiration and account inactivity. Verify implemented procedures are in place to
address expired/locked accounts not required for system/application operation are
authorized to remain and are documented.

Verify implemented procedures are in place to address accounts that are unlocked
and have been inactive in excess of 30 days are authorized to remain unlocked.

Verify implemented procedures are in place to address unauthorized, inactive

accounts after 30 days are expired and locked.

Verify implemented procedures are in place to address expired/locked accounts

that are not authorized to remain are dropped/removed/deleted.

A finding for this check would be based on insufficient documentation and

implemented procedures for monitoring DBMS accounts.

Fix:
Develop and implement procedures to monitor database accounts for inactivity
and account expiration. Investigate and re-authorize or delete [if appropriate] any
accounts that are expired or have been inactive for more than 30 days.

Where appropriate, protect authorized expired or inactive accounts by disabling

them or applying some other similar protection.

NOTE: Password and account requirements have changed for DoD since the
STIG requirement listed in the table for this check was published.

VKEY: V0015130 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: IAAC Check Database Responsibility: Documentable: False
Type: level: TrueDBA
Interview
Reference: Database STIG 3.3.24
STIG Requirement: (DG0074: CAT II) The DBA will monitor database account expiration
and inactivity and remove expired accounts and accounts that are
inactive for 35 days or longer or the site maximum limit.

5-72 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.7 DO0140: Oracle default account access

Description: The Oracle SYS account has all database privileges assigned to it
(SYSDBA). This account is used to manage the database availability status (startup and
shutdown). The SYS account is used by any DBMS account that connects to the database
with SYSDBA privileges. Direct use of the SYS account does not provide a level of
individual accountability for actions taken during its use and does not provide individual
accountability. To preserve accountability, direct access to the SYS account should be
logged manually and its use monitored closely.

Check:
Review the policy and procedures for use of the Oracle default accounts including
direct use of the Oracle SYS and SYSTEM accounts.

If a policy does not exist for their use, this is a Finding.

If procedures, automated or manual, for logging default account use are not
defined or implemented, this is a Finding.

If monitoring use of default accounts does not exist or is not implemented, this is
a Finding.

Fix:
Design and implement policy and procedures for use, logging and monitoring of
Oracle default accounts. Document the policy and procedures in the System
Security Plan and ensure that all those granted access to the accounts is aware of
them.

VKEY: V0002511 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAGA Check Database Responsibility: Documentable: False
Type: level: True IAO
Interview
Reference: Database STIG 3.2.1
STIG Requirement: (DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

5-73 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.8 DG0031: DBMS audit of changes to data

Description: Unauthorized or malicious changes to data compromise the integrity and
usefulness of the data. Auditing changes to data supports accountability and non-
repudiation. Auditing changes to data may be provided by the application accessing the
DBMS or may depend upon the DBMS auditing functions. When DBMS auditing is
used, the DBA is responsible for ensuring the auditing configuration meets the
application design requirements.

Check:
Review the System Security Plan for requirements for configuration of auditing
changes to database data.

If the application supports its own auditing requirements and does not require
auditing using DBMS features, this check is NA.

If the application requires DBMS auditing for changes to data, review the
database audit configuration against the application requirement.

If the auditing does not comply with the requirement, this is a Finding.

Fix:
Configure database data auditing to comply with the requirements of the
application.

VKEY: V0015133 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-C
IA Control: ECCD Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Reference: Database STIG 3.3.4
STIG Requirement: (DG0031: CAT II) The DBA will configure auditing of access or
changes to data in accordance with the application requirements
specified in the System Security Plan.

5-74 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

5.9 DG0135: DBMS connection alert

Description: Unauthorized access to DBMS accounts may go undetected if account
access is not monitored. Authorized users may serve as a reliable party to report
unauthorized use of their account.

Check:
If the database does not store or process classified data, or user accounts are
prohibited from accessing the database interactively, this check is NA.

NOTE: Per the STIG, The definition of an Interactive Database User can be
considered an end-user who accesses the database interactively using tools like
SQL*Plus, TOAD, etc. and not through a mid-tier application. Your DAA has the
option to consider administration accounts (SYSDBA, SYSOPER, SCHEMA
accounts and accounts assigned DBA privileges) as Interactive Database User
accounts for the purposes of this check. The definition of an Interactive Database
User should be documented in the System Security Plan.

Have the DBA perform an interactive logon test (via SQL*Plus) using a non-
privileged account (and a privileged account if privileged accounts meet this
requirement) to verify display of user access and account usage. If the last
successful and number of unsuccessful attempts since the last successful attempt
are not reported, this is a Finding.

Fix:
Implement an automated method to display at interactive logon the time and date
of the last successful login and the number of failed login attempts since the last
successful login for users that access the database interactively. This may require
a custom-developed logon trigger or procedure to accomplish.

NOTE: This may cause interaction/functionality problems with COTS

applications not designed for this kind of interaction.

VKEY: V0015641 Severity: CAT 2 Policy: All MAC/CONF: 1-C;2-

IA Control: ECLO
Reference:
STIG Requirement:
Policies C;3-C
Check Database Responsibility: Documentable: False
Type: level: True DBA
Interview
Database STIG 3.3.10
(DG0135: CAT II) For classified systems, the DBA will configure the
DBMS to report to the interactive database user upon successful
connection to the database the time and date of the last successful
connection and the number of unsuccessful attempts since the last
successful connection. Where not available in a DBMS configuration
setting, a custom logon trigger or similar function is required.

5-75 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

6. Oracle Database Manual Check Procedures

6.1 DG0060: DBMS shared account authorization

Description: Group authentication does not provide individual accountability for actions
taken on the DBMS or data. Whenever a single database account is used to connect to the
database, a secondary authentication method that provides individual accountability is
required. This scenario most frequently occurs when an externally hosted application
authenticates individual users to the application and the application uses a single account
to retrieve or update database information on behalf of the individual users.

Check:
From SQL*Plus:
select username from dba_users order by username;

Review the list of database account names to determine usage of all non-standard
account names or account names that do not appear to be assigned to individuals.
For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not
have the appearance of assignment to an individual interactive user. An account
name like JDOE appears to be assigned to an individual. Review the list of
account names against those listed in the System Security Plan or authorized user
list. Consult the IAO or DBA to make a final determination on whether accounts
are shared accounts or not.

If shared accounts are not documented as such and are not approved, this is a
Finding.

Fix:
Use accounts assigned to individual users where feasible. Design applications to
provide individual accountability (audit logs) for actions performed under a single
database account. Implement other DBMS automated procedures that provide
individual accountability. Where appropriate, implement manual procedures to
use manual logs and monitor entries against account usage to ensure procedures
are followed.

VKEY: V0002424 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: IAGA Check Database Responsibility: Documentable: False
Type: level: True DBA
Manual
Reference: Database STIG 3.2.1
STIG Requirement: (DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

6-76 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

6.2 DG0070: DBMS user account authorization

Description: Unauthorized user accounts provide unauthorized access to the database
and may allow access to database objects. Only authorized users should be granted
database accounts.

Check:
Review procedures for ensuring authorization of new or re-assigned DBMS user
accounts. Requests for user account access to the DBMS should include
documented approval by an authorized requestor. Procedures should also include
notification for a change in status, particularly cause for revocation of account
access, to any DBMS accounts.

Review the user accounts listed either in the script report or manually against the
authorized user list.

From SQL*Plus:
select username from dba_users order by username;

If procedures for DBMS user account authorization are incomplete or not

implemented, this is a Finding.

If any accounts listed are not clearly authorized, this is a Finding.

Fix:
Develop and implement procedures for authorizing creation, changes and
deletions of user accounts. Monitor user accounts to verify that they remain
authorized.

VKEY: V0002508 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAAC Check Database Responsibility: Documentable: False
Type: level: True DBA
Manual
Reference: Database STIG 3.3.24
STIG Requirement: (DG0070: CAT II) The DBA will ensure unauthorized database
accounts are removed or disabled.

6-77 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

6.3 DG0089: Developer DBMS privileges on production databases

Description: Developers play a unique role and represent a specific type of threat to the
security of the DBMS. Where restricted resources prevent the required separation of
production and development DBMS installations, developers granted elevated privileges
to create and manage new database objects must also be prevented from actions that can
threaten the production operation.

Check:
If this database is not a production database, this check is NA.

Review the privileges assigned to developer accounts. Identify login name of

developer DBMS accounts from the System Security Plan and/or DBA. For each
developer account, display the roles assigned to the account.

From SQL*Plus:
select granted_role from dba_role_privs where grantee=[developer account
name];

If privileges assigned to developer accounts are not restricted to development

objects and configurations, or authorizations to allow developer account access to
production objects and configurations does not exist in the System Security Plan,
this is a Finding.

Fix:
Revoke permissions and privileges that allow changes to the production system or
production objects from developer accounts or authorize permissions and
privileges for developer accounts in the System Security Plan.

VKEY: V0015114 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECPC Check Database Responsibility: Documentable: False
Type: level: True DBA
Manual
Reference: Database STIG 3.3.15
STIG Requirement: (DG0089: CAT III) The DBA will ensure application developer
database accounts are assigned limited privileges in order to protect
production application objects.

6-78 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

6.4 DG0100: Replication account privileges

Description: Replication accounts may be used to access databases defined for the
replication architecture. An exploit of a replication on one database could lead to the
compromise of any database participating in the replication that uses the same account
name and credentials. If the replication account is compromised and it has DBA
privileges, then the database is at additional risk to unauthorized or malicious action.

Check:
If the database is not configured for replication, this check is NA.

If any replication accounts are assigned DBA roles or roles with DBA privileges,
this is a Finding.

Fix:
Restrict privileges assigned to replication accounts to the fewest possible
privileges. Remove DBA roles from replication accounts. Create and use custom
replication accounts assigned least privileges for supporting replication
operations.

VKEY: V0015619 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: True DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0100: CAT II) The DBA will ensure database accounts used for
replication or distributed transactions are not granted DBA privileges.

6-79 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7. Oracle Database Verify Check Procedures

7.1 DG0166: Protection of DBMS asymmetric encryption keys

Description: Encryption is only effective if the encryption method is robust and the keys
used to provide the encryption are not easily discovered. Without effective encryption,
sensitive data is vulnerable to unauthorized access.

Check:
If the DBMS does not have Oracle Advanced Security installed or data encryption
is not required within the database, this check is NA.

For each asymmetric key identified as being used to encrypt sensitive data, verify
the key owner is an application object owner or other non-DBA account.

If the key owner listed is a DBA, this is a Finding.

If any key owner is not the application object owner account or an account
specific to the application as documented in the System Security Plan, this is a
Finding.

If any asymmetric keys whose private key is not encrypted exist in the database,
this is a Finding.

Review the access permissions to asymmetric keys. Verify that any permission
granted is authorized in the System Security Plan for access to the key.

Examine evidence that an audit record is created whenever the asymmetric key is
accessed by other than authorized users. In particular, view evidence that access
by a DBA or other system privileged account results in the generation of an audit
record. This is required because system privileges that allow access to encryption
keys may be used to access sensitive data where the privileged user does not have
a job function need-to-know the data.

If an audit record is not generated for unauthorized access to the asymmetric key,
this is a Finding.

Fix:
Use DoD code-signing certificates to create asymmetric keys stored in the
database that are used to encrypt sensitive data stored in the database. Assign the
application object owner account as the owner of asymmetric keys used by the
application.

Create audit events for access to the key by other than the application owner
account or approved application objects.

7-80 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Revoke any privileges assigned to the asymmetric key to other than the
application object owner account and authorized users.

Protect the private key by encrypting it with the database system master key
where available. Where available, store encryption keys and certificates on
hardware security modules (HSM).

VKEY: V0015142 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAKM Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.2.3
STIG Requirement: (DG0166: CAT II) The DBA will ensure asymmetric keys used for
encryption of sensitive data used by or for the DBMS use DoD PKI
certificates and will ensure the private keys are protected and stored in
accordance with NIST (unclassified data protection) or NSA
(classified data protection)-approved key management technology and
processes.

7-81 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.2 DO0233: Oracle DIAGNOSTIC_DEST parameter

Description: The DIAGNOSTIC_DEST is used to indicate the directory where trace,
alert, core and incident directories and files are located. The files may contain sensitive
data or information that could prove useful to potential attackers.

Check:
If the Oracle version is not 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='diagnostic_dest';

On UNIX Systems:
ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL
command.

If permissions are granted for world access, this is a Finding.

If any groups that include members other than the Oracle process and software
owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any account other than
the Oracle process and software owner accounts, Administrators, DBAs, System
group or developers authorized to write and debug applications on this database
are listed, this is a Finding.

Fix:
Alter host system permissions to the DIAGNOSTIC_DEST directory to the
Oracle process and software owner accounts, DBAs, SAs (if required) and
developers or other users that may specifically require access for debugging or
other purposes.

Authorize and document user access requirements to the directory outside of the
Oracle, DBA and SA account list.

7-82 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015747 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data
directories including transaction log and audit files in dedicated
directories or disk partitions separate from software or other
application files.

7-83 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.3 DO0234: Oracle AUDIT_FILE_DEST parameter

Description: The AUDIT_FILE_DEST parameter specifies the directory where the
database audit trail file is stored (when AUDIT_TRAIL parameter is set to ‘OS’, ‘xml’ or
‘xml, extended’ where supported by the DBMS). Unauthorized access or loss of integrity
of the audit trail could result in loss of accountability or the ability to detect suspicious
activity. This directory also contains the audit trail of the SYS and SYSTEM accounts
that captures privileged database events when the database is not running (when
AUDIT_SYS_OPERATIONS parameter is set to TRUE).

Check:
From SQL*Plus:
select value from v$parameter where name = 'audit_trail';
select value from v$parameter where name = 'audit_file_dest';

If audit_trail is NOT set to (per MetaLink Note 30690.1):

Oracle 8.1 = 'true', 'os' (true = os for backward compatibility)

Oracle 9.2 = 'true', 'os'
Oracle 10.1 = 'true', 'os'
Oracle 10.2 = 'true', 'os', 'xml', 'xml, extended'
Oracle 11.1 = 'true', 'os', 'xml', 'xml, extended'

This check is NA.

On UNIX Systems:
ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL
command for audit_file_dest.

If permissions are granted for world access, this is a Finding.

If any groups that include members other than the Oracle process and software
owner accounts, DBAs, auditors, or backup accounts are listed, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab. On Windows hosts, records are also written to
the Windows application event log. The location of the application event log is
listed under Properties for the log under the Windows console. The default
location is C:\WINDOWS\system32\config\EventLogs\AppEvent.Evt.

If permissions are granted to everyone, this is a Finding. If any accounts other

than the Administrators, DBAs, System group, auditors or backup operators are
listed, this is a Finding.
7-84 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Fix:
Alter host system permissions to the AUDIT_FILE_DEST directory to the Oracle
process and software owner accounts, DBAs, backup accounts, SAs (if required)
and auditors.

Authorize and document user access requirements to the directory outside of the
Oracle, DBA and SA account list in the System Security Plan.

VKEY: V0003850 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECTP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.22
STIG Requirement: (DG0032: CAT II) The DBA will ensure DBMS audit records are
protected from unauthorized access.

7-85 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.4 DO0235: Oracle USER_DUMP_DEST parameter

Description: The USER_DUMP_DEST parameter is used to indicate the directory
where files used for debugging applications will be stored. These files may contain
sensitive data or information that could prove useful to potential attackers.

Check:
If the Oracle version is 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='user_dump_dest';

On UNIX systems:
ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL
command.

If permissions are granted for world access, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any account other than
the Oracle process and software owner accounts, Administrators, DBAs, System
group or developers authorized to write and debug applications on this database
are listed, this is a Finding.

Fix:
Alter host system permissions to the USER_DUMP_DEST directory to the Oracle
process and software owner accounts, DBAs, SAs if required, and developers or
other users that may specifically require access for debugging or other purposes.

Authorize and document user access requirements to the directory outside of the
Oracle, DBA and SA account list in the System Security Plan.

7-86 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003851 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data
directories including transaction log and audit files in dedicated
directories or disk partitions separate from software or other
application files.

7-87 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.5 DO0236: Oracle BACKGROUND_DUMP_DEST parameter

Description: The BACKGROUND_DUMP_DEST is used to indicate the directory
where files used for storing alert files as well as debugging information from the Oracle
background processes. These files may contain sensitive data or information that could
prove useful to potential attackers.

Check:
If the Oracle version is 11.1 or later, this check is NA.

From SQL*Plus:
Select value from v$parameter where name='background_dump_dest';

On UNIX Systems:
ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL
command.

If permissions are granted for world access, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any account other than
the Oracle process and software owner accounts, Administrators, DBAs, System
group or developers authorized to write and debug applications on this database
are listed, this is a Finding.

Fix:
Alter host system permissions to the BACKGROUND_DUMP_DEST directory
to the Oracle process and software owner accounts DBAs, SAs if required, and
developers or other users that may specifically require access for debugging or
other purposes.

Authorize and document user access requirements to the directory outside of the
Oracle, DBA and SA account list.

7-88 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003852 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data
directories including transaction log and audit files in dedicated
directories or disk partitions separate from software or other
application files.

7-89 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.6 DO0237: Oracle CORE_DUMP_DEST parameter

Description: The CORE_DUMP_DEST parameter indicates the directory for storing
database core dump data. A ‘core dump’ occurs during an Oracle abend or database
crash. These files may contain sensitive data or information that could prove useful to
potential attackers.

Check:
If the Oracle version is 11.1 or later, this check is NA.

From SQL*Plus:
select value from v$parameter where name='core_dump_dest';

If no value is listed, then Oracle defaults to the $ORACLE_HOME/dbs directory

(UNIX) or %ORACLE_HOME%\database directory (Windows) for storing core
dumps.

On UNIX Systems:
ls -ld [pathname]

Substitute [pathname] with the directory path listed from the above SQL
command.

If permissions are granted for world access, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any account other than
the Oracle process and software owner accounts, Administrators, DBAs, System
group or developers authorized to write and debug applications on this database
are listed, this is a Finding.

Fix:
Alter host system permissions to the CORE_DUMP_DEST directory to the
Oracle process and software owner accounts, DBAs, SAs (if required) and
developers or other users that may specifically require access for debugging or
other purposes.

Authorize and document user access requirements to the directory outside of the
Oracle, DBA and SA account list in the System Security Plan.

7-90 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003853 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data
directories including transaction log and audit files in dedicated
directories or disk partitions separate from software or other
application files.

7-91 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.7 DO0238: Oracle LOG_ARCHIVE_DEST parameter

Description: The LOG_ARCHIVE_DEST parameter is used to specify the directory to
which Oracle archive logs are written. Where the DBMS availability and recovery to a
specific point in time is critical, the protection of archive log files is critical. Archive log
files may also contain unencrypted sensitive data. If written to an inadequately protected
or invalidated directory, the archive log files may be accessed by unauthorized persons or
processes.

Check:
From SQL*Plus:
select log_mode from v$database;
select value from v$parameter where name = 'log_archive_dest';
select value from v$parameter where name = 'log_archive_duplex_dest';

If the value returned in the first SQL statement is NOARCHIVELOG, this check
is NA.

On UNIX Systems:
ls -ld [pathname]

Substitute [pathname] with the directory paths listed from the above SQL
statements for log_archive_dest and log_archive_duplex_dest.

If permissions are granted for world access, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any account other than
the Oracle process and software owner accounts, Administrators, DBAs, System
group or developers authorized to write and debug applications on this database
are listed, this is a Finding.

Fix:
Specify a valid and protected directory for archive log files. Restrict access to the
Oracle process and software owner accounts, DBAs, and backup operator
accounts.

7-92 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003854 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0111: CAT II) The DBA will install and maintain database data
directories including transaction log and audit files in dedicated
directories or disk partitions separate from software or other
application files.

7-93 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.8 DG0112: DBMS data file protection

Description: In Oracle, DBMS data files have different access control requirements than
application data and log files. Granting file access to DBMS data files for purposes other
than system operations could lead to a compromise of the DBMS integrity or disclosure
of sensitive data.

Check:
From SQL*Plus:
select file_name from dba_data_files
where tablespace_name='SYSTEM';

NOTE: Data files for a given database instance may include data files (*.dbf),
REDO log files (redo*.log) and CONTROL files (*.ctl).

Review the files in the directory shown above. Allowable files are instance
database files (*.dbf), REDO log files (redo*.log) and CONTROL files (*.ctl). If
any files other than these exist in the directory, this is a Finding.

A good best practice (not consistently endorsed by the Oracle community) is on

database creation, using separate subdirectories for data, redo and control files
[under the instance name directory] instead of using a single directory to contain
all Oracle data, redo and control instance files.

Fix:
Create a dedicated directory or dedicated subdirectories to store database instance
files. Reconfigure the Oracle instance to point to the files in the new locations.

Where feasible, locate database instance files on a dedicated disk partition and/or
RAID device to provide additional protection.

VKEY: V0015623 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0112: CAT II) The DBA will ensure DBMS data files that store
DBMS system tables and other system objects dedicated to support
the entire DBMS are not shared with data files used for storage of
third-party application database objects.

7-94 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.9 DO0275: Oracle critical file access

Description: The Oracle parameter file contains configuration settings that are applied
to the database at database and instance startup. Unauthorized changes to these
parameters could lead to a compromise of the database security posture. Oracle data and
redo log files contain the data and transaction information that support the database use.
Unauthorized access to these files bypasses access controls defined and enforced by the
DBMS itself and can lead to a loss of confidentiality and integrity.

Check:
Review file permissions defined for critical files.

Review the file permissions on the Binary initialization parameter file (the default
name is spfile[SID].ora). Binary initialization parameter files are by default
located in the $ORACLE_HOME/dbs directory (UNIX) or
%ORACLE_HOME%\database directory (Windows).

From SQL*Plus:
select value from v$parameter where name='spfile';
select member from v$logfile;
select name from v$datafile;
select name from v$controlfile;

Check directory and file permissions for the files returned by the SQL commands
above, for the files located in the $ORACLE_HOME/network/admin directory
(UNIX) or %ORACLE_HOME%\network\admin directory (Windows) and the
directory specified by the TNS_ADMIN environment variable, if defined.

On UNIX systems:

ls –ld [pathname]

If permissions are granted for world access, this is a Finding. If any groups that
include members other than the Oracle process and software owner accounts,
DBAs, auditors, or backup accounts are listed, this is a Finding.

On Windows Systems (From Windows Explorer):

Browse to the directory specified. Select and right-click on the directory, select
Properties, select the Security tab.

If permissions are granted to everyone, this is a Finding. If any accounts other

than the Oracle process and software owner accounts, Administrators, DBAs,
System groups, auditors, or backup accounts are listed, this is a Finding.

Fix:

7-95 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Set UNIX permissions on critical files to 640 or more restrictive. Check group
membership of the group assigned access permissions to the database software to
verify all members are authorized to have the assigned access.

Set Windows permissions to Full Control assigned to the Administrators, the

Oracle service account and DBAs.

VKEY: V0003858 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.1
STIG Requirement: (DG0122: CAT II) The DBA will ensure all access to sensitive
administrative DBMS data stored inside the database and in external
host files is granted only to DBA and other authorized administrative
database and OS accounts.

7-96 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.10 DG0015: Data Definition Language use

Description: Application users by definition and job function require only the
permissions to manipulate data within database objects and execute procedures within the
database. The statements used to define objects in the database are referred to as Data
Definition Language (DDL) statements and include the CREATE, DROP, and ALTER
object statements. (DDL statements do not include CREATE USER, DROP USER or
ALTER USER actions.) This requirement is included here as a production system would
not support by definition changes to the data definitions. Where object creation is an
indirect result of DBMS operation or dynamic object structures are required by the
application function as is found in some object-oriented DBMS applications, this
restriction does not apply. Re-use of static data structures to recreate temporary data
objects are not exempted.

Check:
From SQL*Plus (SPOOL output to file before executing):
select owner,object_name,created from dba_objects where owner <>'SYS'
order by created,owner,object_name;

View the list of objects retuned. If any object-creation dates do not coincide with
the software maintenance and upgrade logs or are not objects documented as
supporting dynamic object creation functions, then investigate the circumstances
under which the object was created. If the object is created using static definitions
to store temporary data or indicates that the application uses unauthorized DDL
statements, this is a Finding.

Fix:
Coordinate with the application designer to modify the application to use static
objects with temporary data rather than using temporary objects. Document
known object creation that supports dynamic object

VKEY: V0003727 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECSD Check Database Responsibility: Documentable: False
Type: level: True IAO
Verify
Reference: Database STIG 3.3.20
STIG Requirement: (DG0015: CAT III) The IAO will ensure database applications do not
use DDL statements except where dynamic object structures are
required.

7-97 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.11 DO0157: Oracle storage use privileges

Description: Tablespace storage quotas allow limits on storage use to be assigned to
Oracle database users. Although this does not grant the user the privilege to create objects
within the database, it provides an additional method to restrict unauthorized object
creation and ownership.

Check:
From SQL*Plus:
select username,tablespace_name from dba_ts_quotas
where username not in (select distinct owner from dba_objects)
and username not in
(select grantee from dba_role_privs where granted_role='DBA');

Review the list of user names returned. If any belong to application users or
application administrators, this is a Finding.

Fix:
Assign tablespace quotas only to database accounts authorized to create and or
own objects in the database. Document authorized tablespace quotas for all
accounts authorized to own objects in the System Security Plan. Remove any
quotas assigned to application users, application administrators, or any other
unauthorized accounts.

From SQL*Plus:
alter user [username] quota 0 on [tablespace name];

Replace [username] with the named user and [tablespace name] with the
identified tablespace name.

VKEY: V0003847 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0119: CAT II) The DBA will ensure database application user
roles are restricted to select, insert, update, delete and execute
privileges.

7-98 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.12 DO0350: Oracle system privilege assignment

Description: System privileges allow system-wide changes to the database or database
objects. Unauthorized use of system privileges may jeopardize production applications,
application data, or the database configuration and operation.

Check:
From SQL*Plus:
select grantee||': '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION'
and grantee not in
('PUBLIC','AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE','CTXSYS',
'DBA','DELETE_CATALOG_ROLE','EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS',
'HS_ADMIN_ROLE','IMP_FULL_DATABASE',
'LOGSTDBY_ADMINISTRATOR','MDSYS','ODM','OEM_MONITOR',
'OLAPSYS','ORDSYS','OUTLN','MTSSYS',
'RECOVERY_CATALOG_OWNER','SELECT_CATALOG_ROLE',
'SNMPAGENT','SYSTEM','WKSYS','WKUSER','WMSYS',
'WM_ADMIN_ROLE','XDB','ANONYMOUS','CONNECT','DBSNMP',
'JAVADEBUGPRIV','ODM_MTR','OLAP_DBA','ORDPLUGINS',
'RESOURCE','RMAN','SYS','WKPROXY','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','OSE$HTTP$ADMIN',
'TIMESERIES_DBA','TIMESERIES_DEVELOPER','OLAP_USER')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in
(select username from dba_users where upper(account_status) like
'%LOCKED%');

If any records are returned, perform the following instructions for this check to
determine the finding status.

Review the list of active non-DBA accounts and roles granted system privileges.
Any accounts listed as authorized for checks DO0340 (Oracle application
administration roles enablement), DO0150 (Oracle object ownership) are not a
Finding.

On a production database, confirm that any accounts listed with create user, alter
user, drop user belong to authorized application administration roles. On a
development system, ensure that system privileges assigned to developers are
justified and authorized by the IAO.

If any unauthorized, unjustified or undocumented application user roles or

accounts are listed, this is a Finding.

7-99 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Fix:
Document and justify system privileges assigned to users/roles in the System
Security Plan and authorize with the IAO. Remove unauthorized or unjustified
system privileges from user accounts or roles.

From SQL*Plus:
revoke [privilege] from [user or role name];

Replace [privilege] with the named privilege and [user or role name] with the
identified user or role.

VKEY: V0003439 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True IAO
Verify
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role
assignments are restricted to IAO-authorized accounts.

7-100 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.13 DO3622: Oracle roles granted WITH ADMIN OPTION

Description: The WITH ADMIN OPTION allows the grantee to grant a role to another
database account. Best security practice restricts the privilege of assigning privileges to
authorized personnel. Authorized personnel include DBA's, object owners, and, where
designed and included in the application's functions, application administrators.
Restricting privilege-granting functions to authorized accounts can help decrease
mismanagement of privileges and wrongful assignments to unauthorized accounts.

Check:
From SQL*Plus:
select grantee||': '||granted_role from dba_role_privs
where grantee not in
('DBA','SYS','SYSTEM','WKSYS','LBACSYS','WMSYS',
'OWBSYS','CTXSYS','SPATIAL_CSW_ADMIN_USR',
'SPATIAL_WFS_ADMIN_USR','FLOWS_030000')
and admin_option='YES'
and grantee not in (select distinct owner from dba_objects)
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

Review the System Security Plan to confirm any grantees listed are IAO-
authorized DBA accounts or application administration roles.

If any grantees listed are not authorized and documented, this is a Finding.

Fix:
Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized
grantees and re-grant them without the option if required. Restrict use of the
WITH ADMIN OPTION to authorized administrators. Document authorized role
assignments with the WITH ADMIN OPTION in the System Security Plan.

From SQL*Plus:
revoke [role name] from [grantee];
grant [role name] to [grantee];

VKEY: V0002574 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0080: CAT II) The DBA will ensure privileges granted to
application user database accounts are restricted to those required to
perform the specific application functions.
7-101 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.14 DG0077: Production data protection on a shared system

Description: Developers granted elevated database, operating system privileges on
systems that support both development, and production databases can affect the operation
and/or security of the production database system. Operating system and database
privileges assigned to developers on shared development and production systems should
be restricted.

Check:
Review the list of instances and databases installed on the host system with the
DBA. Ask which databases are production databases and which are for
development.

For UNIX systems, use the ps -ef|grep pmon command to see the list of
databases; For Windows systems, review the list of services beginning with the
name OracleService to see the list of databases. Ask which databases are
production databases and which are for development. If only development or only
production databases exist on this host, this check is NA.

Otherwise, ask the DBA to confirm that policy and procedures are in place for the
IAO to review database and operating system privileges on the system to ensure
developer accounts do not have access to production DBMS systems. If none is in
place, this is a Finding.

Ask the DBA/SA if developer host accounts have been granted privileges to
production database directories, files or resources. If they have been, this is a
Finding.

From SQL*Plus:
select grantee||': '||privilege from dba_sys_privs
where (privilege like 'CREATE%' or privilege like 'ALTER%'
or privilege like 'DROP%')
and privilege<>'CREATE SESSION'
and grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW',
'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN',
'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM',
'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER',
'WMSYS','XDB')
order by grantee;

If any accounts are listed that are not on the list of IAO approved production
DBAs, this is a Finding.
7-102 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Fix:
Establish and implement procedures to review and maintain privileges granted to
developers on shared production and development host systems and databases.

VKEY: V0003820 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0077: CAT II) The DBA will ensure developers are not granted
system privileges within a production database.

7-103 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.15 DO0150: Oracle object ownership

Description: Database object ownership implies full privileges to the owned object
including the privilege to assign access to the owned objects to other subjects.
Unmanaged or uncontrolled ownership of objects can lead to unauthorized object grants
and alterations.

Check:
From SQL*Plus (NOTE: The owner list below is a short list of all possible default
Oracle accounts):
select distinct owner from dba_objects
where owner not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED',
'CTXSYS','DBSNMP','DIP','DVF','DVSYS',
'EXFSYS','LBACSYS','MDDATA',
'MDSYS','MGMT_VIEW','ODM','ODM_MTR',
'OLAPSYS','ORDPLUGINS', 'ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT',
'PUBLIC','REPADMIN','RMAN','SI_INFORMTN_SCHEMA',
'SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYSWK_TEST','WKPROXY','WKSYS',
'WKUSER','WMSYS','XDB')
and owner not in
(select grantee from dba_role_privs where granted_role='DBA');

If any records are returned, then confirm that any database object owner accounts
listed are application owner accounts authorized by the IAO. If any are not, this is
a Finding.

NOTE: Confirmed default Oracle accounts returned by the SQL statement above
should be considered a false positive. See Oracle MetaLink Note 160861.1 for a
current list of default accounts.

NOTE: Some applications may be designed to require users to create temporary

tables during application execution. This design is not considered good security
practice and results in a Finding for unauthorized application object owners as
application user accounts are not allowed to have system privileges assigned
(CREATE TABLE, etc.) nor allowed to own objects in the database. One possible
suggestion for resolving this issue is to have the application object owner create a
static table for user temporary data storage. All users would share the same table.

Fix:
Document all authorized application object owner accounts. Use only authorized
application object owner accounts to install and maintain application database

7-104 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

objects. Revoke privileges to create, drop, replace or alter application objects

from unauthorized application object owners.

VKEY: V0002512 Severity: CAT 2 Policy: MAC/CONF: 1-

Platinum CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0008: CAT II) The DBA will ensure database application objects
are owned by an authorized application object owner account.

7-105 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.16 DO0190: Oracle audit table ownership

Description: Audit data is frequently targeted by malicious users as it can provide a
means to detect their activity. The protection of the audit trail data is of special concern
and requires restrictions to allow only the auditor and DBMS backup, recovery, and
maintenance users access to it.

Check:
From SQL*Plus:
select owner from dba_tables where table_name='AUD$';

If the owner account returned is not SYS or SYSTEM, this is a Finding. If the
AUD$ tables does not exist, this is a Finding.

Fix:
Recreate the audit table while logged in as SYS or SYSTEM.

VKEY: V0002515 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECTP Check Database Responsibility: Documentable: False
Type: Auto level: True DBA
Reference: Database STIG 3.3.22
STIG Requirement: (DG0032: CAT II) The DBA will ensure DBMS audit records are
protected from unauthorized access.

7-106 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.17 DO0231: Oracle application object owner tablespaces

Description: Separation of tablespaces by application helps to protect the application
from resource contention and unauthorized access that could result from storage space
reuses or host system access controls. Application data should be stored separately from
system and custom user-defined objects to facilitate administration and management of
its data storage. The SYSTEM tablespace should never be used for application data
storage in order to prevent resource contention and performance degradation.

Check:
From SQL*Plus:
select distinct owner,tablespace_name
from dba_tables
where owner not in
('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM',
'ODM_MTR','MDSYS','ORDSYS','WMSYS','RMAN','XDB')
and tablespace_name is not NULL
and (owner, table_name) not in
(select owner, table_name from dba_external_tables)
order by tablespace_name;

Review the list of returned table owners with the tablespace used. If any of the
owners listed are not default Oracle accounts and use the SYSTEM or any other
tablespace not dedicated for the application’s use, this is a Finding.

Look for multiple applications that may share a tablespace. If no records were
returned, ask the DBA if any applications use this database. If no applications use
the database, this is not a Finding.

If there are applications that do use the database and if the application uses the
SYS or other default account and SYSTEM tablespace to store its objects, this is a
Finding.

Fix:
Create and assign dedicated tablespaces for the storage of data by each application
using the CREATE TABLESPACE command.

VKEY: V0003849 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.6
STIG Requirement: (DG0113: CAT II) The DBA will ensure database data files used by
third-party applications are defined and dedicated for each application.

7-107 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.18 DO0310: Oracle system data and table access

Description: System tables and DBA views contain information such as user, system
and data that could lead to unauthorized access. Revoke any privileges granted to non-
DBA accounts that provide direct access to objects owned by SYS or access to DBA
views (DBA_%).

Check:
From SQL*Plus:
select grantee,privilege,owner,table_name from dba_tab_privs
where (owner='SYS' or table_name like 'DBA_%')
and privilege <> 'EXECUTE'
and grantee not in
('PUBLIC','AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
'AURORA$JIS$UTILITY$','OSE$HTTP$ADMIN','TRACESVR',
'CTXSYS','DBA','DELETE_CATALOG_ROLE',
'EXECUTE_CATALOG_ROLE','EXP_FULL_DATABASE',
'GATHER_SYSTEM_STATISTICS','HS_ADMIN_ROLE',
'IMP_FULL_DATABASE','LOGSTDBY_ADMINISTRATOR','MDSYS',
'ODM','OEM_MONITOR','OLAPSYS','ORDSYS','OUTLN',
'RECOVERY_CATALOG_OWNER','SELECT_CATALOG_ROLE',
'SNMPAGENT','SYSTEM','WKSYS','WKUSER','WMSYS',
'WM_ADMIN_ROLE','XDB','LBACSYS','PERFSTAT','XDBADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

If no accounts or roles are listed, this is not a Finding.

Verify that accounts/roles listed have been authorized by the IAO.

NOTE: Any accounts created and assigned privileges by Oracle product

installations do not require authorization by the IAO. The exclusion list provided
in this check is subject to changes or additions made by updates to Oracle
products. Non-Oracle products should not be assigned access to Oracle system
data and tables, however, if required, document requirement in the System
Security Plan and ensure authorization by the IAO.

Fix:
Revoke unauthorized access to system tables and data.

From SQL*Plus:
revoke [object privilege] on [system object name] from [account name or role];

7-108 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003436 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.1
STIG Requirement: (DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

7-109 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.19 DO3446: Oracle audit record access

Description: Audit data may contain confidential information such as usernames and
passwords. Unauthorized changes or deletion of audit data could compromise its
usefulness. To help maintain the integrity of audit data and the confidentiality of its
contents, access to it should be restricted to authorized security/security maintenance
personnel.

Check:
From SQL*Plus:
select value from v$parameter where name='audit_trail';

If one of the following values is displayed:

Oracle 8.1.6 – 11.1 = 'db'

Oracle 10.1 & 11.1 = 'db_extended'
Oracle 10.2 = 'db, extended'

Review access granted to the AUD$ table.

From SQL*Plus:
select grantee from dba_tab_privs
where table_name='AUD$'
and grantee not in ('DELETE_CATALOG_ROLE')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

View access granted to the AUD$ table against those authorized in the System
Security Plan. If any are not authorized, this is a Finding.

Fix:
Document and authorize accounts granted access to the AUD$ table in the System
Security Plan. Revoke access permissions granted to the AUD$ table from
unauthorized users.

VKEY: V0002530 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECTP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.22
STIG Requirement: (DG0032: CAT II) The DBA will ensure DBMS audit records are
protected from unauthorized access.

7-110 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.20 DO0340: Oracle application administration roles enablement

Description: Application administration roles, which are assigned system or elevated
application object privileges, should be protected from default activation. Application
administration roles are determined by system privilege assignment (create / alter / drop
user) and application user role ADMIN OPTION privileges.

Check:
From SQL*Plus:
select grantee,granted_role from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
('DBA','SYS','SYSTEM','CTXSYS','DBA','IMP_FULL_DATABASE',
'MDSYS','SYS','WKSYS')
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like
'%LOCKED%');

Review the list of accounts reported for this check and ensures that they are
authorized application administration roles. If any are not authorized application
administration roles, this is a Finding.

Fix:
For each role assignment returned, issue:
alter user [username] default role all except [role];

If the user has more than one application administration role assigned, then you
will have to remove assigned roles from default assignment and assign
individually the appropriate default roles.

VKEY: V0003438 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.4.2
STIG Requirement: (DG0105: CAT II) The DBA will ensure all database application user
roles and the privileges assigned to them are authorized by the
Information Owner in the AIS functional architecture documentation.

7-111 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.21 DO3440: Oracle DBA role assignment

Description: The DBA role is very powerful and access to it should be restricted. Verify
that any database account granted the DBA role is explicitly authorized by the IAO. In
addition to full access to database objects, access to the DBA role by unauthorized
accounts may provide full access to the server. Verify that individual DBA accounts are
created for each DBA and that the DBA accounts are used only for DBA functions.

Check:
From SQL*Plus:
select grantee from dba_role_privs
where granted_role='DBA'
and grantee not in
('SYS','SYSTEM','SYSMAN');

If any accounts are listed, review against the list of DBA accounts authorized by
the IAO in the System Security Plan.

If any accounts are assigned the DBA role and are not authorized by the IAO, this
is a Finding.

If any DBA roles are assigned to developer accounts and this is a production
database, this is a Finding.

If DBAs do not have individually assigned DBA accounts, this is a Finding.

Fix:
Authorize and document all DBA role authorizations in the System Security Plan.
Revoke DBA role membership from unauthorized accounts. Revoke DBA role
membership from any accounts assigned to a developer job function on a shared
production/development database.

VKEY: V0002527 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True IAO
Verify
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0116: CAT II) The IAO will ensure database privileged role
assignments are restricted to IAO-authorized accounts.

7-112 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.22 DG0071: Password change variance

Description: Changing passwords frequently can thwart password-guessing attempts or
re-establish protection of a compromised DBMS account. Minor changes to passwords
may not accomplish this as password guessing may be able to continue to build on
previous guesses or the new password may be easily guessed using the old password.

Check:
If no DBMS accounts authenticate using passwords, this check is NA.

Confirm that database profiles specify a password verify function.

From SQL*Plus:
select distinct limit from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
order by limit;

Review the code for the password verify function or have the DBA demonstrate a
password change to ensure that the function requires new passwords to differ
from old passwords by more than 4 characters.

If reviewing code, logic similar to the following should be discovered:

-- Check if the password differs from the previous password

-- by more than 4 characters

<<endsearch>>
if old_password is not null then
differ:=length(old_password) - length(password);

if abs(differ) < 4 then

if length(password) < length(old_password) then
m:=length(password);
else
m:=length(old_password);
end if;

differ:=abs(differ);
for i in 1..m loop
if substr(password,i,1) != substr(old_password,i,1) then
differ:=differ + 1;
end if;
end loop;

if differ < 4 then

7-113 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

raise_application_error(-20004, 'Password should differ by more than 4

characters');
end if;
end if;
end if;

If any password_verify_function routines do not check for a difference of more

than 4 characters, this is a Finding.

Fix:
Define and apply a password_verify_function for all profiles where passwords are
used to authenticate accounts. See Fix information for DO3504 to create a
password_verify_function that meets STIG requirements.

VKEY: V0003815 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.2.2.2
STIG Requirement: (DG0071: CAT II) The DBA will ensure database passwords differ
from previous values by more than 4 characters when changed where
supported by the DBMS.

7-114 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.23 DG0072: DBMS password change time limit

Description: Frequent password changes may indicate suspicious activity or attempts to
bypass password controls based on password histories. Limiting the frequency of
password changes helps to enforce password change rules and can lead to the discovery
of compromised accounts.

Check:
If no DBMS accounts authenticate using passwords, this check is NA.

Confirm that database profiles specify a password verify function.

From SQL*Plus:
select distinct limit from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
order by limit;

Review the code for the password verify function or have the DBA demonstrate a
password change to ensure that the function prevents users from changing their
passwords within 24 hours of the last password change.

If reviewing code, logic similar to the following should be discovered:

-- Check if the password has been changed within the last 24 hours

select ctime into pw_change_time from user$

where name = username;

if sysdate - pw_change_time < 1 then

raise_application_error(-20001, 'Password was changed too recently',FALSE);
end if;

If any password_verify_function routines do not check for password changes

within 24 hours of the last password change, this is a Finding.

Fix:
Define and apply a password_verify_function for all profiles where passwords are
used to authenticate accounts. See Fix information for DO3504 to create a
password_verify_function that meets STIG requirements.

7-115 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015612 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: IAIA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Database STIG 3.2.2.2
(DG0072: CAT II) The DBA will ensure users are not allowed to
change their database account passwords more than once every 24
hours without IAO approval where supported by the DBMS. (This
requirement does not apply to password changes after password reset
actions initiated by the DBA or application administrator).

7-116 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.24 DG0127: DBMS account password easily guessed

Description: DBMS account passwords set to easily guessed common dictionary words
or values render accounts vulnerable to password guessing attacks and unauthorized
access.

Check:
If no DBMS accounts authenticate using passwords (rare), this check is NA.

Confirm that database profiles specify a password verify function.

From SQL*Plus:
select distinct limit from dba_profiles
where resource_name= 'PASSWORD_VERIFY_FUNCTION'
order by limit;

Review the code for the password verify function or have the DBA demonstrate a
password change to ensure that the function does not accept passwords that are
the same as the username, the name of the database or instance name.

If reviewing code, logic similar to the following should be discovered:

-- Check if the password is too simple. A dictionary of words may be

-- maintained and a check may be made so as not to allow the words
-- that are too simple for the password.
if nls_lower(password) in
('welcome','database','account','user','password','oracle','computer','abcdefgh',
'12345') then
raise_application_error(-20002, 'Password too simple');
end if;

If any password_verify_function routines do not check for simple passwords, this

is a Finding.

Check also to ensure all password-authenticated accounts specify a

password_verify_function.

From SQL*Plus:
select distinct profile from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
and (limit is NULL or limit = NULL);

If any profiles are returned that are used by password-authenticated accounts, this
is a Finding.

To view the names of password-authenticated accounts.

7-117 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

From SQL*Plus:
select name from user$ where password is not NULL;

Fix:
Define and apply a password_verify_function for all profiles where passwords are
used to authenticate accounts. See Fix information for DO3504 to create a
password_verify_function that meets STIG requirements.

VKEY: V0015634 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.2.2.2
STIG Requirement: (DG0127: CAT II) The DBA will configure or test database account
passwords to prevent use of easily guessed or discovered values.

7-118 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.25 DO0160: Oracle application object owner accounts

Description: Object owners are implicitly granted full permissions and privileges to the
objects they own. These accounts are also granted elevated privileges within the database
to permit them to create and manage their objects. These accounts should be protected
from daily use by disabling them. After application installation, these accounts should be
used only for software update and maintenance.

Check:
From SQL*Plus (NOTE: The owner list below is a short list of all possible default
Oracle accounts):
select distinct owner from dba_objects, dba_users
where owner not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP','DVF',
'DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW','ODM',
'ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN',
'OUTLN','PERFSTAT','PUBLIC','REPADMIN','RMAN',
'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB')
and owner = username
and upper(account_status) not like '%LOCKED%';

To obtain a list of users assigned DBA privileges.

From SQL*Plus:
select grantee from dba_role_privs where granted_role=’DBA’;

If any records are returned, then verify the account is an authorized application
object owner account or a default account installed to support an Oracle product.

Verify that any objects owned by custom DBA accounts are for the personal use
of that DBA. If any objects are used to support applications or any functions other
than DBA functions, this is a Finding.

Any unauthorized object owner accounts are not a finding under this check as
they are noted as findings under check DO0150.

Any other accounts listed are a Finding.

Fix:
Disable any application object owner accounts.

From SQL*Plus:
alter user [username] account lock;

7-119 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Enable application object owner accounts only for installation and maintenance.
DBA are special purpose accounts and do not require disabling although they may
own objects. For application objects that require routine maintenance, e.g. index
objects, to maintain performance, consider allowing a special purpose account to
own the index or enable the application owner account for the duration of the
routine maintenance function only.

VKEY: V0002513 Severity: CAT 2 Policy: MAC/CONF: 1-

Platinum CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.3
STIG Requirement: (DG0004: CAT II) The DBA will ensure custom application owner
accounts are disabled or locked when not in use.

7-120 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.26 DO0210: Oracle shared replication account access

Description: Replication database accounts are used for database connections between
databases. Replication requires the configuration of these accounts using the same
username and password on all databases participating in the replication. Replication
connections use fixed user database links. This means that access to the replication
account on one server provides access to the other servers participating in the replication.
Granting unauthorized access to the replication account provides unauthorized and
privileged access to all databases participating in the replication group.

Check:
From SQL*Plus:
select 'The number of replication objects defined is: '||
count(*) from all_tables
where table_name like 'REPCAT%';

If the count returned is 0, then Oracle Replication is not installed and this check is
NA. Otherwise:

From SQL*Plus:
select count(*) from sys.dba_repcatlog;

If the count returned is 0, then Oracle Replication is not in use and this check is
NA. If any results are returned, ask the DBA if the replication account (the default
is REPADMIN, but may be customized) is restricted to IAO-authorized personnel
only. If it is not, this is a Finding.

If there are multiple replication accounts, confirm that all are justified and
documented with the IAO. If they are not, this is a Finding.

Fix:
Change the password for default and custom replication accounts and provide the
password to IAO-authorized users only.

VKEY: V0002516 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAGA Check Database Responsibility: Documentable: False
Type: level: True IAO
Verify
Reference: Database STIG 3.2.1
STIG Requirement: (DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

7-121 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.27 DO3485: Oracle PASSWORD_LIFE_TIME profile parameter

Description: The PASSWORD_LIFE_TIME value specifies the length of time the same
password may be used to authenticate to a database account. After the time period
specified has passed for the assigned password, the user is required to change their
password or else forfeit access to the database. Frequent password changes help to
decrease the likelihood or duration of a password compromise that would result in
unauthorized access.

Check:
NOTE: The DEFAULT profile is required to have a password lifetime set not to
exceed 60 days, which is the current password lifetime limit per DoD policy.
Custom profiles for non-interactive accounts (accounts used by applications or
other systems) may have a password lifetime set to a time greater than 60 days,
but must still have a limit assigned. Limits of one year or less for non-interactive
accounts do not require IAO authorization and should be set to a lifetime as low
as administration and operation of the application will support.

From SQL*Plus:
select profile,limit
from dba_profiles,
(select limit as def_pwd_life_tm
from dba_profiles
where profile='DEFAULT'
and resource_name='PASSWORD_LIFE_TIME')
where resource_name='PASSWORD_LIFE_TIME'
and ((replace(limit,'DEFAULT',def_pwd_life_tm) in
('UNLIMITED',NULL))
or (lpad(replace(limit,'DEFAULT',def_pwd_life_tm),40,'0') >
lpad('60',40,'0')));

If the DEFAULT profile has a value greater than 60 days, this is a Finding.

If any non-default profiles have password lifetimes greater than 60 days and are
assigned to interactive accounts, this is a Finding.

If any non-default profiles have password lifetimes greater than 365 days (1 year)
and are assigned to any accounts, this is a Finding.

If any profiles have password lifetimes set to UNLIMITED, NULL or no value,

this is a Finding.

Verify in the System Security Plan that all accounts assigned to profiles with a
password lifetime greater than 60 days belong to non-interactive accounts.

Fix:
7-122 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Assign a password lifetime of 60 days or less to the default database profile.

Assign a password lifetime of 60 days or less to non-default profiles assigned to
interactive database accounts. Assign as password lifetime of 365 days or less to
non-default profiles assigned to non-interactive database accounts that do not
support frequent password changes. Include a list of all database accounts and
their profile assignments in the System Security Plan.

Modify profiles to assign a password lifetime.

From SQL*Plus:
alter profile default limit password_life_time 60;
alter profile [profile name] limit password_life_time [60 to 365];

Replace [profile name] with any existing, non-default profile name and [60 to
365] with a value between 60 and 365 (days) inclusive.

VKEY: V0002609 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.2.2.2
STIG Requirement: (DG0125: CAT II) The DBA will set expiration times for interactive
database user account passwords to 60 days or less where supported
by the DBMS.

7-123 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.28 DO3536: Oracle IDLE_TIME profile parameter

Description: The Idle Time Resource Usage setting limits the maximum idle time
allowed in a session. Idle time is a continuous inactive time period during a session,
expressed in minutes. Long-running queries and other operations are not subject to this
limit. Setting an Idle Time Resource Usage limit helps prevent users from leaving
applications open when they are away from their desks.

Check:
From SQL*Plus:
select limit from DBA_PROFILES where profile=’DEFAULT’
and resource_name=’IDLE_TIME’;

select profile||': '||limit

from dba_profiles,
(select limit as def_idl_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'IDLE_TIME')
where resource_name='IDLE_TIME'
and ((replace(limit,'DEFAULT',def_idl_tm) in ('UNLIMITED', NULL))
or (lpad(replace(limit,'DEFAULT',def_idl_tm),40,'0') >
lpad('15',40,'0')));

If the idle time on the DEFAULT profile is greater than 15 minutes, this is a
Finding.

If any non-default profiles have an idle time setting greater than 60 minutes or are
set to an UNLIMITED value and not documented in the System Security Plan or
not authorized by the IAO, this is a Finding.

If any profiles have an idle time setting of NULL or no value, this is a Finding.

Fix:
Modify profiles to meet the idle time requirement.

From SQL*Plus:
alter profile default limit idle_time 15;
alter profile [profile name] limit idle_time [IAO-approved value];

Authorize and document any profiles that require idle times greater than 15
minutes in the System Security Plan.

7-124 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002552 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Database STIG 3.3.10
(DG0134: CAT II) The DBA will configure where supported by the
DBMS a limit of concurrent connections by a single database account
to the limit specified in the System Security Plan, a number
determined by testing or review of logs to be appropriate for the
application. The limit will not be set to unlimited except where
operationally required and documented in the System Security Plan.

7-125 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.29 DO0380: Oracle SYSDBA password file users

Description: Oracle SYSDBA privileges include privileges to administer the database
outside of database controls (when the database is shut down or open in restricted mode)
in addition to all privileges controlled under database operation. Assignment of SYSDBA
privileges in the Oracle password file to unauthorized persons can compromise all DBMS
activities.

Check:
From SQL*Plus:
select username from v$pwfile_users
where username not in
(select grantee from dba_role_privs where granted_role='DBA')
and username<>'INTERNAL'
and (sysdba = 'TRUE' or sysoper='TRUE');

If any accounts are listed and are not authorized by the IAO in the System
Security Plan, this is a Finding.

Fix:
If a REMOTE_LOGIN_PASSWORDFILE is in use (='EXCLUSIVE'), then list
database accounts assigned SYSDBA and SYSOPER database privileges and
review for appropriate authorization. Document authorized SYSDBA and
SYSOPER users in the System Security Plan.

From SQL*Plus:
select * from v$pwfile_users;

To revoke SYSDBA or SYSOPER from accounts:

From SQL*Plus:
revoke sysdba from [username];
revoke sysoper from [username];

VKEY: V0003442 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0085: CAT II) The DBA will ensure the minimum database
administrative privileges are assigned to database administrative roles
to perform the administrative job function.

7-126 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.30 DG0075: DBMS links to external databases

Description: DBMS links provide a communication and data transfer path definition
between two databases that may be used by malicious users to discover and obtain
unauthorized access to remote systems. Database links between production and
development DBMSs provide a means for developers to access production data not
authorized for their access or to introduce untested or unauthorized applications to the
production database. Only protected, controlled, and authorized downloads of any
production data to use for development should be allowed. Only applications that have
completed the configuration management process should be introduced by the application
object owner account to the production system.

Check:
From SQL*Plus:
select db_link||': '||host from dba_db_links;

If no links are returned, this check is NA.

Review documentation for definitions of authorized database links to external

interfaces. The documentation should include:

- Any remote access to the database

- The purpose or function of the remote connection
- Any access to data or procedures stored externally to the local DBMS
- Any network ports or protocols used by remote connections, whether the
remote connection is to a production, test, or development system
- Any security accounts used by DBMS to access remote resources or objects

If any unauthorized database links are defined or the definitions do not match the
documentation, this is a Finding.

NOTE: Findings for production-development links under this check are assigned
to the production database only.

If any database links are defined between the production database and any test or
development databases, this is a Finding.

If remote interface documentation does not exist or is incomplete, this is a

Finding.

Fix:
Document all remote or external interfaces used by the DBMS to connect to or
allow connections from remote or external sources. Include with the
documentation as appropriate, any network ports or protocols, security accounts,
and the sensitivity of any data exchanged. Do not define or configure database
links between production databases and test or development databases.
7-127 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003818 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0075: CAT II) The DBA will ensure database connections to
remote databases or remote or external applications and services are
disabled and/or not defined unless database replication is in use or the
remote connection is mission and/or operationally required and
documented in the AIS functional architecture documentation.

7-128 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.31 DG0087: DBMS sensitive data labeling

Description: The sensitivity marking or labeling of data items promotes the correct
handling and protection of the data. Without such notification, the user may unwittingly
disclose sensitive data to unauthorized users.

Check:
If Oracle Label Security is not installed or database does not contain sensitive
data, this check is NA.

From SQL*Plus:
select * from DBA_SA_USERS;

Compare results to the requirements for labeling as specified in the System

Security Plan. If label security is not configured as specified in the System
Security Plan, this is a Finding.

Fix:
Document label security requirements in the System Security Plan. Configure
label security in accordance with the System Security Plan. Monitor and audit
changes to the label security configuration.

VKEY: V0015616 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECML Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.12
STIG Requirement: (DG0087: CAT III) The DBA will configure DBMS marking and
labeling of non-public data where required in accordance with the
System Security Plan.

7-129 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.32 DG0091: DBMS source code encoding or encryption

Description: Source code may include information on data relationships, locations of
sensitive data that are otherwise obscured, or other processing information that could aid
a malicious user. Encoding or encryption of the custom source code objects within the
database helps protect against this type of disclosure.

Check:
If this is not a production database, this check is NA.

From SQL*Plus:
select owner||'.'||name from dba_source
where line=1
and owner not in
('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS','ORDPLUGINS',
'ORDSYS', 'OUTLN', 'PM', 'QS_ADM','RMAN', 'SYSTEM','WKSYS',
'WMSYS','XDB')
and owner not like 'OEM%'
and text not like '%wrapped%'
and type in ('PACKAGE BODY','FUNCTION','PROCEDURE');

Review the list of results with the DBA. If any results are custom or GOTS
application code, this is a Finding. If all returned results are default DBMS or
COTS application code, this is not a Finding.

Fix:
Use the Oracle WRAP utility to encode application source code stored in
application database objects (stored procedures, functions, packages).

The following may be used as an example process:

1) export the application object source and store in an external file.

From SQL*Plus:
set show off
set heading off
set verify off
set echo off
set term off
set pagesize 0
set feedback off
set serveroutput on size 1000000
set wrap on
set trimspool on
set linesize 512
spool [output file name = proc.sql]
7-130 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

select text from dba_source

where object_name='[object name]';
spool off

2) From system command line, invoke the wrap utility.

wrap iname=proc.sql oname=proc.plb

This will result in the file name proc.plb

3) re-create the object with the encoded source code.

From SQL*Plus:
@proc.plb

VKEY: V0003823 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSL Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.10
STIG Requirement: (DG0091: CAT III) The DBA will ensure custom application and
Government-Off-The-Shelf (GOTS) source code objects are encoded
or encrypted within the production database where supported by the
DBMS.

7-131 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.33 DG0172: DBMS classification level audit

Description: Some DBMS systems provide the feature to assign security labels to data
elements. The confidentiality and integrity of the data depends upon the security label
assignment where this feature is in use. Changes to security label assignment may
indicate suspicious activity.

Check:
If the DBMS does not have Oracle Label Security installed or no sensitive data is
stored or processed in the database, this check is NA.

From SQL*Plus:
select * from dba_sa_audit_options;

If no records are returned or if output from the SQL statement above does not
show classification labels being audited as required in the System Security Plan,
this is a Finding..

Fix:
Define the policy for auditing changes to security labels defined for the data.
Document the audit requirements in the System Security Plan and configure
database auditing in accordance with the policy.

VKEY: V0015657 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECLC Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.9
STIG Requirement: (DG0172: CAT II) The DBA will enable auditing of any changes to
the classification or sensitivity level assigned to classified data in the
DBMS where available and required by the Information Owner.

7-132 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.34 DO0220: Oracle instance names

Description: Service names may be discovered by unauthenticated users. If the service
name includes version numbers or other database product information, then a malicious
user may use that information to develop a targeted attack.

Check:
From SQL*Plus:
select instance_name from v$instance;
select version from v$instance;

If the instance name returned references the Oracle release number, this is a
Finding.

Numbers used that include version numbers by coincidence are not a Finding.

The DBA should be able to relate the significance of the presence of a digit in the
SID.

Fix:
Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents)
to change the SID for the database without re-creating the database to a value that
does not identify the Oracle version.

VKEY: V0002517 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.1
STIG Requirement: (DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

7-133 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.35 DO0221: Oracle default SID name

Description: Use of the default Oracle System Identifier (SID) leaves the database
vulnerable to attacks that target Oracle installations running under default SID. Using a
custom name helps protect the database against this kind of targeted attack.

Check:
From SQL*Plus:
select instance_name from v$instance;

Review the instance name with the DBA. Ask the DBA if the instance name was
chosen by the installer to conform to local naming conventions, etc. or if it was
determined by the installation software. If it was named by the installation
software, this is a Finding.

Fix:
Follow the instructions in Oracle MetaLink Note 15390.1 (and related documents)
to change the SID for the database without re-creating the database to a value
other than the application default.

VKEY: V0003848 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.3.1
STIG Requirement: (DG0123: CAT II) The DBA will ensure all access to sensitive
application data stored inside the database, and in external host files,
is granted only to database accounts and OS accounts in accordance
with user functions as specified by the Information Owner.

7-134 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.36 DO0250: Oracle database link usage

Description: Database links define connections that may be used by the local database
to access remote Oracle databases. These links provide a means for a compromise to the
local database to spread to remote databases in the distributed database environment.
Limiting or eliminating use of database links where they are not required to support the
operational system can help isolate compromises to the local or a limited number of
databases.

Check:
From SQL*Plus:
select owner||': '||db_link from dba_db_links;
select count(*) from sys.dba_repcatlog;

If no records are returned from the first SQL statement, this check is NA. If the
value of the count returned is 0 for the second SQL statement, none of the
database links listed above, if any, is used for replication. Confirm that the public
and fixed user database links listed are documented in the System Security Plan,
are authorized by the IAO and used for replication or operational system
requirements. If any are not, this is a Finding.

Fix:
Document all authorized connections from the database to remote databases in the
System Security Plan. Remove all unauthorized remote database connection
definitions from the database.

From SQL*Plus:
drop database link [link name]; OR
drop public database link [link name];

Review remote database connection definitions periodically and confirm their use
is still required and authorized.

VKEY: V0002520 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0075: CAT II) The DBA will ensure database connections to
remote databases or remote or external applications and services are
disabled and/or not defined unless database replication is in use or the
remote connection is mission and/or operationally required and
documented in the AIS functional architecture documentation.

7-135 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.37 DO0260: Oracle control file availability

Description: Oracle control files are used to store information critical to Oracle database
integrity. Oracle uses these files to maintain time synchronization of database files as
well as at system startup to verify the validity of system data and log files. Loss of access
to the control files can affect database availability, integrity and recovery.

Check:
From SQL*Plus:
select name from v$controlfile;

Oracle Best Practices recommends a minimum of two distinct control files each
located on separate storage devices or on separate, archived partitions within a
RAID device. If this minimum listed above is not met, this is a Finding.

Consult with the SA or DBA to determine that the mount points or partitions
referenced in the file paths indicate separate physical or RAID disks.

Fix:
To prevent loss of service during disk failure, multiple copies of Oracle control
files should be maintained on separate disks in archived directories.

Adding or moving a control file requires careful planning and execution. Please
consult and follow the instructions for creating control files in the Oracle
Database Administrator's Guide, under Steps for Creating New Control Files.

VKEY: V0002521 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: COBR Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Reference: Database STIG 3.5.1
STIG Requirement: (DG0114: CAT II) The DBA will ensure files critical to database
recovery are protected by employment of database and OS high-
availability options such as storage on RAID devices.

7-136 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

7.38 DO0420: Oracle XML DB

Description: The XML DB supports storage and retrieval of XML data objects in the
Oracle Database. It requires the configuration of an Oracle shared-server dispatcher that
is activated / used by the Oracle listener to pass http XML requests. If this service is not
required, it should be disabled.

Check:
From SQL*Plus:
select count(*) from dba_users where username='XDB';
select count(*) from v$parameter where name='dispatchers'
and value like '%XDB%';

If a value of 0 is returned for either the first or the second SQL statement above,
this is not a Finding.

If a value of 1 (or more) is returned for the second SQL statement, review the
System Security Plan to verify existence of all XML DB dispatchers is
authorized. If it is not, this is a Finding.

Fix:
If the database is authorized to support web services using XML over HTTP, then
include documentation and authorization in the System Security Plan.

If none is authorized, uninstall XML DB per Oracle MetaLink Note 243554.1 for
Oracle versions 9.2, 10.1 and 10.2 and Oracle MetaLink Note 742014.1 for
Oracle version 11.1.

VKEY: V0003865 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: True DBA
Verify
Database STIG 3.1.4.1
(DG0016: CAT III) The DBA will ensure unused optional database
components or features, applications, and objects are removed from
the database and host system. If the optional component cannot be
uninstalled or removed, then the DBA will ensure the unused
component or feature is disabled.

7-137 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

8. Oracle Home Automated Check Procedures

8.1 DG0003: DBMS patchset/CPU security patch level

Description: Maintaining the currency of the software version protects the database
from known vulnerabilities.

Check:
Oracle provides patches in patchsets, Critical Patch Updates (CPU) as well as
providing patch set exceptions for installed DBMS products.

A patchset is an 'amended code set', consisting of a number of bug fixes, which is

subjected to a rigorous QA and certification process. Oracle patch sets update the
Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together
to support a product family (for example, Oracle DBMS includes Enterprise,
Standard, Personal and Client Editions).

Oracle security patches are published quarterly in January, April, July and
October as Critical Patch Updates (CPU). CPUs may be viewed at
http://www.oracle.com/technology/deploy/security/alerts.htm. Most Oracle CPU
patches are also listed in DoD IAVM alerts.

Patch set exceptions are fixes per a particular DBMS product based on reported
bugs and do not undergo the rigorous QA and certification process that patchsets
do. These are installed as needed to correct reported or observed bugs in the
Oracle DBMS products.

This check applies to the application of the patchsets and the CPU patches.

For Oracle patchsets:

From SQL*Plus:
select version from v$instance;

If the Oracle DBMS version is not at the listed patchset level for your
supported platform (see table below), this is a Finding.

1 - Oracle Database Patch Sets (as of March 2009)

Platform Oracle 11g Rel 1 Oracle 10g Rel 1 Oracle 10g Rel 1 Oracle 9i Rel 2
Latest Release Latest Release Latest Release Latest Release
Patchset Date Patchset Date Patchset Date Patchset Date
Apple MAC OS - - 10.1.0.5 Jan 08, 07 - -
(PPC)
HP Tru64 Unix - - 10.2.0.3 Oct 15, 07 10.1.0.5 Oct 18 , 06 9.2.0.8 Mar 05, 07
HP OpenVMS - - 10.2.0.2 Dec 05, 06 10.1.0.5 Feb 15, 08 9.2.0.8 May 04, 07
Alpha
HP-UX PA-RISC - - - - - - - -
(32-bit)

8-138 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

HP-UX PA-RISC 11.1.0.7 Nov 11, 08 10.2.0.4 June 02, 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 22, 06
(64-bit)
HP-UX Itanium 11.1.0.7 Oct 06, 08 10.2.0.4 May 02 , 08 10.1.0.5 Jun 07, 06 9.2.0.8 Oct 04 , 06
IBM RS/600(32- - - - - - - - -
bit)
IBM RS/600(64- - - - - - - 9.2.0.5 Apr 08, 04
bit)
IBM AIX Based 11.1.0.7 Oct 06, 08 10.2.0.4 May 15 , 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 22, 06
System(5L)
IBM NUMA-Q - - - - - - - -
DYNX/ptx
IBM z/OS - - 10.2.0.3 Dec 30, 06 10.1.0.5 Mar 05, 06 9.2.0.8 Aug 22, 06
(OS/390)
IBM zSeries - - 10.2.0.3 Jun 15, 07 10.1.0.5 Aug 26, 06 9.2.0.8 Feb 26 , 08
Based Linux
IBM Power Based - - 10.2.0.3 Mar 14, 07 - - - -
Linux
Linux x86 11.1.0.7 Sep 18, 08 10.2.0.4 Feb 15 , 08 10.1.0.5 Jan 30, 06 9.2.0.8 Aug 25, 06
Linux x86-64 11.1.0.7 Sep 18, 08 10.2.0.4 Mar 18, 08 10.1.0.5 Feb 24, 06 9.2.0.8 Aug 22, 06
(AMD64/EM64T)
Linux Itanium - - 10.2.0.3 Dec 30, 06 10.1.0.5 May 01, 06 9.2.0.8 Aug 22, 06
Microsoft 11.1.0.7 Oct 09, 08 10.2.0.4 Mar 18, 08 10.1.0.5 Feb 13, 06 9.2.0.8 Aug 21, 06
Windows (32-bit)
Microsoft - 10.2.0.3 Dec 29, 06 10.1.0.5 Jan 30, 06 9.2.0.8 Aug 22, 06
Windows Itanium
(64-bit)
Microsoft 11.1.0.7 Nov 13, 08 10.2.0.4 May 16 , 08 - - - -
Windows x86-64
(AMD64/EM64T)
Microsoft - - - - - - - -
Windows 2008
Server (32-bit)
Microsoft - - - - - - - -
Windows Server
2008 (x64)
Microsoft - - - - - - - -
Windows Vista
Microsoft - - - - - - - -
Windows Vista
(x64)
Solaris Operating - - - - - - 9.2.0.8 Aug 24, 06
Env
(SPARC 32-bit)
Solaris Operating 11.1.0.7 Oct 06, 08 10.2.0.4 May 02, 08 10.1.0.5 Feb 05, 06 9.2.0.8 Aug 24, 06
Env
(SPARC 64-bit)
Solaris Operating - - 10.2.0.2 Sep 13, 06 10.1.0.5 Jun 19, 06 - -
Env (x86)
Solaris Operating - - 10.2.0.3 Aug 10, 07
Env (x86 64-bit)

Note: The table above was modified from the original found at
http://www.oracle.com/technology/support/patches.htm to include the recent
Oracle 11g patchset and remove references to Oracle 8i.

For Oracle Critical Patch Updates (CPU):

Go to the website
http://www.oracle.com/technology/deploy/security/alerts.htm. Click on the
latest Critical Patch Update link. Click on the [Database] link in the Supported
Products and Components Affected section. Enter your Oracle MetaLink

8-139 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

credentials. Locate the Critical Patch Update Availability table. Identify your
OS Platform and Oracle version to see if there is a CPU update release. If there
is none, this is not a Finding. If there is one, note the patch number for the steps
below.

View the installed patch numbers for the database using the Oracle opatch
utility.

On UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory –detail | grep [PATCHNUM]

On Windows systems (From Windows Command Prompt):

%ORACLE_HOME%\OPatch\opatch lsinventory –detail | findstr
[PATCHNUM]

Replace [PATCHNUM] with the Patch number noted above. If the output
shows the installed patch is present, this is not a Finding. No output indicates
that the patch has not been applied and is a Finding.

Fix:
Apply all Oracle version patchsets and Critical Patch updates to the database
software where available. Follow vendor-provided patch installation instructions.

VKEY: V0005659 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: VIVM Check Database Responsibility: Documentable: False
Type: Auto level: False DBA
Reference: Database STIG 3.6.1
STIG Requirement: (DG0003: CAT II) The DBA will ensure all applicable vendor-
provided security patches are installed.

8-140 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

8.2 DO0100: Oracle version support

Description: Unsupported software versions are not patched by vendors to address
newly discovered security versions. An unpatched version is vulnerable to attack.

Check:
From SQL*Plus:
select banner from v$version where banner like 'Oracle%';

Currently supported versions as of 3/2009 are:

11.1
10.2
10.1 (extended support only)
9.2 (extended support only)
9.2DV (extended support only).

If the Oracle version is not in the list above or does not have extended support
where specified, this is a Finding.

Fix:
Upgrade to a supported Oracle version. Install latest patchset available. Apply all
available security patches. Use the opatch utility to confirm installed patches.

9.2 / Jul 2007 (Extended support provided through Jul 2010)

Terminal Patch Set: 9.2.0.8
(Premier Support for 9.2 ended on 31 July 2007)

10.1 / Jan 2009 (Extended support provided through Jan 2012)

Terminal Patch Set: 10.1.0.5
(Premier Support for 10.1 ended on 31 January 2009)

10.2 / Jul 2010 (Extended support provided through Jul 2013)

Current Patch Set: 10.2.0.4 (as of June 2008 for most platforms)

11.1 / Aug 2012 (Extended support provided through Aug 2015)

Current Patch Set: 11.1.0.7 (as of September 2008 for most platforms)

See http://www.oracle.com/technology/support/patches.htm for a definitive list of

version patch sets for Oracle DBMS software.

8-141 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002509 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: VIVM Check Database Responsibility: Documentable: False
Type: Auto level: False IAO
Reference: Database STIG 3.6.1
STIG Requirement: (DG0001: CAT I) The IAO will ensure unsupported DBMS software
is removed or upgraded prior to a vendor dropping support.

8-142 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9. Oracle Home Interview Check Procedures

9.1 DG0010: DBMS software monitoring

Description: Changes to files in the DBMS software directory on the host system
including executable, configuration, script or batch files can indicate malicious
compromise of the software files. Monitoring of changes to these files can assist in a
timely discovery of an attack on the database. Changes to non-executable files, such as
log files and data files, do not usually reflect unauthorized changes but are modified by
the DBMS as part of normal operation. These modifications can be ignored.

Check:
Ask the DBA to describe/demonstrate any software modification detection
procedures in place and request documents of these procedures for review. Verify
by reviewing reports for inclusion of the DBMS executable and configuration
files. If documented procedures and proof of implementation does not exist that
includes review of the database software directories and database application
directories, this is a Finding.

Fix:
Document and implement procedures to monitor changes made to the DBMS
software. Identify all database files and directories to be included in the host
system or database backups and provide these to the person responsible for
backups.

For Windows systems, you can use the dir /s > filename.txt run weekly to store
and compare file modification/creation dates and file sizes using the DOS fc
command. For UNIX systems, you can use the ls –as >filename.txt command to
store and compare (diff command) file statistics for comparison. These are not as
comprehensive as some tools available, but may be enhanced by including checks
for checksums or file hashes.

VKEY: V0002420 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSL Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.10
STIG Requirement: (DG0010: CAT III) The IAO will ensure DBMS software is
monitored on a regular basis no less frequently than weekly to detect
unauthorized modifications.

9-143 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.2 DG0011: DBMS Configuration Management

Description: Uncontrolled, untested or unmanaged changes to database software result in
an unreliable security posture. Any change to database software libraries may interrupt
operations or produce unexpected behavior. CM can reduce the possibility of unexpected
results by providing oversight and control for proposed changes. Address supporting
custom and third party applications in the management of database software libraries
although the responsibilities may be assigned to more than one organization or group.
Related database application libraries may include third-party DBMS management tools,
DBMS stored procedures, or other end-user applications.

Check:
If this is not a production system, this check is NA.

Review documentation and implementation evidence of CM procedures designed

to prevent untested and uncontrolled software modifications to the production
system. If none is defined and implemented, this is a Finding.

Fix:
Develop and implement CM procedures. Include all configurable DBMS features
or options. Include upgrades and patch management. Assign responsibilities for
oversight and approval for all changes to the database software and configuration.

VKEY: V0003726 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPR Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.8
STIG Requirement: (DG0011: CAT III) The IAO will ensure CM procedures are
documented and implemented for changes to the DBMS
configuration, software libraries, and other related application
software libraries

9-144 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.3 DG0013: Database backup procedures

Description: Database backups provide the required means to restore databases after
compromise or loss. Backups help reduce the vulnerability to unauthorized access or
hardware loss.

Check:
Review the database backup procedures and implementation evidence. Evidence
of implementation includes records of backup events and physical review of
backup media. Evidence should match the backup plan as documented in the
System Security Plan.

If backup procedures do not exist or are not implemented in accordance with the
procedures, this is a Finding.

If backups are not performed weekly or more often for MAC III systems, this is a
Finding.

If backups are not performed daily or more often for MAC II systems, this is a
Finding.

If backup data for MAC II systems is not secured and stored offline at an alternate
site, this is a Finding.

If backups for MAC I systems do not include a redundant secondary system

maintained at a separate physical site that can be activated without interruption or
loss of data if the primary system fails, this is a Finding.

Fix:
Design, document and implement database backup procedures.

Include daily backup procedures and offline backup data storage at an alternate
site for MAC II systems.

Include a secondary server installed at a separate location that can be brought

online to prevent any disruption to availability or loss of data for MAC I systems.

9-145 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015126 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: CODB
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Database STIG 3.5.2
(DG0013: CAT II) The DBA/SA will ensure backups of database
data, configuration, and other files critical to database operation have
been performed at intervals consistent with the database's assigned
criticality level.

9-146 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.4 DG0020: DBMS backup and recovery testing

Description: Problems with backup procedures or backup media may not be discovered
until after a recovery is needed. Testing and verification of procedures provide the
opportunity to discover oversights, conflicts, or other issues in the backup procedures or
use of media.

Check:
Review documented backup testing and recovery verification procedures noted or
documented in the System Security Plan.

Review evidence of implementation of testing and verification procedures by

reviewing logs from backup and recovery implementation. Logs may be in
electronic or hardcopy and may include email or other notification.

If backup testing and recovery verification are not documented or noted in the
System Security Plan, this is a Finding.

If evidence of backup testing and recovery verification does not exist, this is a
Finding.

Fix:
Design, document and implement backup testing and recovery verification
procedures for the DBMS host and all individual database instances and either
include or note the name, location, version and current revision date of any
external documentation in the System Security Plan.

Include any requirements for documenting database backup and recovery testing
and verification activities in the procedures.

VKEY: V0015129 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: CODP Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Reference: Database STIG 3.5.3
STIG Requirement: (DG0020: CAT II) The DBA will ensure the DBMS backup and
recovery strategy is documented, implemented and tested at least
semi-annually.

9-147 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.5 DG0050: DBMS software and configuration file monitoring

Description: Unmanaged changes that occur to the database software libraries or
configuration can lead to unauthorized or compromised installations.

Check:
Review documented software and configuration monitoring procedures and
implementation evidence to verify that monitoring of changes to database
software libraries, related applications and configuration files is being performed
weekly or more often. Verify that a list of files, directories and database
application objects (procedures, functions and triggers) being monitored is
complete.

If monitoring is not being performed weekly or more often, this is a Finding.

If implementation evidence is not complete, this is a Finding.

Fix:
Develop, document and implement procedures to monitor for unauthorized
changes to DBMS software libraries, related software application libraries and
configuration files.

If a third-party automated tool is not employed, an automated job that reports file
information on the directories and files of interest and compares them to the
baseline report for the same will meet the requirement. File hashes or checksums
should be used for comparisons as file dates may be manipulated by malicious
users.

Sample method for establishing a baseline of Oracle database objects for

monitoring:

NOTE: Before running the procedure, consider spooling the results to a text file
on the host. Output may also be directed to a database table with modification to
the procedure.

From SQL*Plus:
create or replace function compute_md5 (proc_name_in in varchar2)
return varchar2
is
all_text varchar2(32767);
cur_md5 varchar2(32767);
begin
for x in (select text from user_source where name=PROC_NAME_IN) loop
cur_md5:=dbms_obfuscation_toolkit.md5(input =>
utl_raw.cast_to_raw(x.text));
all_text:=dbms_obfuscation_toolkit.md5(input => (cur_md5 || all_text));
9-148 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

end loop;
return all_text;
end;
/
show errors;
set serveroutput on size 1000000;
declare
begin
for x in (select distinct name from user_source) loop
dbms_output.put_line(chr(10));
dbms_output.put_line('Procedure: ' || x.name) ;
dbms_output.put_line('MD5: ' || compute_md5(x.name));
end loop;
end;
/

VKEY: V0002423 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSL Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Reference: Database STIG 3.1.10
STIG Requirement: (DG0050: CAT II) The DBA will ensure database application
software is monitored to detect unauthorized modification every week
or more often.

9-149 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.6 DG0053: DBMS client connection definition file

Description: Many sites distribute a single database connection configuration file to all
site database users/clients that contains network access information for all databases on
the site. Such a file provides information to access databases not required by all users that
may assist in unauthorized access attempts.

Check:
Review documented and implemented procedures contained or noted in the
System Security Plan for providing database client connection information to
users and user workstations. Oracle client connection information is stored in the
file:

$ORACLE_HOME/network/admin/tnsnames.ora (UNIX)
%ORACLE_HOME%\network\admin\tnsnames.ora (Windows)

If procedures do not indicate and implement restrictions in distribution of

connection definitions to personnel/machines authorized to connect to the
database, this is a Finding.

Fix:
Develop, document and implement procedures to distribute client connection
definitions or definition files that contain only connection definitions authorized
for that user or user workstation. Include or note these procedures in the System
Security Plan.

VKEY: V0003809 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.1
STIG Requirement: (DG0053: CAT II) The IAO will ensure database client software
includes only database identification parameters of databases to which
that user is authorized access.

9-150 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.7 DG0066: Temporary password procedures

Description: New accounts authenticated by passwords that are created without a
password or with an easily guessed password are vulnerable to unauthorized access.
Procedures for creating new accounts with passwords should include the required
assignment of a temporary password to be modified by the user upon first use.

Check:
If all database accounts are configured to authenticate using certificates or other
credentials besides passwords, this check is NA.

Review documented procedures and evidence of implementation for assignment

of temporary passwords for password-authenticated accounts. Confirm temporary
passwords meet DoD password requirements. Review documented procedures for
distribution of temporary passwords to users. Have the DBA demonstrate that the
DBMS or applications accessing the database are configured to require a change
of password by the user upon first use.

If documented procedures and evidence do not exist or are not complete,

temporary passwords do not meet DoD password requirements, or the DBMS or
applications accessing the database are not configured to require a change of
password by the user upon first use, this is a Finding.

Fix:
Develop, document and implement procedures for assigning, distributing and
changing of temporary passwords for new database user accounts. Procedures
should include instruction that meet current DoD password length and complexity
requirements and provide a secure method to relay the temporary password to the
user. Temporary passwords should also be short-lived and require immediate
update by the user upon first use. Consider using account authentication using
certificates or other credentials in place of password authentication.

VKEY: V0003811 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Interview
Reference: Database STIG 3.2.2.2
STIG Requirement: (DG0066: CAT II) The DBA will assign a database account password
at database account creation.

9-151 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.8 DG0067: DBMS account password external storage

Description: Passwords stored in clear text for access by host applications and/or batch
jobs are vulnerable to unauthorized disclosure. Passwords should always be encrypted
when stored in host system files.

Check:
NOTE: This check applies specifically to the Oracle DBMS installation and its
associated files, scripts and environments.

Review with the DBA the list of DBMS configuration files, scripts and
applications not defined within the database that access the database included or
noted in the System Security Plan. The list should also include files or settings
used to configure the operational environment for the DBMS and for interactive
DBMS user accounts.

Determine if any DBMS configuration files, scripts, applications or DBMS/user

environment files/settings contain database passwords. If any do, confirm that the
passwords, files and settings are encoded or encrypted.

If any passwords are stored in clear text, this is a Finding. If a list of DBMS
configuration files, scripts, applications and environment files/settings not defined
within the database that access the database does not exist, this is a Finding.

Fix:
Develop, document and maintain a list of DBMS configuration files, scripts,
applications and environment files/settings not defined within the database that
access the database. Record whether they do or do not contain database
passwords. If passwords are stored, ensure they are encoded or encrypted and
protected by host system security. Also, consider the use of Oracle Database
Vault or making the database account authenticate externally.

VKEY: V0003812 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAIA Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Interview
Reference: Database STIG 3.2.2.1
STIG Requirement: (DG0067: CAT I) The DBA will ensure database account passwords
are stored in encrypted format whether stored in database objects,
external host files, environment variables or any other storage
location.

9-152 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.9 DG0068: DBMS application password display

Description: Database applications may allow for entry of the account name and
password as a visible parameter of the application execution command. This practice
should be prohibited and disabled, if possible, by the application. If it cannot be disabled,
then users should be strictly instructed not to use this feature. Typically, the application
will prompt for this information and accept it without echoing it on the users computer
screen.

Check:
Review policy and instructions included or noted in the System Security Plan
used to inform users and administrators not to enter database passwords at the
command line. Review documented and implemented procedures used to monitor
the DBMS system for such activity.

If policy or instructions do not exist, proof of users and administrators being

briefed does not exist or monitoring for compliance is not being performed to
dissuade the practice of entering database passwords on the command line, this is
a Finding.

Fix:
Develop, document and implement policy and instructions to train users not to
enter database passwords on the command line. Develop, document and
implement monitoring for compliance. Alter command-line utilities to prevent or
report when a password has been entered on a command line or disable its use.

VKEY: V0003813 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECCR Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Reference: Database STIG 3.3.5
STIG Requirement: (DG0068: CAT II) The DBA will ensure applications that access the
database are not used with options that display the database account
password on the command line.

9-153 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.10 DG0069: Production data import to development DBMS

Description: Data export from production databases may include sensitive data.
Application developers may not be cleared for or have need-to-know to sensitive data.
Any access they may have to production data would be considered unauthorized access
and subject the sensitive data to unlawful or unauthorized disclosure.

Check:
If the database being reviewed is not a production database or does not contain
sensitive data, this check is NA.

Review documented policy, procedures and proof of implementation for

restrictions placed on data exports from the production database. Policy and
procedures should include that only authorized users have access to DBMS export
utilities and that export data is properly sanitized prior to import to a development
database. Policy and procedures may also include that developers be granted the
necessary clearance and need-to-know prior to import of production data.

If documented policy, procedures and proof of implementation are not present or

complete, this is a Finding. If methods to sanitize sensitive data are required and
not documented or followed, this is a Finding.

Fix:
Develop, document and implement policy and procedures that provide restrictions
for production data export. Require users and administrators assigned privileges
that allow the export of production data from a production database to
acknowledge understanding of export restrictions. Restrict permissions allowing
use or access to database export procedures or functions to authorized users.
Ensure sensitive data from production is sanitized prior to import to a
development database (See check DG0076). Grant access and need-to-know to
developers where allowed by policy.

VKEY: V0015140 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Reference: Database STIG 3.3.1
STIG Requirement: (DG0069: CAT II) The DBA will ensure production data is not
exported for import to development databases except in accordance
with processes and procedures approved by the Information Owner.

9-154 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.11 DG0083: Audit record report automation

Description: Audit record collection may quickly overwhelm storage resources and an
auditor's ability to review it in a productive manner. Automated tools can provide the
means to manage the audit data collected as well as present it to an auditor in an efficient
way.

Check:
If the database being reviewed is not a production database, this check is NA.

Interview the auditor or IAO to determine if an automated tool or procedure is

used to report audit trail data. If an automated tool or procedure is not used, this is
a Finding.

Fix:
Develop database or host system procedures to report audit trail data in a form
usable to detect unauthorized access to or usage of DBMS privileges, procedures
or data. You may also want to consider procuring a third-party auditing tool like
Oracle Audit Vault with support for Oracle, SQL Server, DB2 and Sybase.

NOTE: Audit data may contain sensitive information. The use of a single
repository for Audit data should be protected at the highest level based on the
sensitivity of the databases being audited.

VKEY: V0015102 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECRG Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.17
STIG Requirement: (DG0083: CAT II) The IAO will ensure automated tools are available
and implemented for review and reporting of DBMS audit records.

9-155 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.12 DG0086: DBA role privilege monitoring

Description: Excess privilege assignment can lead to intentional or unintentional
unauthorized actions. Such actions may compromise the operation or integrity of the
DBMS and its data. Monitoring assigned privileges assists in the detection of
unauthorized privilege assignment. The DBA role is assigned privileges that allow DBAs
to modify privileges assigned to them. Ensure that the DBA Role is monitored for any
unauthorized changes.

Check:
Review documented procedures and implementation evidence of DBA role
privilege monitoring.

If procedures are not documented or noted in the System Security Plan or are not
complete, this is a Finding. If evidence of implementation for monitoring does not
exist, this is a Finding. If monitoring does not occur monthly (~30 days) or more
often, this is a Finding.

Fix:
Design, document and implement procedures for monitoring DBA role privilege
assignments. Grant the DBA role the minimum privileges required to perform
administrative functions. Establish monitoring of DBA role privileges monthly or
more often.

VKEY: V0015106 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.11.1
STIG Requirement: (DG0086: CAT II) The IAO will review monthly or more frequently,
the database privileges assigned to database administrative roles to
ensure they are limited to the minimum required.

9-156 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.13 DG0088: DBMS vulnerability mgmt and IA compliance testing

Description: The DBMS security configuration may be altered either intentionally or
unintentionally over time. The DBMS may also be the subject of published
vulnerabilities that require the installation of a security patch or a reconfiguration to
mitigate the vulnerability. If the DBMS is not monitored for required or unintentional
changes that render it not compliant with requirements, then it can be vulnerable to attack
or compromise.

Check:
Review procedures and evidence of implementation for monitoring and testing
DBMS IA and vulnerability management compliance.

If monitoring/testing procedures are not documented or noted in the System

Security Plan, this is a Finding. If evidence of periodic monitoring and testing for
continued compliance does not exist, this is a Finding.

Fix:
Develop, document and implement procedures for periodic monitoring and testing
of the DBMS against current vulnerability management and IA configuration
requirements compliance. Perform periodic monitoring/testing to ensure
continued compliance.

VKEY: V0015112 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECMT Check Database Responsibility: Documentable: False
Type: level: False
IAO
Interview
Reference: Database STIG 3.3.13
STIG Requirement: (DG0088: CAT III) The IAO will ensure the DBMS is included in the
periodic testing of conformance with vulnerability management and
IA configuration requirements.

9-157 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.14 DG0095: DBMS audit trail data review

Description: Review of audit trail data provides a means for detection of unauthorized
access or attempted access. Frequent and regularly scheduled reviews ensure that such
access is discovered in a timely manner.

Check:
If the database being reviewed is not a production database, this check is NA.

Review policy and procedures documented or noted in the System Security plan
as well as evidence of implementation for daily audit trail monitoring.

If policy and procedures are not documented or evidence of implementation is not

available, this is a Finding.

Fix:
Develop, document and implement policy and procedures to monitor audit trail
data daily.

VKEY: V0003827 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAT Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.3
STIG Requirement: (DG0095: CAT II) The IAO will ensure the database audit data is
reviewed daily to discover suspicious or unusual activity.

9-158 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.15 DG0096: DBMS IA policy and procedure review

Description: A regular review of current database security policies and procedures is
necessary to maintain the desired security posture of the DBMS. Policies and procedures
should be measured against current DoD policy, STIG guidance, vendor-specific
guidance and recommendations, and site-specific or other security policies.

Check:
Review documented policy and procedures included or noted in the System
Security Plan as well as evidence of implementation for annual reviews of DBMS
IA policy and procedures.

If policy and procedures do not exist, are incomplete, or are not implemented and
followed annually or more frequently, this is a Finding.

Fix:
Develop, document and implement procedures to review DBMS IA policies and
procedures.

VKEY: V0015138 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCAR Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.1
STIG Requirement: (DG0096: CAT III) The IAO will ensure database IA policies and
procedures are reviewed at least annually and are current and
consistent with all IA requirements.

9-159 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.16 DG0097: DBMS Testing Plans and Procedures

Description: Updates and patches to existing software have the intention of improving
the security or enhancing or adding features to the product. However, it is unfortunately
common that updates or patches can render production systems inoperable or even
introduce serious vulnerabilities. Some updates also set security configurations back to
unacceptable settings that do not meet security requirements. For these reasons, it is a
good practice to test updates and patches offline before introducing them in a production
environment.

Check:
Review policy and procedures documented or noted in the System Security Plan
and evidence of implementation for testing DBMS installations, upgrades and
patches prior to production deployment.

If policy and procedures do not exist or evidence of implementation does not

exist, this is a Finding.

Fix:
Develop, document and implement procedures for testing DBMS installations,
upgrades and patches prior to deployment on production systems.

VKEY: V0015139 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCCT Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.3
STIG Requirement: (DG0097: CAT II) The IAO will ensure comprehensive testing plans
and procedures for database installations, updates, and patches are
defined and implemented before being deployed in a production
environment.

9-160 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.17 DG0107: Sensitive data identification in the DBMS

Description: A DBMS that does not have the correct confidentiality level identified or
any confidentiality level assigned is not being secured at a level appropriate to the risk it
poses.

Check:
If no sensitive or classified data is stored in the database, listed in the System
Security Plan and listed in the AIS Functional Architecture documentation, this
check is NA.

Review AIS Functional Architecture documentation for the DBMS and note any
sensitive data that is identified.

Review database table column data or descriptions that indicate sensitive data. For
example, a data column labeled "SSN" could indicate social security numbers are
stored in the column. Question the IAO or DBA where any questions arise.
General categories of sensitive data requiring identification include any personal
data (health, financial, social security number and date of birth), proprietary or
financially sensitive business data or data that might be classified.

If any data is considered sensitive and is not documented in the AISFA, this is a
Finding.

Fix:
Include identification of any sensitive data in the AIS Functional Architecture and
the System Security Plan. Include data that appear to be sensitive with a
discussion as to why it is not marked as such.

VKEY: V0015144 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.4.4
STIG Requirement: (DG0107: CAT II) The IAO will ensure all categories of sensitive
data stored or processed by the database are identified in the AIS
functional architecture documentation.

9-161 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.18 DG0108: DBMS restoration priority

Description: When DBMS service is disrupted, the impact it has on the overall mission
of the organization can be severe. Without proper assignment of the priority placed on
restoration of the DBMS and its subsystems, restoration of DBMS services may not meet
mission requirements.

Check:
Review the System Security Plan to discover the restoration priority assigned to
the DBMS. If a restoration priority is not assigned, this is a Finding.

Fix:
Review the mission criticality of the DBMS in relation to the overall mission of
the organization and assign it a restoration priority.

VKEY: V0015145 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.4.5
STIG Requirement: (DG0108: CAT III) The IAO will ensure the restoration priority of the
database and its supporting subsystems are identified in the System
Security Plan.

9-162 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.19 DG0110: DBMS host shared with a security service

Description: The Security Support Structure is a security control function or service
provided by an external system or application. An example of this would be a Windows
domain controller that provides identification and authentication that can be used by other
systems to control access. The associated risk of a DBMS installed on a system that
provides security support is significantly higher than when installed on separate systems.
In cases where the DBMS is dedicated to local support of a security support function (e.g.
a directory service), separation may not be possible.

Check:
Review the services and processes active on the DBMS host system.

If the host system is a Windows domain controller, this is a Finding.

If the host system is supporting any other security or directory services that do not
use the DBMS to store information, this is a Finding.

NOTE: This does not include client security applications like firewall and
antivirus software.

Fix:
Install the DBMS software on a dedicated host.

VKEY: V0015179 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP
IA Control: DCSP Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.1.11
STIG Requirement: (DG0110: CAT II) The IAO will ensure the DBMS is not installed on
a host system that provides directory services or other security
services except when serving as a required component of the security
service.

9-163 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.20 DG0154: DBMS System Security Plan

Description: A System Security Plan identifies security control applicability and
configuration for the DBMS. It also contains security control documentation
requirements. Security controls applicable to the DBMS may not be documented, tracked
or followed if not identified in the System Security Plan. Any omission of security
control consideration could lead to an exploit of DBMS vulnerabilities.

Check:
Review the System Security Plan for the DBMS.

Review coverage of the following in the System Security Plan:

- Technical, administrative and procedural IA program and policies that govern
the DBMS
- Identification of all IA personnel (IAM, IAO, DBA, SA) assigned
responsibility to the DBMS
- Specific IA requirements and objectives (e.g., requirements for data handling
or dissemination (to include identification of sensitive data stored in the database,
database application user job functions/roles and privileges), system redundancy
and backup, or emergency response)

If a System Security Plan does not exist or does not identify or reference all
relevant security controls, this is a Finding.

Fix:
Develop, document and implement a System Security Plan for the DBMS.
Include IA documentation related to the DBMS in the System Security Plan for
the system that the DBMS supports.

VKEY: V0015150 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSD Check Database Responsibility: Documentable: False
Type: level: FalseIAO
Interview
Reference: Database STIG 3.1.9
STIG Requirement: (DG0154: CAT III) The IAO will ensure the DBMS is included in or
has defined for it a System Security Plan.

9-164 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.21 DG0159: Review of DBMS remote administrative access

Description: Remote administrative access to systems provides a path for access to and
exploit of DBA privileges. Where the risk has been accepted to allow remote
administrative access, it is imperative to implement increased monitoring of this access to
detect any abuse or compromise.

Check:
If remote administrative access to the database is prohibited and is disabled (See
Check DG0093), this check is NA.

Review policy, procedure and evidence of implementation for monitoring of

remote administrative access to the database.

If monitoring procedures for remote administrative access are not documented or

implemented, this is a Finding.

Fix:
Develop, document and implement policy and procedures to monitor remote
administrative access to the DBMS. The automated generation of a log report
with automatic dissemination to the IAO/IAM may be used. Require and store an
acknowledgement of receipt and confirmation of review for the log report.

VKEY: V0015118 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: EBRP Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.4.2
STIG Requirement: (DG0159: CAT II) The IAO or IAM will review daily audit trails of
remote administrative sessions to discover any unauthorized access or
actions.

9-165 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.22 DG0161: DBMS audit tool

Description: Audit logs only capture information on suspicious events. Without an
automated monitoring and alerting tool, malicious activity may go undetected and
without response until compromise of the database or data is severe.

Check:
Review evidence or operation of audit tool monitoring and alerts.

If a monitoring tool that provides alerts is not implemented, this is a Finding.

Fix:
Implement an automated tool that monitors audit logs and generates automated
alerts. Compliance may be accomplished using existing database features.

VKEY: V0015103 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-C
IA Control: ECAT Check Database Responsibility: Documentable: False
Type: level: False
IAO
Interview
Reference: Database STIG 3.3.3
STIG Requirement: (DG0161: CAT II) The IAO will ensure an automated monitoring
tool or capability is employed to review DBMS audit data and
immediately report suspicious or unauthorized activity.

9-166 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.23 DG0186: DBMS network perimeter protection

Description: Databases often store critical and/or sensitive information used by the
organization. For this reason, databases are targeted for attacks by malicious users.
Additional protections provided by network defenses that limit accessibility help protect
the database and its data from unnecessary exposure and risk.

Check:
Review the System Security Plan to determine if the DBMS serves data to users
or applications outside the local enclave.

If the DBMS is not accessed outside of the local enclave, this is not a Finding.

If the DBMS serves applications available from a public network (e.g. the
Internet), then confirm that it is located in a DMZ.

If the DBMS is located inside the local enclave and is directly accessible to public
users, this is a Finding.

If the DBMS serves public-facing applications and is not protected by location in

a DMZ, this is a Finding.

Fix:
Do not allow direct connections from users originating from the Internet or other
public network to the DBMS.

Locate the DBMS in a DMZ if it serves data to public-facing applications. Do not

locate a DBMS that serves public-facing applications inside the local enclave.

Include in the System Security Plan for the system whether the DBMS serves
public-facing applications or applications serving users from other untrusted
networks.

VKEY: V0015122 Severity: CAT 2 Policy: All MAC/CONF: 1-SP;2-

Policies SP;3-SP
IA Control: EBBD Check Database Responsibility: Documentable: False
Type: level: False
IAO
Interview
Reference: Database STIG 3.4.1
STIG Requirement: (DG0186: CAT II) The IAO will ensure the DBMS is protected from
direct client connections from public or unauthorized networks.

9-167 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.24 DG0187: DBMS software file backups

Description: The DBMS application depends upon the availability and integrity of its
software libraries. Without backups, compromise or loss of the software libraries can
prevent a successful recovery of DBMS operations.

Check:
Review evidence of Oracle database and dependent application files and
directories.

For UNIX Systems:

These files are found in the directories $ORACLE_BASE and
$ORACLE_HOME.

For Windows Systems:

The Oracle software directory is specified on a Windows host in the registry
value
HKLM\SOFTWARE\Oracle\KEY_[ORACLE_HOME_NAME]\ORACLE_
HOME.
Other Oracle software including, but not limited to Oracle tools and utilities, are
found on Windows platforms in the C:\Program Files\Oracle directory and
subdirectories.

Third-party applications may be located in other directory structures.

Review the System Security Plan for a list of all DBMS application software
libraries to be included in software library backups.

If any software library files are not included in regular backups, this is a Finding.

Fix:
Configure backups to include all ORACLE home directories and subdirectories
and any other Oracle application and third-party database application software
libraries.

VKEY: V0015121 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: COSW Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Interview
Reference: Database STIG 3.5.4
STIG Requirement: (DG0187: CAT II) The DBA will ensure critical database software
directories are backed up.

9-168 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.25 DG0194: DBMS developer privilege monitoring on shared DBMS

Description: The developer role does not include need-to-know or administrative
privileges to production databases. Assigning excess privileges can lead to unauthorized
access to sensitive data or compromise of database operations.

Check:
If the DBMS or DBMS host is not shared by production and development
activities, this check is NA.

Review policy and procedures documented or noted in the System Security Plan
and evidence of monitoring of developer privileges on shared development and
production DBMS and DBMS host systems.

If developer privileges are not monitored every three months or more frequently,
this is a Finding.

Fix:
Develop, document and implement procedures to monitor DBMS and DBMS host
privileges assigned to developers on shared production and development systems
to detect unauthorized assignments every three months or more often.

VKEY: V0015108 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECPC Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.15
STIG Requirement: (DG0194: CAT II) The IAO will review privileges granted to
developers on shared production/development database systems that
allow modification of application code or application objects every
three months or more frequently.

9-169 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.26 DG0064: DBMS backup and restoration file protection

Description: Lost or compromised DBMS backup and restoration files may lead to not
only the loss of data, but also the unauthorized access to sensitive data. Backup files need
the same protections against unauthorized access when stored on backup media as when
online and actively in use by the database system. In addition, the backup media needs to
be protected against physical loss. Most DBMSs maintain online copies of critical control
files to provide transparent or easy recovery from hard disk loss or other interruptions to
database operation.

Check:
Review documented backup and restoration procedures to determine ownership
and access during all phases of backup and recovery. Review file protections
assigned to online backup and restoration files and tools. Review access, physical
security protections and documented procedures for offline backup and
restoration files and tools.

If implementation evidence indicates that backup or restoration files are subject to

corruption, unauthorized access or physical loss, this is a Finding.

Fix:
Develop, document and implement protection for backup and restoration files.
Document personnel and the level of access authorized for each to backup and
restoration files and tools. In addition to physical and host system protections,
consider other methods including password protection of the files.

VKEY: V0015120 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: COBR Check Database Responsibility: Documentable: False
Type: level: False DBA
Interview
Reference: Database STIG 3.5.1
STIG Requirement: (DG0064: CAT II) The DBA will ensure access to database backup
and recovery files are restricted to the database and/or OS backup and
recovery processes, DBAs, and database backup/recovery operators.

9-170 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.27 DG0118: IAM review of change in DBA assignments

Description: Unauthorized assignment of DBA privileges can lead to a compromise of
DBMS integrity. Providing oversight to the authorization and assignment of privileges
provides the separation of duty to support sufficient oversight.

Check:
Review policy and procedures documented or noted in the System Security Plan
as well as evidence of implementation for monitoring changes to DBA role
assignments and procedures for notifying the IAM of the changes for review.

If policy, procedures or implementation evidence do not exist, this is a Finding.

Fix:
Develop, document and implement procedures to monitor changes to DBA role
assignments.

Develop, document and implement procedures to notify the IAM of changes to

DBA role assignments. Include in the procedures methods that provide evidence
of monitoring and notification.

VKEY: V0015127 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECPA Check Database Responsibility: Documentable: False
Type: level: False IAM
Interview
Reference: Database STIG 3.3.14
STIG Requirement: (DG0118: CAT II) The IAM will review DBA role assignments
whenever changes to the assignments occur.

9-171 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.28 DG0040: DBMS software owner account access

Description: DBA and other privileged administrative or application owner accounts are
granted privileges that allow actions that can have a greater impact on database security
and operation. It is especially important to grant access to privileged accounts to only
those persons who are qualified and authorized to use them.

Check:
Review documented and implemented procedures for controlling and granting
access of the Oracle DBMS software installation account.

If access or use of this account is not restricted to the minimum number of

personnel required or unauthorized access to the account has been granted, this is
a Finding.

On UNIX systems:
If the account is not disabled when not in use, this is a Finding.

On Windows systems:
The Oracle DBMS software is installed using an account with administrator
privileges. Ownership is assigned to the account used to install the DBMS
software. Change of ownership can be performed, but is not necessary and any
check results are not a Finding.

Fix:
Develop, document and implement procedures to restrict use of the Oracle DBMS
software installation account.

Ensure that the Oracle DBMS software installation account is locked when not in
use.

VKEY: V0002422 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.11.2
STIG Requirement: (DG0040: CAT II) The IAO will ensure access to the DBMS software
installation account is restricted to IAO-authorized personnel only.

9-172 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.29 DG0041: DBMS installation account use logging

Description: The DBMS installation account may be used by any authorized user to
perform DBMS installation or maintenance. Without logging, accountability for actions
attributed to the account is lost.

Check:
Review documented and implemented procedures for monitoring the use of the
DBMS software installation account in the System Security Plan.

If use of this account is not monitored or procedures for monitoring its use do not
exist or are incomplete, this is a Finding.

On Windows systems:
The Oracle DBMS software is installed using an account with administrator
privileges. Ownership is assigned to the account used to install the DBMS
software. If monitoring does not include all accounts with administrator
privileges on the DBMS host, this is a Finding.

Fix:
Develop, document and implement a logging procedure for use of the DBMS
software installation account that provides accountability to individuals for any
actions taken by the account.

Host system audit logs should be included in the DBMS account usage log along
with an indication of the person who accessed the account and an explanation for
the access. Ensure all accounts with administrator privileges are monitored for
DBMS host on Windows OS platforms.

VKEY: V0015110 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: False IAO
Interview
Reference: Database STIG 3.3.11.12
STIG Requirement: (DG0041: CAT II) The IAO will ensure use of the DBMS software
installation account is logged and/or audited to indicate the identity of
the person who accessed the account.

9-173 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

9.30 DG0042: DBMS software installation account use

Description: The DBMS software installation account is granted privileges not required
for DBA or other functions. Use of accounts configured with excess privileges may result
in unauthorized or unintentional compromise of the DBMS.

Check:
Review the DBMS account usage log for use of the Oracle DBMS software
installation account. Interview personnel authorized to access the DBMS software
installation account to ask how the account is used.

If any usage of the account is to support daily operations or general DBA

responsibilities, this is a Finding.

On Windows systems:
The Oracle DBMS software is installed using an account with administrator
privileges. Ownership is assigned to the account used to install the DBMS
software. Except where a change in ownership is made to a dedicated account,
any check results are not a Finding.

Fix:
Develop, document, implement procedures, and train authorized users to restrict
usage of the DBMS software installation account for DBMS software installation,
upgrade and maintenance only.

VKEY: V0015111 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: False
IAO
Interview
Reference: Database STIG 3.3.11.3
STIG Requirement: (DG0042: CAT II) The IAO will ensure the DBMS software
installation account is only used when performing software
installation and upgrades or other DBMS maintenance. The IAO will
ensure the DBMS software installation account is not used for DBA
activities not related to DBMS file permission and ownership
maintenance.

9-174 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10. Oracle Home Manual Check Procedures

10.1 DG0017: DBMS shared production/development use

Description: On shared production and development DBMS systems access identifiers
that do not clearly indicate whether the DBMS or DBMS object being accessed is part of
the production or development objects can lead to unintentional modification of
production objects.

Check:
If the DBMS host is not a shared production/development host, this check is NA.

NOTE: Though shared production/development DBMS systems may be allowed

under current database STIG guidance, doing so may place it in violation of OS,
Application, Network or Enclave STIG guidance. Ensure that any shared
production/development DBMS systems meet STIG guidance requirements at all
levels or mitigate any conflicts in STIG guidance with your DAA.

Review all environment variables or other identifiers configured on the host

system used by production DBAs, other users and developers to access the
production and development DBMSs.

If the names or values of any identifiers do not clearly distinguish the

development from the production applications, databases or database objects, this
is a Finding.

An example of poor identifier naming would be MYDBAPP1 for production and

MYDBAPP2 for development. Acceptable identifiers would be MYDBAPP-
PROD and MYDBAPP-DEV or completely different names such as FREDSAPP
and SALLYSAPP where the related SALLYSAPP identifiers are known only to
DBAs and Developers.

Check Windows service names and UNIX process names to review identifiers as
well as environment variables used by DBAs and developers. Have the DBA
display any other system level or local environment variables that reference the
database installation directories or instances.

Fix:
Rename identifiers or configuration parameters to distinguish production
applications, databases and objects from development.

Ensure the DBMS host complies with all applicable STIG guidelines where
shared production/development usage is noted or mitigate and document any
conflicts with the DAA.

10-175 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003803 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECSD
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Database STIG 3.3.20
(DG0017: CAT II) The DBA will ensure software development on a
production system is separated through the use of separate and
uniquely identified data and application file storage partitions and
processes/services.

10-176 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.2 DG0021: DBMS software and configuration baseline

Description: Without maintenance of a baseline of current DBMS application software,
monitoring for changes cannot be complete and unauthorized changes to the software can
go undetected. Changes to the DBMS executables could be the result of intentional or
unintentional actions.

Check:
Review DBMS software baseline procedures and implementation evidence.

Review the list of files, directories and details included in the current baseline for
completeness.

If DBMS software configuration baseline procedures do not exist, evidence of

implementation does not exist, or baseline is not documented and current, this is a
Finding.

Fix:
Develop, document and implement DBMS software baseline procedures that
include all DBMS software files and directories under the ORACLE_BASE and
ORACLE_HOME environment variables and any custom and platform-specific
directories. Generate a list of files, directories and details for the DBMS software
configuration baseline. Update the configuration baseline after new installations,
upgrades/updates or maintenance activities that include changes to the baseline
software.

VKEY: V0003806 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSW Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.13
STIG Requirement: (DG0021: CAT II) The DBA will ensure a baseline of database
application software and DBMS application objects is maintained for
comparison.

10-177 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.3 DG0052: DBMS software access audit

Description: Protections and privileges are designed within the database to correspond
to access via authorized software. Use of unauthorized software to access the database
could indicate an attempt to bypass established permissions. Reviewing the use of
application software to the database can lead to discovery of unauthorized access
attempts.

Check:
On UNIX Systems:
ps –ef | grep tnslsnr | grep –v grep

On Windows Systems:
Launch the Services snap-in, locate the Oracle processes and look for any
TNSListener processes with STATUS = Started.

If a listener is not running on the local database host server, this check is NA.

Review the listener.ora file for each listener that accepts remote database
connections. For each of these listeners, confirm the listener configuration file
does not include the parameter and value (where the word LISTENER listed
below is replaced by the actual alias of your listener):

LOGGING_LISTENER = OFF

If it does, listener logging of connection data is not enabled. Confirm that

disabling of listener logging is authorized by the IAO and that database access is
audited by another method. If it is disabled and is not authorized, this is a Finding.

Fix:
Configure the listener to log connection data by including or modifying the
following parameter definition in the listener.ora file (where the word LISTENER
listed below is replaced by the actual alias of your listener) or removing the line
entirely (Oracle Listener default is to log connection data):

LOGGING_LISTENER = ON

VKEY: V0003807 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAT Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.3
STIG Requirement: (DG0052: CAT II) The DBA will include the name of the application
used to connect to the database in the audit trail where available.

10-178 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.4 DG0054: DBMS software access audit review

Description: Regular and timely reviews of audit records increases the likelihood of
early discovery of suspicious activity. Discovery of suspicious behavior can in turn
trigger protection responses to minimize or eliminate a negative impact from malicious
activity. Use of unauthorized application to access the DBMS may indicate an attempt to
bypass security controls.

Check:
If application access audit data is not available due to the lack of a local listener
process or alternate method of auditing database access, this check is NA (see
check DG0052).

Review the list of applications authorized to connect to the Oracle database as

listed or noted in the System Security Plan. If no list exists, this is a Finding.

Review evidence of audit log monitoring to detect use of unauthorized

applications to access the database. If no evidence exists or is incomplete, this is a
Finding.

Fix:
Document applications authorized to access the DBMS in the System Security
Plan. Design, document and implement a process to review the listener log file or
the results from any alternate methods used to support database access auditing to
detect connections from unauthorized applications. Include in this process a
method to generate and provide evidence of monitoring. This may include
automated or manual processes acknowledged by the auditor or IAO.

VKEY: V0015611 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAT Check Database Responsibility: Documentable: False
Type: level: False IAO
Manual
Reference: Database STIG 3.3.3
STIG Requirement: (DG0054: CAT III) The IAO or Database Auditor will regularly
review the audit trail to discover access by unauthorized application
software.

10-179 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.5 DG0109: DBMS Dedicated Host

Description: In the same way that added security layers can provide a cumulative
positive effect on security posture, multiple applications can provide a cumulative
negative effect. A vulnerability and subsequent exploit to one application can lead to an
exploit of other applications sharing the same security context. For example, an exploit to
a web server process that leads to unauthorized administrative access to the host system
can most likely lead to a compromise of all applications hosted by the same system. A
DBMS not installed on a dedicated host is threatened by other hosted applications.
Applications that share a single DBMS may also create risk to one another. Access
controls defined for one application by default may provide access to the other
application's database objects or directories. Any method that provides any level of
separation of security context assists in the protection between applications.

Check:
Review a list of Windows service or UNIX processes running on the DBMS host.
For Windows, review the Services snap-in. Investigate with the DBA/SA any
unknown services. For UNIX, issue the ps -ef command. Investigate with the
DBA/SA any unknown processes.

If web, application, ftp, domain, print or other non-DBMS services or processes

are identified as supporting other optional applications or functions not authorized
in the System Security Plan, this is a Finding.

NOTE: Only applications that are technically required to share the same host
system may be authorized to do so. Applications that share the same host for
administrative, financial or other non-technical reasons may not be authorized and
are a Finding.

Fix:
A dedicated host system in this case refers to an instance of the operating system
at a minimum. The operating system may reside on a virtual host machine.

Remove any unauthorized processes or services and install on a separate host

system. Where separation is not supported, update the System Security Plan to
provide the technical requirement for having the application share a host with the
DBMS.

10-180 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015146 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: False IAO
Manual
Reference: Database STIG 3.1.6
STIG Requirement: (DG0109: CAT II) The IAO will ensure the DBMS host is dedicated
to support of the DBMS and is not shared with other application
services including web, application, file, print, or other services unless
mission or operationally required and documented in the System
Security Plan.

10-181 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.6 DG0175: DBMS host and component STIG compliancy

Description: The security of the data stored in the DBMS is also vulnerable to attacks
against the host platform, calling applications, and other application or optional
components.

Check:
If the DBMS host being reviewed is not a production DBMS host, this check is
NA.

Review evidence of security hardening and auditing of the DBMS host platform,
the application(s) that store data in the database, and any other separately
configured components that access the database including web servers,
application servers, report servers, etc.

If any have not been hardened and received a security audit, this is a Finding.

Fix:
Configure all related application components and the DBMS host platform in
accordance with the applicable DoD STIG. Regularly audit the security
configuration of related applications and the host platform to confirm continued
compliance with security requirements.

VKEY: V0015116 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECSC Check Database Responsibility: Documentable: False
Type: level: False IAO
Manual
Reference: Database STIG 3.3.19
STIG Requirement: (DG0175: CAT II) The IAO will ensure the DBMS host and related
applications and components comply with all applicable DoD STIGs.

10-182 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.7 DG0176: DBMS audit log backups

Description: DBMS audit logs are essential to the investigation and prosecution of
unauthorized access to the DBMS data. Unless audit logs are available for review, the
extent of data compromise may not be determined and the vulnerability exploited may
not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged
compromise of the data.

Check:
Oracle audit events are logged to error logs, trace files, host system logs and may
be stored in database tables. For each Oracle database on the host, determine the
location of the database audit trail.

From SQL*Plus:
select value from v$parameter where name='audit_trail';

If the audit trail is directed to database tables (DB*), ensure the audit table data is
included in the database backups. Backups of host system log files are covered in
host system security reviews and are not covered here.

Other Oracle log files include:

- Listener trace file (specified in the listener.ora file)
- SQLNet trace file (specified in the sqlnet.ora file)
- Oracle database alert and trace files (specified in Oracle parameters):
-- audit_file_dest
-- db_recovery_file_dest
-- diagnostic_dest – 11.1 and higher
-- log_archive_dest
-- log_archive_dest_n

If evidence of inclusion of all audit log files in regular DBMS or host backups
does not exist, this is a Finding.

Fix:
Document and implement locations of trace, log and alert locations in the System
Security Plan. Include all trace, log and alert files in regular backups.

VKEY: V0015117 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-C
IA Control: ECTB Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.21
STIG Requirement: (DG0176: CAT II) The DBA will ensure the DBMS audit logs are
included in DBMS backup procedures.

10-183 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.8 DG0012: DBMS software storage location

Description: A DBMS not installed on a dedicated host is threatened by other hosted
applications. Any method that provides a level of separation of security context assists in
the protection between applications.

Check:
For UNIX Systems:
ls $ORACLE_BASE
ls $ORACLE_HOME

If the ORACLE_BASE directory contains subdirectories other than

ORACLE_HOME directories, a flash_recovery_area directory and an admin
directory, verify they are used by the DBMS. If they are not part of the Oracle
DBMS software product, this is a Finding.

NOTE: Oracle DBMS data file storage may be placed on a separate, dedicated
disk partition and linked to ORACLE_BASE. Refer to check DG0112.

For Windows Systems:

echo %ORACLE_BASE%
echo %ORACLE_HOME%

ORACLE_BASE, if defined, is usually set to C:\Program Files\Oracle.

For Both:
If ORACLE_HOME is not on a dedicated drive or partition from the OS
software and other applications, this is a Finding.

Fix:
Install DBMS applications on partitions or directories separate from the OS
software and other applications. Recommend DBMS server software be installed
on a dedicated DBMS server host.

VKEY: V0004754 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP
IA Control: DCPA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.6
STIG Requirement: (DG0012: CAT II) The DBA will install and maintain database
software directories including DBMS configuration files in dedicated
directories or disk partitions separate from the host OS and other
applications.

10-184 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.9 DG0019: DBMS software ownership

Description: File and directory ownership imparts full privileges to the owner. These
privileges should be restricted to a single, dedicated account to preserve proper chains of
ownership and privilege assignment management.

Check:
Ask the DBA/SA to demonstrate file ownership of the Oracle DBMS software
and files/directories.

On Windows systems:
The Oracle DBMS software is installed using an account with administrator
privileges. Ownership is assigned to the account used to install the DBMS
software. Change of ownership can be performed, but is not necessary and any
check results are not a Finding.

On UNIX systems:
cd $ORACLE_BASE;ls -lR>orafiles.txt;more orafiles.txt

Review the resulting text file and note the owner/group ownership. Also Review
Oracle DBMS files/directories outside of $ORACLE_BASE (e.g. /etc,
/var/opt/oracle, /usr/local/bin) and ensure file and group ownership is assigned to
the dedicated host OS account. If any files or directories belonging to the DBMS
software are not owned by a designated host OS account, this is a Finding.

The ownership and permissions for the following files (if present) should not be
changed:
extjob
nmb
nmo
oradism
externaljob.ora

Fix:
Assign DBMS file and directory ownership to a dedicated host OS software
installation and maintenance account. Use the software owner account to install
and maintain the DBMS software libraries and configuration files where
applicable. Document locations of Oracle DBMS files and directories in the
System Security Plan.

10-185 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003805 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSL Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.10
STIG Requirement: (DG0019: CAT III) The DBA will ensure database application
software is owned by the authorized application owner account.

10-186 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.10 DG0092: DBMS data file encryption

Description: Where system and DBMS access controls do not provide complete
protection of sensitive or classified information, the Information Owner may require
encryption to provide additional protection. Encryption of sensitive data helps protect
disclosure to privileged users who do not have a need-to-know requirement to the data,
but may be able to access DBMS data files using OS file tools.

NOTE: The decision to encrypt data is the responsibility of the Information Owner and
should be based on other access controls employed to protect the data.

Check:
Review the System Security Plan to determine if sensitive or classified data
identified by the Information Owner requires encryption.

If no data is identified as being sensitive or classified in the System Security Plan

or if no sensitive or classified data is identified as requiring encryption by the
Information Owner in the System Security Plan, this check is NA.

Consider which data files store sensitive or classified data. Not all DBMS data
files require encryption.

Review encryption applied to the DBMS host data file. If no encryption is

applied, this is a Finding.

Fix:
Use native DBMS or native OS encryption to encrypt DBMS data files that store
sensitive or classified data as required by the Information Owner. To reduce the
impact on system performance, separate sensitive data where file encryption is
required into dedicated data files.

VKEY: V0015132 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECCR Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.5
STIG Requirement: (DG0092: CAT II) The DBA will ensure database data files are
encrypted where encryption of sensitive data within the DBMS is not
available.

10-187 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.11 DG0195: DBMS host file privileges assigned to developers

Description: Developer roles should not be assigned DBMS administrative privileges to
production DBMS application and data directories. The separation of production DBA
and developer roles helps protect the production system from unauthorized, malicious or
unintentional interruption due to development activities.

Check:
If the DBMS or DBMS host is not shared by production and development
activities, this check is NA.

Review OS DBA group membership.

If any developer accounts as identified in the System Security Plan have been
assigned DBA privileges, this is a Finding.

Fix:
Create separate DBMS host OS groups for developer and production DBAs. Do
not assign or remove production DBA OS group membership from accounts used
for development.

VKEY: V0015109 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECPC Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.15
STIG Requirement: (DG0195: CAT II) The SA/DBA will ensure developer accounts on a
shared production/development host system are not granted operating
system privileges to production files, directories or database
components.

10-188 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.12 DO0133: Oracle connection credential protection

Description: Access to database connection credential stores provides easy access to the
database. Without access controls in place to prevent unauthorized access to the
credentials, unauthorized access to the database can result.

Check:
Review the System Security Plan to discover any external storage of passwords
used by applications, batch jobs or users to connect to the database.

If no database passwords or credentials are stored outside of the database

including use of Oracle Wallets and the Oracle password file (pwd*.ora or
orapwd*.ora), this check is NA.

View the sqlnet.ora file to determine if Oracle Wallets are used for authentication.
If the "WALLET_LOCATION" entry exists in the file, then view permissions on
the directory and contents. If access to this directory and these files is not
restricted to the Oracle database and listener services, DBA's, and other
authorized system and administrative accounts this is a Finding.

From SQL*Plus:
select value from v$parameter where name='remote_login_passwordfile';

If the command returns the value NONE, this is not a Finding. If it returns the
value SHARED, this is a Finding. If it returns the value EXCLUSIVE, view
access permissions to the Oracle password file. The default name for Windows is
pwd[SID].ora and is located in the ORACLE_HOME\database directory. On
UNIX hosts, the file is named orapw[SID] and stored in the
$ORACLE_HOME/dbs directory. If access to this file is not restricted to the
Oracle database, DBA's, and other authorized system and administrative accounts,
this is a Finding.

For other password or credential stores, interview the DBA to ask what
restrictions to the storage location of passwords have been assigned. If accounts
other than those that require access to the storage location have been granted
permissions, this is a Finding.

Fix:
Consider alternate methods for database connections to avoid custom storage of
local connection credentials.

Develop and document use of locally stored credentials and their authorized use
and access in the System Security Plan. Restrict access and use of the credentials
to authorized users using host file permissions and any other available method to
restrict access.

10-189 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003844 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0191: CAT II) The DBA will ensure credentials stored in or used
by the DBMS that are used to access remote databases or other
applications are protected by encryption and access controls.

10-190 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.13 DO3847: Oracle spoolmain.log file (Oracle 9i)

Description: The spoolmain.log file is generated by the Database Configuration
Assistant (DBCA) database management tool. This file may contain login passwords in
clear text. Disclosure of this file to unauthorized persons provides login credentials to the
privileged DBA account.

Check:
If the Oracle version is 10.1 and later, this check is NA.

View the ORACLE_HOME/assistants/dbca or /oracle/admin/[SID]/scripts/log

directory for any file named spoolmain.log. If one exists, this is a Finding.

Review the System Security Plan for monitoring procedures to detect and delete
the spoolmain.log file. If monitoring procedures are not documented and evidence
of implementation is not present, this is a Finding.

Fix:
Delete the spoolmain.log file after use of the DBCA utility. The DBCA utility
may automatically run during database installation. Develop, document and
implement procedures to monitor the DBMS system to detect and delete any re-
occurrence of the spoolmain.log file.

VKEY: V0002607 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0191: CAT II) The DBA will ensure credentials stored in or used
by the DBMS that are used to access remote databases or other
applications are protected by encryption and access controls.

10-191 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.14 DO5037: Oracle SQLNet and listener log files protection

Description: The SQLNet and Listener log files provide audit data useful to the
discovery of suspicious behavior. The log files may contain usernames and passwords in
clear text as well as other information that could aid a malicious user with unauthorized
access attempts to the database. Generation and protection of these files helps support
security monitoring efforts.

Check:
Locate the Listener and SQLNet log files. For all Oracle versions/platforms, view
the contents of the sqlnet.ora and listener.ora configuration files located in the
ORACLE_HOME/network/admin directory or the directory specified by the
TNS_ADMIN environment variable (if set) for the listener process/service
account:

If the sqlnet.ora parameter TRACE_LEVEL_SERVER is not defined or is set to

OFF OR 0, then SQLNet logging is not enabled and the check for these
parameters below is NA.

Otherwise, verify the directories specified in the following parameters of the

sqlnet.ora file exist:

LOG_FILE_SERVER = sqlnet [filename is sqlnet.log]

LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Verify the directories and files specified in the following parameters of the
listener.ora exist:

NOTE: If the Oracle version is 11.1 or higher and you are using Automatic
Diagnostic Repository (ADR) logging (DIAG_ADR_ENABLED_[listener name]
= ON in listener.ora), the following parameters are NA for Oracle 11.1. Setting
DIAG_ADR_ENABLED_[listener name] = OFF in Oracle 11.1 reverts to
traditional listener tracing/logging and the following parameters are in effect. For
more information on Automatic Diagnostic Repository (ADR), refer to Oracle
MetaLink Note 454927.1.

LOG_DIRECTORY_[listener name] = [directory on a volume with enough free space]

LOG_FILE_[listener name] = listener
TRACE_DIRECTORY_[listener name] = [directory on a volume with enough free space]

Default log file locations (by Oracle Version):

- Oracle 11.1 (DIAG_ADR_ENABLED_[listener name] = OFF):

-- listener log directory and file: ORACLE_HOME/network/log/listener.log

-- listener trace directory and files: ORACLE_HOME/network/trace/listener.trc
-- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log

10-192 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

-- sqlnet trace file: ORACLE_HOME/network/trace/sqlnet.trc

- Oracle 11.1 (DIAG_ADR_ENABLED_[listener name] = ON):

NOTE: The ADR_HOME is defined from the ADR_BASE parameter. If

ADR_BASE is not defined, then ADR_BASE is set to the value of the
DIAGNOSTIC_DEST initialization parameter, or if DIAGNOSTIC_DEST is
not defined, then the value of the ORACLE_BASE environment variable is
used. See Oracle MetaLink Note 453125.1 for more information on ADR file
locations.

-- listener log directory and file: [ADR_HOME]/alert/log.xml

-- listener trace log directory and files: [ADR_HOME]/trace/alert_[SID].log and
[ADR_HOME]/trace/*.trc
-- sqlnet log file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/sqlnet.log and [listener
name].log
-- sqlnet trace file: [ADR_BASE]/diag/clients/[database name]/[SID]/trace/*.trc

- Oracle 10.2 and earlier:

-- listener and sqlnet log files: ORACLE_HOME/network/log

-- sqlnet log file: ORACLE_HOME/network/log/sqlnet.log
-- sqlnet trace file: ORACLE_HOME/network/trace/*.trc

The listener log file location may also be determined using the lsnrctl utility,
STATUS command, and viewing the value displayed for listener log file.

Review access permissions assigned to the files and directories:

- For UNIX, verify that the permissions on the directory and log files are
restricted to the Oracle software owner and OS DBA and/or Listener process
group.

- For Windows, verify that the file permissions on the listener.log and sqlnet.log
files restrict access to the Oracle software owner and OS DBA and/or Listener
process group.

If access to the files is not restricted as listed above, this is a Finding.

Fix:
Restrict access to the listener and sqlnet log files.

Restrict access to the tnslsnr service account to DBAs, SAs and auditors where
they are required by assigned responsibilities.

10-193 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0002612 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECTP Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.22
STIG Requirement: (DG0032: CAT II) The DBA will ensure DBMS audit records are
protected from unauthorized access.

10-194 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.15 DG0140: DBMS security data access audit

Description: DBMS security data is useful to malicious users to perpetrate activities that
compromise DBMS operations or data integrity. Implementing auditing of access to
security data can support forensic and accountability investigations.

Check:
Determine the locations of DBMS audit, configuration, credential and other
security data. Review audit settings for these files or data objects.

If access to the security data is not audited, this is a Finding.

If no access is audited, consider the operational impact and appropriateness for

access that is not audited.

If the risk for incomplete auditing of the security files is reasonable and
documented in the System Security Plan, then do not include this as a Finding.

Fix:
Determine all locations for storage of DBMS security and configuration data.
Enable auditing for access to any security data. If auditing results in an
unacceptable adverse impact on application operation, reduce the amount of
auditing to a reasonable and acceptable level. Document any incomplete audit
with acceptance of the risk of incomplete audit in the System Security Plan.

VKEY: V0015643 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAR Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.2
STIG Requirement: (DG0140: CAT II) The DBA will ensure all access to DBMS
configuration files, database audit data, database credential, or any
other DBMS security information is audited.

10-195 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.16 DO0145: Oracle SYSDBA OS group membership

Description: Oracle SYSDBA privileges include privileges to administer the database
outside of database controls (when the database is shut down) in addition to all privileges
controlled under database operation. Assignment of membership to the OS dba group to
unauthorized persons can compromise all DBMS activities.

Check:
Review the membership for the Oracle DBA host system OS group.

On UNIX systems:
cat /etc/group | grep -i dba [where dba is the default group name from Oracle]

To display the group name if dba is not the default, use the command:
cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP

On Windows Systems:
Open Computer Management, expand System Tools, expand Local Users and
Groups, select the Group folder. Double-click on the ORA_DBA group to view
group members.

Compare the list of members with the list of authorized DBA accounts
documented in the System Security Plan. If any users are assigned to the group
that are not authorized by the IAO and documented in the System Security Plan
for the system, this is a Finding.

Fix:
Document user accounts that are authorized by the IAO to be assigned DBA
privileges.

Remove any accounts assigned membership in the operating system DBA group
that has not been authorized.

Develop and implement procedures for periodic review of accounts assigned

membership to the DBA group.

VKEY: V0003845 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSD Check Database Responsibility: Documentable: False
Type: level: False
IAO
Manual
Reference: Database STIG 3.1.9
STIG Requirement: (DG0153: CAT III) The IAO will assign and authorize DBA
responsibilities for the DBMS.

10-196 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.17 DG0025: DBMS encryption compliance

Description: Use of cryptography to provide confidentiality and non-repudiation is not
effective unless strong methods are employed with its use. Many earlier encryption
methods and modules have been broken and/or overtaken by increasing computing
power. The NIST FIPS 140-2 cryptographic standards provide proven methods and
strengths to employ cryptography effectively.

Check:
For UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory –detail | grep “Oracle Advanced
Security”

For Windows Systems:

%ORACLE_HOME%/OPatch/opatch lsinventory –detail | find “Oracle
Advanced Security”

If Oracle Advanced Security is not installed, this check is NA.

For Oracle version 11.1 and later:

View the FIPS.ORA file found in the ORACLE_HOME/ldap/admin directory or
the directory specified in the FIPS_HOME environment variable if set. If the file
does not exist, it can be created. If SSLFIPS_140=TRUE is not set, this is a
Finding. If SSL_CIPHER_SUITES is not defined, this is a Finding. If any cipher
suite listed in SSL_CIPHER_SUITES value list is not included in the cipher
suite list included below (and in this order), this is a Finding.

For Oracle version 10.1 and 10.2:

View the SQLNET.ORA file. If SQLNET.SSLFIPS_140=TRUE is not set, this
is a Finding. If SSL_CIPHER_SUITES is not defined, this is a Finding. If any
cipher suites listed in SSL_CIPHER_SUITES value list is not included in the
cipher suite list included below (and in this order), this is a Finding.

FIPS 140-2 validated cipher suites for the Oracle SSL Libraries in the order of
strongest to weakest:

SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA

10-197 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

NOTE: Earlier versions of Oracle’s cryptographic modules were validated only

against FIPS 140-1 criteria.

Fix:
Installation of Oracle Advanced Security product (which may require additional
Oracle licensing consideration) is required to use native Oracle encryption.

Please see the Oracle Advanced Security Administration Guide for configuration
and use of encryption in the database. The OAS Administration Guide provides
references to the encryption features provided by Oracle Advanced Security.

Instructions for the configuration of FIPS 140-2 compliance for encryption of

network communications are provided in a dedicated appendix of the Oracle
Advanced Security Administration Guide.

Encryption of data stored within the database is available only in Oracle versions
11.1 and later. View Data Encryption and Integrity in the Oracle Advanced
Security Administration Guide for configuration details. All cipher suites listed
above include FIPS 140-2 validated algorithms available for data encryption.

VKEY: V0015610 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCNR Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.5
STIG Requirement: (DG0025: CAT II) The DBA will ensure FIPS 140-2 validated
cryptography is used where encryption, digital signature, key
exchange, and secure hashing is required and is configured to use
NIST approved standards.

10-198 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.18 DG0093: Remote administration encryption for confidentiality

Description: Communications between a client and database service across the network
may contain sensitive information including passwords. This is particularly true in the
case of administrative activities. Encryption of remote administrative connections to the
database ensures confidentiality of configuration, management, and other administrative
data.

Check:
Ask the DBA if the DBMS is accessed remotely for administration purposes. If it
is not, this check is NA. If it is, ask the DBA if the remote access to DBA
accounts is made using remote access to the DBMS host or made directly to the
database from a remote database client.

If administration is performed using remote access to the DBMS host, review

policy and procedures documented or noted in the System Security Plan, along
with evidence that remote administration of the DBMS is performed only via an
encrypted connection protocol such as SSH or IPSec. If it is not, this is a Finding.

If administration is performed from a remote database client, confirm that a

dedicated database listener that encrypts communications exists for remote
administrative communications. If a DBMS listener that encrypts traffic is not
configured, this is a Finding.

If any listeners on the DBMS host are configured to accept unencrypted traffic,
review documented policy, procedures and evidence of training DBAs not to use
the unencrypted listener for remote access to DBA accounts. If no such policy
exists or the DBAs have not been instructed not to use the unencrypted
connections, this is a Finding.

Fix:
Where remote access to DBA accounts is not allowed, establish and implement
policies and train DBAs that remote access to DBA accounts is prohibited.

Where remote access to DBA accounts is allowed, the remote connection must be
encrypted. If remote access is established via the database listener, then install a
dedicated listener configured to encrypt all traffic for use by DBAs for remote
access. This requires use of Oracle Advanced Security and Oracle Wallet
Manager. See the Oracle Advanced Security Guide, Configuring Network Data
Encryption and Integrity for Oracle Servers and Clients for details.

Configure the listener to require SSL for the DBA connections by specifying the
TCPS as the network protocol. Sample listener.ora entries:

DBALSNR =
(DESCRIPTION =
10-199 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

(ADDRESS = (PROTOCOL = TCPS) (HOST = [IP]) (PORT = 1575))

(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = [SID])
)
)

Configure the server's FIPS.ORA or SQLNET.ORA file to use FIPS 140-2

compliant settings to encrypt the traffic and ensure integrity of the transmission:

In the FIPS.ORA (11.1 and later) file in the $ORACLE_HOME/ldap/admin

directory or the directory specified in the FIPS_HOME environment variable for
the dedicated listener on the server, add the following line:

SSLFIPS_140=TRUE

In the SQLNET.ORA (10.2 and earlier) file in the ORACLE_HOME/ldap/admin

directory or the directory specified in the TNS_ADMIN environment variable for
the dedicated listener on the server, add the following line (both client and
server):

SQLNET.SSLFIPS_140=TRUE

Monitor the listener log files for evidence of any unencrypted remote access to
DBA accounts.

VKEY: V0003825 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: Check Database Responsibility: Documentable: False
ECCT/ECNK Type: level: FalseDBA
Manual
Reference: Database STIG 3.3.6
STIG Requirement: (DG0093: CAT II) The DBA will ensure remote administrative
connections to the database are encrypted.

10-200 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.19 DG0103: DBMS listener network restrictions

Description: Network listeners provide the means to connect to the DBMS from remote
systems. Restricting remote access to specific, trusted systems, helps prevent access by
unauthorized and potentially malicious users.

Check:
If a listener is not running on the local database host server, this check is NA.

IP address restriction may be defined for the database listener, by use of the
Oracle Connection Manager, or by another network device. Identify the method
used to enforce address restriction (interview or System Security Plan review).

If enforced by the database listener, then review the SQLNET.ORA file located in
the ORACLE_HOME/network/admin directory or the directory indicated by the
TNS_ADMIN environment variable or registry setting. If the following entries do
not exist, then restriction by IP address is not configured and is a Finding.

tcp.validnode_checking=YES
tcp.invited_nodes=(IP1, IP2, IP3)

If enforced by an Oracle Connection Manager, then review the CMAN.ORA file

for the Connection Manager (located in the TNS_ADMIN or
ORACLE_HOME/network/admin directory for the connection manager). If a
RULE entry allows all addresses ("/32") or does not match the address range
specified in the System Security Plan, this is a Finding.

(rule=(src=[IP]/27)(dst=[IP])(srv=*)(act=accept))

NOTE: an IP address with a "/" indicates acceptance by subnet mask where the
number after the "/" is the left most number of bits in the address that must match
for the rule to apply. If this rule is database-specific, then determine if the
SERVICE_NAME parameter is set:

From SQL*PLUS:
show parameter service_name;

If SERVICE_NAME is set in the initialization file for the database instance, use
(srv=[service name]), else, use (srv=*) if not set or rule applies to all databases on
the DBMS server.

If network address restriction is by an external device, confirm the device is

configured in accordance with the System Security Plan specification for it. If it is
not, this is a Finding.

Fix:
10-201 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Configure the database listener to restrict access by IP address. Where the number
of addresses to allow is not feasible to define for the listener, use the Oracle
Connection manager or an external device.

See the Oracle Net Reference and Oracle Net Services Administrators Guides
(release-specific) for information on configuring the listener or Connection
Manager.

VKEY: V0015621 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False
DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0103: CAT II) The DBA will ensure database and host system
listeners that provide configuration of network restrictions are
configured to restrict network connections to the database to
authorized network addresses and protocols.

10-202 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.20 DG0167: Encryption of DBMS sensitive data in transit

Description: Sensitive data served by the DBMS and transmitted across the network in
clear text is vulnerable to unauthorized capture and review.

Check:
Review the System Security Plan to determine if any requirements to encrypt
sensitive data are listed for network transmission of DBMS data. If no
requirements are listed, this check is NA.

If encryption requirements are listed and specify configuration at the host system
or network device level, then review evidence that the configuration meets the
specification. It may be necessary to review network device configuration
evidence or host communications configuration evidence.

If the evidence review does not meet the requirement or specification as listed in
the System Security Plan, this is a Finding.

Fix:
Configure encryption of sensitive data served by the DBMS in accordance with
the specifications provided in the System Security Plan.

VKEY: V0015104 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECCT Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.6
STIG Requirement: (DG0167: CAT I) The DBA will ensure database communications are
encrypted when transmitting sensitive data across untrusted network
segments and in accordance with the application requirements.

10-203 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.21 DG0198: DBMS remote administration encryption

Description: Remote administration provides many conveniences that can assist in the
maintenance of the designed security posture of the DBMS. On the other hand, remote
administration of the database also provides malicious users the ability to access from the
network a highly privileged function. Remote administration needs to be carefully
considered and used only when sufficient protections against its abuse can be applied.
Encryption and dedication of ports to access remote administration functions can help
prevent unauthorized access to it.

Check:
Ask the DBA if the DBMS is accessed remotely for administration purposes. If it
is not, this check is NA.

Check DG0093 specifies remote administration encryption for confidentiality.

This check should confirm the use of dedicated and encrypted network addresses
and ports.

Review configured network access interfaces for remote DBMS administration.

These may be host-based encryptions such as IPSec or may be configured for the
DBMS as part of the network communications and/or in the DBMS listening
process. For DBMS listeners, verify that encrypted ports exist and are restricted to
specific network addresses to access the DBMS. View the System Security Plan
to review the authorized procedures and access for remote administration.

If the configuration does not match the specifications in the System Security Plan,
this is a Finding.

Fix:
Disable remote administration where it is not required. Consider restricting
administrative access to local connections only. Where necessary, configure the
DBMS network communications to provide an encrypted, dedicated port for
remote administration access. Develop and provide procedures for remote
administrative access to DBAs that have been authorized for remote
administration. Verify during audit reviews that DBAs do not access the database
remotely except through the dedicated and encrypted port.

VKEY: V0015662 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: EBRP Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.4.2
STIG Requirement: (DG0198: CAT II) The SA/DBA will ensure remote administration
connections to the database are restricted to dedicated and encrypted
network addresses and ports.
10-204 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.22 DO0285: Oracle listener network port assignment

Description: Use of default ports is required in DoD networks to support network
security device management.

NOTE: This supersedes previous instruction for this check.

Check:
If a listener is not running on the local database host server, this check is NA.

Review the listener.ora file located by default in the

ORACLE_HOME\network\admin directory or in the directory specified in the
environment variable TNS_ADMIN defined for the listener process or service.

View the "PORT=" parameter for any protocols defined. If any do not match an
entry in the following list, then confirm that it is not a default or registered port
for the service.

If any non-default or non-registered ports are listed, this is a Finding.

Default Oracle listener ports: 1521, 2483, 2484 and 1830

Default Connection Manager port: 1630

Registered ports MAY be listed at http://www.iana.org/assignments/port-numbers

or in the DoD Ports, Protocols, and Services Category Assurance List (CAL).

Fix:
Specify a default or registered port for TCP/IP protocols in the listener.ora file in
the PORT= parameter of the address specification.

VKEY: V0003861 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCPP Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.7
STIG Requirement: (DG0152: CAT II) The SA/DBA will ensure DBMS network
communications comply with DoDI 8551.1 Ports, Protocols and
Services Management.

10-205 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.23 DO0286: Oracle connection timeout parameter

Description: The INBOUND_CONNECT_TIMEOUT_[listener-name] and
SQLNET.INBOUND_CONNECT_TIMEOUT defines the limit the database listener and
database server respectively will wait for a client connection to complete after a
connection request is made. This limit protects the listener and database server from a
Denial-of-Service attack where multiple connection requests are made that are not used
or closed from a client. Server resources can be exhausted if unused connections are
maintained.

Check:
Review the listener.ora file and the sqlnet.ora file.

If the INBOUND_CONNECT_TIMEOUT_[listener-name] parameter does not

exist for each listener found in the listener.ora and contain a value greater than 0,
this is a Finding.

If the SQLNET.INBOUND_CONNECT_TIMEOUT parameter does not exist in

the sqlnet.ora and contain a value greater than 0, this is a Finding.

NOTE: although the default value may provide adequate protection, assuming the
default could lead to unanticipated changes in future product updates. Specify a
value to manage the setting.

Fix:
Using a text editor or administrative tool, modify the listener.ora file to include a
limit for connection request timeouts for the listener.

Example entry (value unit is in seconds):

INBOUND_CONNECT_TIMEOUT_LISTENER = 2

Modify the sqlnet.ora file to include a limit for connection request timeouts for
the listener.

Example entry (value unit is in seconds):

SQLNET.INBOUND_CONNECT_TIMEOUT = 3

10-206 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003862 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Database STIG 3.3.10
(DG0134: CAT II) The DBA will configure where supported by the
DBMS a limit of concurrent connections by a single database account
to the limit specified in the System Security Plan, a number
determined by testing or review of logs to be appropriate for the
application. The limit will not be set to unlimited except where
operationally required and documented in the System Security Plan.

10-207 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.24 DO0287: Oracle SQLNET.EXPIRE_TIME parameter

Description: The SQLNET.EXPIRE_TIME parameter defines a limit for the frequency
of active connection verification of a client connection. This prevents indefinite open
connections to the database where client connections have not been terminated properly.
Indefinite open connections could lead to an exhaustion of system resources or leave an
open connection available for compromise.

Check:
View the SQLNET.ORA file to verify if a SQLNET.EXPIRE_TIME has been set
to the value greater than 0.

If it does not exist or is set to 0, this is a Finding.

Fix:
Using a text editor or administrative tool, modify the SQLNET.ORA file on the
database host server to include a limit for connection request timeouts for the
listener.

Example entry (value unit is in seconds):

SQLNET.EXPIRE_TIME=3

NOTE: Use the lowest number possible that does not generate so much network
traffic that performance becomes unacceptable. The lower the number, the less
likely an exhaustion of resources will occur. Set the value to the lowest number
greater than 0 that is supported by the target system environment.

VKEY: V0003863 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLO
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Database STIG 3.3.10
(DG0134: CAT II) The DBA will configure where supported by the
DBMS a limit of concurrent connections by a single database account
to the limit specified in the System Security Plan, a number
determined by testing or review of logs to be appropriate for the
application. The limit will not be set to unlimited except where
operationally required and documented in the System Security Plan.

10-208 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.25 DO3630: Oracle listener authentication

Description: Oracle listener authentication helps prevent unauthorized administration of
the Oracle listener. Unauthorized administration of the listener could lead to DoS
exploits; loss of connection audit data, unauthorized reconfiguration or other
unauthorized access. This is a Category I finding because privileged access to the listener
is not restricted to authorized users. Unauthorized access can result in stopping of the
listener (DoS) and overwriting of listener audit logs.

Check:
If a listener is not running on the local database host server, this check is NA.

NOTE: This check needs to be done only once per host system and once per
listener. Multiple listeners may be defined on a single host system. They must all
be reviewed, but need not be reviewed once per database review. For subsequent
database home reviews on the same host system, mark this check as NA.

Determine all Listeners running on the host.

For Windows hosts, view all Windows services with TNSListener embedded in
the service name
- For 10.1 to 11.1 the service name format is:
Oracle[ORACLE_HOME_NAME]TNSListener
- For 9.2 and earlier the service name format is:
[ORACLE_HOME_NAME]TNSListener

For UNIX hosts, the Oracle Listener process will indicate the TNSLSNR
executable

At a command prompt, issue the command:

ps -ef | grep -i tnslsnr | grep –v grep

The alias for the listener follows tnslsnr in the command output.

For Oracle versions 10.1 and later, you must be logged on the host system using
the account that owns the tnslsnr executable (UNIX). If the account is denied
local login, have the system SA assist you in this task by 'su' to the listener
account from the root account. On Windows platforms, log in using an account
with administrator privileges to complete the check.

Listener versions 10.1 and later require the use of the listener control utility to
access and configure the listener be restricted to users authenticated by the
operating system. The listener "Security" setting displayed by the LSNRCTL
STATUS command returns the current administration authentication setting. If
listener administrative access authentication is set to a value other than Local OS
authentication, this is a Finding.
10-209 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

To view the listener administration authentication setting:

- From a system command prompt, execute the listener control utility:

lsnrctl

NOTE: for listeners prior to version 10.1 that are password-protected, you will
need to use the SET CURRENT_LISTENER command to access a listener with a
name other than LISTENER, followed by the SET PASSWORD command and
password entry in order to use the STATUS command. If you receive the error
"TNS-01169: The listener has not recognized the password", then the listener is
password-protected.

At the LSNRCTL> prompt, enter:

status [listener name] <Enter>

If error messages are displayed, then the Listener is not running, is not configured
properly, or the password must be provided. See NOTE below.

Sample output:

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=net)))
STATUS of the LISTENER
------------------------
Alias EXTOLS
Version TNSLSNR for Linux: Version 10.2.0.4.0 - Production
Start Date 10-JUN-2007 11:03:00
Uptime 40 days 3 hr. 35 min. 46 sec
Trace Level user
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /oracle/network/admin/listener.ora
Listener Log File /oracle/network/log/listener.log
Listener Trace File /oracle/network/trace/listener.trc
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=net)))
Services Summary...
Service "ORCL" has 1 instance(s).
Instance "ORCL", status UNKNOWN 1 handler(s) for this service...
The command completed successfully
--------------------------------

Review the results for the value of Security.

If Security OFF is displayed, this is a Finding.

10-210 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

If Security ON: Local OS Authentication is displayed, this is not a Finding

(Oracle versions 10.1 and higher).

If Security ON: Password or Local OS Authentication, this is a Finding (do not

set a password on Oracle versions 10.1 and higher. Instead, use Local OS
Authentication).

Type exit, to exit the lsnrctl utility

For listener versions earlier than 10.1:

Review of the LISTENER.ORA file:

Repeat for each listener listed in the LISTENER.ORA file and/or each
listener_name.

View the contents of the LISTENER.ORA file. Use the MORE command to view
path/listener.ora where path/listener.ora is the value displayed from LSNRCTL
above.

Look for an entry beginning with PASSWORDS_[listener_name] where

listener_name is the name of the listener. If no value is specified after the
parameter, this is a Finding.

If an unencrypted password is listed, this is a Finding.

NOTE: listener passwords must meet all DoD requirements for passwords
including complexity and 60-day renewal. The listener password is not an
application password and must meet interactive user password requirements.

Fix:
Configure the listener to use Local OS Authentication for Oracle versions 10.1
and higher. This setting prevents remote administration of the listener, restricts
management to the Oracle listener owner account (UNIX) and accounts with
administrator privileges (WIN).

Remote administration of the listener should not be permitted. If listener

administration from a remote system is required, granting secure remote access to
the Oracle DBMS server and performing local administration is preferred.
Authorize and document this requirement in the System Security Plan.

Use the lsnrctl utility to set a password for the listener in Oracle versions that do
not support Local OS authentication. See the Oracle Security Guide and Oracle
Net Services Administrators Guides for detailed instruction on configuring a SSL

10-211 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

connection. Use of Oracle Advanced Security is required as well as Oracle

Internet Directory to support future DoD PKI requirements.

To set a password on listener versions earlier than 10.1, do the following four
steps from the LSNRCTL prompt:
LSNRCTL> set password
(enter the current password when prompted)
LSNRCTL> change_password
(enter the old and new passwords when prompted)
LSNRCTL> set password
(enter the new password when prompted)
LSNRCTL> save_config

VKEY: V0002608 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: EBRP Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Reference: Database STIG 3.4.2
STIG Requirement: (DG0157: CAT II) The DBA will ensure remote administration of the
database is not enabled or configured unless mission and/or
operationally required and authorized by the IAO.

10-212 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.26 DO6740: Oracle listener ADMIN_RESTRICTIONS parameter

Description: The Oracle listener process can be dynamically configured. By connecting
to the listener process directly, usually through the Oracle LSNRCTL utility, a user may
change any of the parameters available through the set command. This vulnerability has
been used to overwrite the listener log and trace files. The ADMIN_RESTRICTIONS
parameter, set in the listener.ora file, prohibits dynamic listener configuration changes
and protects the configuration using host operating system security controls.

Check:
If a listener is not running on the local database host server, this check is NA.

Use the LSNRCTL utility and issue the STATUS [listener-name] command to
locate the listener.ora file. Open the listener.ora file in a text editor or viewer.
Locate the line with ADMIN_RESTRICTIONS_[listener-name] = ON where
listener-name is the alias of the listener supplied by the DBA.

If no such line is found, this is a Finding.

Repeat for each listener listed in the LISTENER.ORA file.

Fix:
Edit the listener.ora file and add the following line for each listener in use on the
system:

ADMIN_RESTRICTIONS_[listener-name]=ON

Restart the listener to activate the setting.

VKEY: V0003497 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: EBRP Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Reference: Database STIG 3.4.2
STIG Requirement: (DG0157: CAT II) The DBA will ensure remote administration of the
database is not enabled or configured unless mission and/or
operationally required and authorized by the IAO.

10-213 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.27 DO6746: Oracle Listener host references

Description: The use of IP address in place of host names helps to protect against
malicious corruption or spoofing of host names. Use of static IP addresses is considered
more stable and reliable than use of hostnames or Fully Qualified Domain Names
(FQDN).

Check:
If a listener is not running on the local database host server, this check is NA.

Review all listener.ora files for the HOST =. Verify the HOST = value specifies
an IP address for all occurrences of the HOST = setting.

Sample:
(ADDRESS= (PROTOCOL=TCP) (HOST= [host IP address]) (PORT=1521))

If any addresses specify a host name in place of an IP or other network address,

this is a Finding.

NOTE: If a host name is used, ensure it can be locally resolved to an IP address

on the DBMS system using a host table, however, if a hostname is used, it is still
a Finding.

Fix:
Edit the listener.ora file and replace any HOST= [hostname or domain name] to
static IP addresses for the host.

The listener.ora file is by default located in the ORACLE_HOME/network/admin

directory or the directory specified in the TNS_ADMIN environment variable for
the listener service or process owner account.

VKEY: V0016031 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False
DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0103: CAT II) The DBA will ensure database and host system
listeners that provide configuration of network restrictions are
configured to restrict network connections to the database to
authorized network addresses and protocols.

10-214 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.28 DO6747: Connection Manager remote administration

Description: Remote administration provides a potential opportunity for malicious users
to make unauthorized changes to the Connection Manager configuration or interrupt its
service.

Check:
View the cman.ora file in the ORACLE_HOME/network/admin directory. If the
file does not exist, the database is not accessed via Oracle Connection Manager
and this check is NA.

If the entry and value for REMOTE_ADMIN is not listed or is not set to a value
of NO (REMOTE_ADMIN = NO), this is a Finding.

Fix:
View the cman.ora file in the ORACLE_HOME/network/admin directory of the
Connection Manager. Include the following line in the file:

REMOTE_ADMIN=NO

VKEY: V0016032 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: EBRP Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Reference: Database STIG 3.4.2
STIG Requirement: (DG0157: CAT II) The DBA will ensure remote administration of the
database is not enabled or configured unless mission and/or
operationally required and authorized by the IAO.

10-215 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.29 DO6751: SQLNET.ALLOWED_LOGON_VERSION

Description: Unsupported Oracle network client installations may introduce
vulnerabilities to the database. Restriction to use of supported versions helps to protect
the database and helps to enforce newer, more robust security controls.

Check:
If the database version is earlier than 10.1, this check is NA.

View the SQLNET.ORA file in the ORACLE_HOME/network/admin directory

or the directory specified in the TNS_ADMIN environment variable. Locate the
following entry:

SQLNET.ALLOWED_LOGON_VERSION = 10

If the parameter does not exist nor is it set to match the value shown above, this is
a Finding.

NOTE: It has been reported that the there is an Oracle bug (6051243) that
prevents connections to the DBMS using JDBC THIN drivers when this
parameter is set. The fix is available as patch 6779501.

Fix:
For Oracle database versions 10.1 and later, edit the SQLNET.ORA file to add or
edit the entry:

SQLNET.ALLOWED_LOGON_VERSION = 10

VKEY: V0016057 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: VIVM Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Reference: Database STIG 3.6.1
STIG Requirement: (DG0001: CAT I) The IAO will ensure unsupported DBMS software
is removed or upgraded prior to a vendor dropping support.

10-216 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.30 DG0005: DBMS administration OS accounts

Description: Database administration accounts are frequently granted more permissions
to the local host system than are necessary. This allows inadvertent or malicious changes
to the host operating system.

Check:
Review host system privileges assigned to the Oracle DBA group and all
individual Oracle DBA accounts.

NOTE: do not include the Oracle software installation account in any results for
this check.

For UNIX systems (as root):

cat /etc/group | grep -i dba
groups root

If "root" is returned in the first list, this is a Finding.

If any accounts listed in the first list are also listed in the second list, this is a
Finding.

Investigate any user account group memberships other than DBA or root groups
that are returned by the following command (also as root):

groups [dba user account]

Replace [dba user account] with the user account name of each DBA account.

If individual DBA accounts are assigned to groups that grant access or privileges
for purposes other than DBA responsibilities, this is a Finding.

For Windows Systems (click or select):

Start / Settings / Control Panel / Administrative Tools / Computer Management /
Local Users and Groups / Groups / ORA_DBA
Start / Settings / Control Panel / Administrative Tools / Computer Management /
Local Users and Groups / Groups / ORA_[SID]_DBA (if present)

NOTE: Users assigned DBA privileges on a Windows host are granted

membership in the ORA_DBA and/or ORA_[SID]_DBA groups. The ORA_DBA
group grants DBA privileges to any database on the system. The
ORA_[SID]_DBA groups grant DBA privileges to specific Oracle instances only.

Make a note of each user listed. For each user (click or select):
Start / Settings / Control Panel / Administrative Tools / Computer Management /
Local Users and Groups / Users / [DBA user name] / Member of
10-217 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

If DBA users belong to any groups other than DBA groups and the Windows
Users group, this is a Finding.

Examine User Rights assigned to DBA groups or group members:

Start / Settings / Control Panel / Administrative Tools / Local Security Policy /
Security Settings / Local Policies / User Rights Assignments

If any User Rights are assigned directly to the DBA group(s) or DBA user
accounts, this is a Finding.

Fix:
Revoke all host system privileges from the DBA group accounts and DBA user
accounts not required for DBMS administration.

Revoke all OS group memberships that assign excessive privileges to the DBA
group accounts and DBA user accounts.

Remove any directly applied permissions or user rights from the DBA group
accounts and DBA user accounts.

Document all DBA group accounts and individual DBA account assigned
privileges in the System Security Plan.

VKEY: V0006756 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECLP
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Database STIG 3.3.11.1
(DG0005: CAT II) The SA/DBA will ensure database administration
OS accounts required for operation and maintenance of the DBMS are
assigned the minimum OS privileges required by the specific DBMS
to perform DBA functions.

10-218 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.31 DO0120: Oracle process account host system privileges

Description: A compromise of the Oracle database process could be used to gain access
to the host operating system under the security account of the process owner. Limitation
of the privileges assigned to the process account can help contain access to other
processes and host system resources. This can in turn help to limit any resulting
malicious activity.

Check:
Review the Oracle process/owner account.

For UNIX Systems:

Log into the Oracle installation account and from a system prompt enter:

groups

If root is returned in the list, this is a Finding.

For Windows Systems:

Log in using an account with administrator privileges. Open the Services snap-
in. If the OracleService* services are not assigned a custom created account used
for the Oracle software installation (view the Log on As tab), this is a Finding.

If the account is assigned group membership to other than the local administrator
account and Oracle DBA groups, this is a Finding.

View user rights assigned to the service accounts. If Deny Logon Locally is not
assigned to all of the Oracle service accounts, this is a Finding.

If the service account is a domain rather than local user account, confirm with
the DBA that domain resources are required and that the account is not assigned
to any domain groups not required for Oracle operation (e.g. the domain users or
domain administrators groups). If the service account is a domain account and
the account is assigned to domain groups not required for Oracle operations, this
is a Finding.

Fix:
Remove root privileges from the Oracle software owner account on UNIX
systems.

On Windows systems, restrict Oracle service accounts to local administrator and

Oracle DBA privileges and assign the Deny Logon Locally user right.

10-219 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003842 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0102: CAT II) The DBA will ensure each database service or
process runs under a custom, dedicated OS account that is assigned
the minimum privileges required for operation where applicable.

10-220 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.32 DO0121: Oracle service and process dedicated accounts

Description: Shared accounts do not provide separation of duties nor allow for
assignment of least privileges for use by database processes and services. Without
separation and least privilege, the exploit of one service or process is more likely to be
able to compromise another or all other services.

Check:
For UNIX Systems (enter at command prompt):
ps ef | grep -i pmon | grep –v grep (all database processes)
ps ef | grep -i tns | grep –v grep (all listener processes)
ps ef | grep -i dbsnmp | grep –v grep (Oracle Intelligent Agents)

Sample output (database processes):

oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1

Sample output (listener processes):

oratns 5505 1 0 08:15 ? 00:00:00
/var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER –inherit

Sample output (listener processes):

oracle 1734 1 0 08:16 ? 00:00:00
/var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp

In the above samples, the occurrence of “oracle” and "oratns” indicate the user
account that owns the process

If a listener is running on the local database host and the Oracle Listener account
uses the same account as the Oracle Processes, this is a Finding. If a listener is
not running on the local database host server, this check is NA.

For Windows Systems:

Log in using account with administrator privileges. Open the Services snap-in.
Review the Oracle processes. The Oracle Listener process should be run (Log
On As) by a dedicated OS account separate from that used for all other Oracle
services. All other Oracle services should be run by a dedicated windows
account (Oracle Owner account) and not as LocalSystem.

If any Oracle service is run as LocalSystem, this is a Finding. If the Oracle

Listener and Oracle service services share the same dedicated account, this is a
Finding.

Fix:
Create and assign a custom account for the Oracle Listener. Create and assign a
custom account for other Oracle services (Windows) or ensure Oracle Process
Owner account is used (UNIX).
10-221 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

The Oracle SNMP agent (Intelligent or Management Agent) is required (by

Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner
account.

Assign read-only permissions to the custom listener account in the

ORACLE_HOME/network directory and ownership of listener configuration and
log files to the listener accounts.

VKEY: V0003843 Severity: CAT 2 Policy: MAC/CONF: 1-

Platinum CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0102: CAT II) The DBA will ensure each database service or
process runs under a custom, dedicated OS account that is assigned
the minimum privileges required for operation where applicable.

10-222 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.33 DO0279: Oracle software owner umask setting

Description: The UNIX umask sets the user file creation mask for files created or
updated during process operations. If the umask setting is not set to the most secure and
authorized setting, then Oracle data, log, and other critical files are not protected from
unauthorized access.

Check:
If the DBMS host system is not a UNIX system, this check is NA.

Log in using the Oracle software owner account and enter the command:

umask

If the value returned is 022 or more restrictive, this is not a Finding.

If the value returned is less restrictive than 022, this is a Finding.

The first number sets the mask for user/owner file permissions. The second
number sets the mask for group file permissions. The third number sets file
permission mask for other users. The list below shows the available settings:

0 = read/write/execute
1 = read/write
2 = read/execute
3 = read
4 = write/execute
5 = write
6 = execute
7 = no permissions

Setting the umask to 022 effectively sets files for user/owner to read/write, group
to read and other to read. Directories are set for user/owner to read/write/execute,
group to read/execute and other to read/execute.

Fix:
Set the umask of the Oracle software owner account to 022. Determine the shell
being used for the Oracle software owner account:

env | grep -i shell

Startup files for each shell are as follows (located in users $HOME directory):

C-Shell (CSH) = .cshrc

Bourne Shell (SH) = .profile
Korn Shell (KSH) = .kshrc
10-223 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

TC Shell (TCS) = .tcshrc

BASH Shell = .bash_profile or .bashrc

Edit the shell startup file for the account and add or modify the line:

umask 022

Log off and login, then enter the umask command to confirm the setting.

NOTE: To effect this change for all Oracle processes, a reboot of the DBMS
server may be required.

VKEY: V0003860 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCSL Check Database Responsibility: Documentable: False
Type: level: False
DBA
Manual
Reference: Database STIG 3.1.10
STIG Requirement: (DG0009: CAT II) The SA/DBA will ensure access to DBMS
software is restricted to authorized OS accounts.

10-224 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.34 DG0016: DBMS unused components

Description: Unused and/or unnecessary DBMS components increase the attack vector
for the DBMS by introducing additional targets for attack. By minimizing the services
and applications installed on the system, the number of potential vulnerabilities is
reduced.

Check:
Use the Oracle Universal Installer or OPATCH utility to display the list of
installed products. Review the list of installed products with the DBA and verify
any installed products listed below are required and licensed. If any are installed
and are not required or not licensed, this is a Finding.

From Command Prompt:

$ORACLE_HOME/OPatch/opatch lsinventory –detail | more (UNIX)
%ORACLE_HOME%/OPatch/opatch lsinventory –detail | more (Windows)

Data Mining
Database Workspace Manager
[Enterprise] Manager, Agent OR Intelligent Agent
iSQL*Plus
Configuration Manager
Connection Manager
interMedia
Internet Directory
LDAP
Spatial
Text
Wallet Manager
XML Development
Sample SCHEMA
HTTP Server

NOTE: This list does not take into account product dependencies that when
selected for de-install, remove required database software. A custom installation
without selection of unnecessary components is required to ensure a clean install
of only required and licensed products. The list of product dependencies may be
subject to change by Oracle and is not addressed here.

Fix:
Review the list of installed products available for the DBMS install. If any are
required and licensed for operation of applications that will be accessing the
DBMS, then include them in the application design specification and list them in
the System Security Plan. If any are not, but have been installed, then uninstall
them and remove any database SCHEMA, objects and applications that
exclusively support them.
10-225 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003728 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Database STIG 3.1.4.1
(DG0016: CAT III) The DBA will ensure unused optional database
components or features, applications, and objects are removed from
the database and host system. If the optional component cannot be
uninstalled or removed, then the DBA will ensure the unused
component or feature is disabled.

10-226 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.35 DO6754: Oracle Configuration Manager

Description: Oracle Configuration Manager (OCM) is a function of the Oracle Software
Configuration Manager (SCM). OCM collects system configuration data used for
automated upload to systems owned and managed by Oracle to assist in providing
customer support. The configuration information about the server that the OCM collects
includes IP addresses, hostname, database username, location of datafiles, etc.

Check:
NOTE: The collection does not include application or custom data within the
database. If released to unauthorized persons, system configuration data may be
used by malicious persons to gain additional unauthorized access to the database
or other systems.

On UNIX Systems:
ls $ORACLE_HOME/ccr

On Windows Systems (From Windows Explorer):

Browse to the ORACLE_HOME directory.

If the directory ORACLE_HOME\ccr does not exist, this is not a Finding.

If the ccr directory exists, confirm if any of the Oracle databases have been
configured for OCM:

From SQL*Plus:
select username from dba_users where username='ORACLE_OCM';

If the account exists, OCM has been installed (on this database) and is a Finding.

Fix:
Remove Oracle Configuration Manager. Details for removal are provided in
Oracle MetaLink Note 369111.1 or in MetaLink Note 728989.1 for a link to the
OCM Installation and Administration Guide.

VKEY: V0016056 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAN Check Database Responsibility: Documentable: False
Type: level: FalseDBA
Manual
Reference: Database STIG 3.3.1
STIG Requirement: (DG0076: CAT II) The DBA will ensure sensitive application data
exported from the database for import to remote databases or
applications is not provided to personnel or applications not
authorized or approved by the Information Owner.

10-227 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.36 DG0104: DBMS service identification

Description: Network services that do not employ unique or clearly identifiable targets
can lead to inadvertent or unauthorized connections.

Check:
Review the Oracle instance names on the DBMS host:

On UNIX platforms:
Solaris: cat /var/opt/oracle/oratab
Other UNIX: cat /etc/oratab

The format of lines in the oratab file is:

sid:oracle_home_directory:Y or N

The instance name is the sid.

On Windows platforms:
Go to Start / Administrative Tools / Services

View service names that begin with "OracleService".

The remainder of the service name is the instance name.

Example: OracleServicesalesDB -- where salesDB is the instance name

If instance names are listed and do not clearly identify the use of the instance or
clearly differentiate individual instances, this is a Finding.

An example of instance naming that meets the requirement: prdinv01 (Production

Inventory Database #1), dvsales02 (Development Sales Database #2), orfindb1
(Oracle Financials Database #1).

Examples of instance naming that do not meet the requirement: Instance1,

MyInstance, orcl, 10gdb1

Interview the DBA to get an understanding of the naming scheme used to

determine if the names are clear differentiations.

Fix:
Follow the instructions in Oracle Doc ID: 15390.1 to change the SID without re-
creating the database. Set the value so that it does not identify the Oracle version
and clearly identifies its purpose.

10-228 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015622 Severity: CAT 3 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0104: CAT III) The DBA will ensure all local and network-
advertised named database services are uniquely and clearly
identified.

10-229 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.37 DG0106: Database data encryption configuration

Description: Access to sensitive data may not always be sufficiently protected by
authorizations and require encryption. In some cases, the required encryption may be
provided by the application accessing the database. In others, the DBMS may be
configured to provide the data encryption. When the DBMS provides the encryption, the
requirement must be implemented as identified by the Information Owner to prevent
unauthorized disclosure or access.

Check:
Review the System Security Plan and note sensitive data identified by the
Information Owner as requiring encryption using DBMS features administered by
the DBA. If no sensitive data is present or encryption of sensitive data is not
required by the Information Owner, this check is NA.

Review the encryption configuration against the System Security Plan

specification.

If the specified encryption is not configured, this is a Finding.

Fix:
Configure DBMS encryption features and functions as required by the System
Security Plan. Discrepancies between what features are and are not available
should be resolved with the Information Owner, Application Developer and DBA
as overseen by the IAO.

VKEY: V0015143 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DCFA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.3
STIG Requirement: (DG0106: CAT II) The DBA will ensure security requirements
specific to the use of the database are configured as identified in the
System Security Plan.

10-230 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.38 DO0280: Oracle external procedure access

Description: The Oracle external procedure capability provides use of the Oracle
process account outside the operation of the DBMS process. You can use it to submit and
execute applications stored externally from the database under operating system controls.
The external procedure process is the subject of frequent and successful attacks as it
allows unauthenticated use of the Oracle process account on the operating system. As of
Oracle version 11.1, the external procedure agent may be run directly from the database
and not require use of the Oracle listener. This reduces the risk of unauthorized access to
the procedure from outside of the database process.

Check:
Review the System Security Plan to determine if the use of the external procedure
agent is authorized. Review the ORACLE_HOME/bin directory or search the
ORACLE_BASE path for the executable extproc (UNIX) or extproc.exe
(Windows). If external procedure agent is not authorized for use in the System
Security Plan and the executable file exists, this is a Finding.

If use of the external procedure agent is authorized, ensure extproc is restricted to

execution of authorized applications. External jobs are run using the account
nobody by default. Review the contents of the file
ORACLE_HOME/rdbms/admin/externaljob.ora for the lines run_user= and
run_group=. If the user assigned to these parameters is not "nobody", this is a
Finding.

For versions 11.1 and later:

NOTE: The external procedure agent (extproc executable) is available directly

from the database and does not require definition in the listener.ora file for use.

Review the contents of the file ORACLE_HOME/hs/admin/extproc.ora. If the

file does not exist, this is a Finding. If the following entry does not appear in the
file, this is a Finding:

EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:..

[dll full file name] represents a full path and file name. This list of file names is
separated by ":".

NOTE: If "ONLY" is specified, then the list is restricted to allow execution of

only the DLLs specified in the list and is not a Finding. If "ANY" is specified,
then there are no restrictions for execution except what is controlled by operating
system permissions and is a Finding. If no specification is made, any files
located in the %ORACLE_HOME%\bin directory on Windows systems or
$ORACLE_HOME/lib directory on UNIX systems can be executed (the default)
and is a Finding.
10-231 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Ensure that EXTPROC is not accessible from the listener. Review the
listener.ora file. If any entries reference "extproc", this is a Finding.

NOTE: Bug 7560049 may cause external procedures in 11g not to work on
certain platforms. Fix will be in Oracle 11g Release 2. If external procedures are
required and you are experiencing this bug, then follow instructions for
configuring external procedures for versions earlier than 11.1 and document as
authorized in the System Security Plan.

For versions earlier than 11.1:

Determine if the external procedure agent is in use:

Review the listener.ora file. If any entries reference "extproc", then the agent is
in use. If external procedure agent is not authorized for use in the System
Security Plan and references to "extproc" exist, this is a Finding.

Sample listener.ora entries with extproc included:

LISTENER =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
)

EXTLSNR =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
)

SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME = ORCL)
(ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)
(SID_NAME = ORCL)
)
)

SID_LIST_EXTLSNR =
(SID_LIST =
(SID_DESC =
(PROGRAM = extproc)
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /home/oracle/app/oracle/product/10.2.0/db_1)
(ENVS="EXTPROC_DLLS=ONLY:/home/app1/app1lib.so:/home/app2/app2lib.so,
LD_LIBRARY_PATH=/private/app2/lib:/private/app1,
MYPATH=/usr/fso:/usr/local/packages")
)
)

10-232 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Sample tnsnames.ora entries with extproc included:

ORCL =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 1521))
)
(CONNECT_DATA =
(SERVICE_NAME = ORCL)
)
)

EXTPROC_CONNECTION_DATA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = extproc))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = PLSExtProc)
)
)

If EXTPROC is in use, confirm that a listener is dedicated to serving the external

procedure agent (as shown above). View the protocols configured for the
listener. For the listener to be dedicated, the only entries will be to specify
extproc.

If there is not a dedicated listener in use for the external procedure agent, this is
a Finding.

If the PROTOCOL= specified is other than IPC, this is a Finding.

Verify the dedicated listener uses an unprivileged account. View group

memberships for the dedicated listener Windows service account or UNIX file
owner account. If the account is a member of any DBA group or group that has
been granted access other than read-only to the listener.ora file, the
ORACLE_HOME/bin directory, and any directories that contain executables
authorized for the agent to use, this is a Finding.

Write access may be granted to a log file directory dedicated to use by this
listener (no other listener logs or other files not used by the dedicated listener).
The account requires only the user right to log in as a batch job on Windows.

Verify and ensure extproc is restricted executing authorized external applications

only and extproc is restricted to execution of authorized applications. Review the
listener.ora file. If the following entry does not exist, this is a Finding:

EXTPROC_DLLS=ONLY:[dll full file name1]:[dll full file name2]:...

10-233 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

NOTE: [dll full file name] represents a full path and file name. This list of file
names is separated by ":".

NOTE: If "ONLY" is specified, then the list is restricted to allow execution of

only the DLLs specified in the list and is not a Finding. If "ANY" is specified,
then there are no restrictions for execution except what is controlled by operating
system permissions and is a Finding. If no specification is made, any files
located in the %ORACLE_HOME%\bin directory on Windows systems or
$ORACLE_HOME/lib directory on UNIX systems can be executed (the default)
and is a Finding.

View the listener.ora file (usually in ORACLE_HOME/network/admin or

directory specified by the TNS_ADMIN environment variable). If multiple
listener processes are running, then the listener.ora file for each must be viewed.
For each process, determine the directory specified in the ORACLE_HOME or
TNS_ADMIN environment variable defined for the process account to locate the
listener.ora file.

Fix:
If the use of external processes is required, then authorize and document the
requirement in the System Security Plan. For versions 11.1 and later, if the
external procedure agent must be accessible to the Oracle listener, then specify
this and authorize it in the System Security Plan.

If use of the Oracle External Procedure agent is not required, delete the Oracle
extproc or extproc.exe executable.
- Stop the Oracle Listener process
- Remove all references to extproc in the listener.ora and tnsnames.ora files
- Delete the extproc executable from the ORACLE_HOME/bin directory

If required:
- Restrict extproc execution to only authorized applications. Specify
EXTPROC_DLLS=ONLY:[list of authorized DLLS] in the extproc.ora (11.1
only) and the listener.ora files
- Create a separate, dedicated listener and process account for use by the
external procedure agent
- Use a minimally privileged account for extproc execution. Assign minimal
privileges and permissions to the dedicated listener Windows service account or
UNIX file owner account. The account requires:
-- Read-only access to the listener.ora file (do not grant write privileges to this
account)
-- Execute access to the ORACLE_HOME/bin directory, and any directories
that contain executables authorized for the agent to use
-- Write access may be granted to a log file directory dedicated to use by this
listener (no other listener logs or other files not used by the dedicated listener)
10-234 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

-- The account requires the user right to log in as a service on Windows

Please see the Oracle Net Services Administrators Guides, External Procedures
section for detailed configuration information.

VKEY: V0002841 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: DFCA Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.1.4.1
STIG Requirement: (DG0099: CAT II) The DBA will disable use of external procedures
by the database unless mission and/or operationally required and
documented in the AIS functional architecture documentation.

10-235 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

10.39 DO5036: Oracle Net TRACE_LEVEL

Description: The network listener provided by Oracle may be subject to unauthorized
access attempts to the database or the host system. Log files provide a means to detect
and research suspicious or unauthorized connections.

Check:
Review the listener.ora file. If the following line is not listed in the file nor is it set
to one of the allowed values listed below, this is a Finding.

TRACE_LEVEL_[listener-name] =

Allowed Values:
user OR 4
admin OR 6
support OR 16

NOTE: The lines below are optional and may add value to auditing and
connection troubleshooting, but will generate a very large number of files. Set the
following parameters to support troubleshooting or provide enhanced auditing
provided there is a documented requirement to do so.

Review the sqlnet.ora file. Add the following lines and restart the listener:

TRACE_LEVEL_SERVER = server
TRACE_FILE_SERVER = sqlnet
TRACE_DIRECTORY_SERVER = [directory on a volume with enough free space]
LOG_FILE_SERVER = sqlnet
LOG_DIRECTORY_SERVER = [directory on a volume with enough free space]

Fix:
Enable trace file logging for the Oracle Net listener and client. Add the following
line to the listener.ora file and specify one of the allowed values listed, and then
restart the listener service/process:

TRACE_LEVEL_[listener-name] =

Allowed Values:
user OR 4 (provides minimal tracing information)
admin OR 6 (provides medial tracing information)
support OR 16 (provides maximum tracing information)

Document this setting in the System Security Plan.

10-236 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0016049 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECAR Check Database Responsibility: Documentable: False
Type: level: False DBA
Manual
Reference: Database STIG 3.3.2
STIG Requirement: (DG0141: CAT II) The DBA will ensure all database logons, account
locking events, blocking or disabling of a database account or logon
source location, or any attempt to circumvent access controls is
audited.

10-237 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11. Oracle Home Verify Check Procedures

11.1 DG0051: Database job/batch queue monitoring

Description: Unauthorized users may bypass security mechanisms by submitting jobs to
job queues managed by the database. These jobs run under a more privileged security
context of the database or host system. These queues should be monitored regularly to
detect any such unauthorized job submissions.

Check:
The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER
in Oracle versions 10.1 and higher, though it continues to be supported for
backward compatibility.

From SQL*Plus:
select value from v$parameter where name='job_queue_processes';
select value from all_scheduler_global_attribute
where ATTRIBUTE_NAME='MAX_JOB_SLAVE_PROCESSES';

To understand the relationship between these settings, review:

http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/appendix_a0
03.htm

Review documented and implemented procedures for monitoring the Oracle

DBMS job/batch queues for unauthorized submissions. If procedures for job
queue review are not defined, documented or evidence of implementation does
not exist, this is a Finding.

Job queue information is available from the DBA_JOBS view. The following
command lists jobs submitted to the queue. DBMS_JOB does not generate a
'history' of previous job executions.

From SQL*Plus:
select job, next_date, next_sec, failures, broken from dba_jobs;

Scheduler queue information is available from the DBA_SCHEDULER_JOBS

view. The following command lists jobs submitted to the queue.

From SQL*Plus:
select owner, job_name, state, job_class, job_type, job_action
from dba_scheduler_jobs;

Scheduled task execution history information is available from the

DBA_SCHEDULER_JOB_LOG view. The following command shows a high-
level view of scheduled task execution history.

11-238 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

From SQL*Plus:
select log_id, log_date, owner, job_name, status from dba_scheduler_job_log;

Fix:
Develop, document and implement procedures to monitor the database job queues
for unauthorized job submissions. Develop, document and implement a formal
migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER
instead. Set the value of the job_queue_processes parameter to a low value to
restrict concurrent DBMS_JOB executions.

For Oracle versions earlier than 10.1, use auditing to capture use of the
DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use
of the DBMS_JOB package.

VKEY: V0003808 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: ECLP Check Database Responsibility: Documentable: False
Type: level: False DBA
Verify
Reference: Database STIG 3.3.11.3
STIG Requirement: (DG0051: CAT II) The DBA will monitor database batch and job
queues to ensure no unauthorized jobs are accessing the database.

11-239 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.2 DG0090: Sensitive data identification and encryption

Description: Sensitive data stored in unencrypted format within the database is
vulnerable to unauthorized viewing.

Check:
If no data is identified as being sensitive or classified in the System Security Plan
or if no sensitive or classified data is identified as requiring encryption by the
Information Owner in the System Security Plan, this check is NA.

Review sensitive data stored in the database as identified in the System Security
Plan using select statements. Note in the System Security Plan if the data is
encrypted by column or by transparent encryption. Transparent data encryption is
available only in Oracle versions 10.2 and later using Oracle Advanced Security.

If transparent data encryption is specified, then verify it is enabled.

By data columns:

From SQL*Plus (Oracle 10.2 and higher):

select owner, table_name, column_name from dba_encrypted_columns;

By tablespace:

From SQL*Plus (Oracle 11.1 and higher):

select tablespace_name from dba_tablespaces where encrypted='YES';

If columns within tables, tables and/or tablespaces listed in the System Security
Plan are required to be encrypted transparently are not listed above, this is a
Finding.

If the DBMS products are used to encrypt data, view the sensitive data fields
required to be encrypted using select statements. If any data is displayed in
human-readable format, this is a Finding.

NOTE: This check result may be marked not a Finding and the requirement of
encryption in the database waived where the database has only database
administrative accounts and application accounts that have a need-to-know to the
data. This waiver does not preclude any requirement for encryption of the
associated database data file (see DG0092).

Fix:
Identify all sensitive data and the method to be used to encrypt specified sensitive
data in the System Security Plan.

11-240 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Use NIAP evaluated third-party tools, FIPS-validated encryption modules within

the application, or native DBMS features to encrypt sensitive or classified data
stored in the database.

Configure DBMS encryption features where specified to use FIPS 140-2

compliant algorithms. Oracle transparent data encryption (available in Oracle
version 10.2 and later) requires Oracle Advanced Security. See the chapter on
Transparent Data Encryption in the Oracle Database Advanced Security Guide
Administrator's Guide for details on using and configuring transparent data
encryption.

Document acceptance of risk by the Information Owner where sensitive or

classified data is not encrypted. Have the Information Owner document assurance
that the unencrypted sensitive or classified information is otherwise inaccessible
to those without need-to-know access to the data.

Developers should consider using a record-specific encryption method to protect

individual records. For example, by employing the session username or other
individualized element as part of the encryption key, then decryption of a data
element is only possible by that user or other data accessible only by that user.

Consider applying additional auditing of access to any unencrypted sensitive or

classified data when accessed by unauthorized users (without need-to-know).

VKEY: V0015131 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CS;2-CS;3-CS
IA Control: ECCR Check Database Responsibility: Documentable: False
Type: level: False IAO
Verify
Reference: Database STIG 3.3.5
STIG Requirement: (DG0090: CAT II) The IAO/DBA will ensure sensitive data is
encrypted within the database where required by the Information
Owner.

11-241 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.3 DO0360: DBMS mid-tier application account access

Description: Database connections by mid-tier systems are not protected, encrypted and
authenticated according to database, network and web requirements. Multi-tier systems
may be configured with the database and connecting middle-tier system located on an
internal network, with the database located on an internal network behind a firewall and
the middle-tier system located in a DMZ, or with the database and middle-tier system
located in the DMZ. In cases where either or both systems are located in the DMZ,
network communications between both systems must be encrypted. In all cases, the
application account requires PKI authentication. IP address restriction to the backend
database system, under a separate requirement, provides an additional level of protection.

Check:
Review the System Security Plan for remote applications that access and use the
database. If none of the applications accessing the database uses a single account
for access by multiple persons or processes, this check is NA.

Verify that the application account uses PKI authentication:

From SQL*Plus:
select external_name from dba_users where username='[application user
name]';

If the external_name indicates a directory name, then verify that the directory
name is authenticated using PKI. You may require the DBA or directory server
administrator to display the username definition in the directory service to you. If
the external_name does not specify a certificate or PKI-authenticated user
account, this is a Finding.

Fix:
Configure PKI authentication to help protect access to the shared account.

PKI authentication may be accomplished using Oracle Advanced Security on

most platforms. On a Windows host, user authentication using PKI may be used
with Active Directory or NTS authentication using the DoD CAC. On UNIX and
other hosts, Oracle Advanced Security may used to authenticate via LDAP or
SSL. The application may require storage of the authentication certificate in the
Oracle Wallet or on a hardware security module (HSM) to authenticate.

Please see the Oracle Security Guides and the Oracle Advanced Security Guides
for instructions on configuring PKI authentication.

11-242 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003440 Severity: CAT 2 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: IAGA Check Database Responsibility: Documentable: False
Type: level: False IAO
Verify
Reference: Database STIG 3.2.1
STIG Requirement: (DG0060: CAT II) The IAO/DBA will ensure actions by a single
database account that is accessed by multiple interactive users are
attributable to an individual identifier.

11-243 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.4 DG0002: DBMS version upgrade plan

Description: Unsupported software versions are not patched by vendors to address
newly discovered security versions. An unpatched version is vulnerable to attack.
Developing and implementing an upgrade plan prior to a lapse in support helps to protect
against published vulnerabilities.

Check:
From SQL*Plus:
select substr(version,1,4) from v$instance;

If the Oracle version is 10.2 or higher, this check is NA.

If the Oracle version is less than 10.2, review evidence that Oracle Extended
Support has been purchased for continued support. If Extended Support has not
been purchased or proof of Oracle Extended Support is not documented, this is a
Finding. If Extended Support will expire within 6 months, review evidence that an
upgrade to a supported version or an extension for Oracle Extended Support is in
progress. If it is not, this is a Finding.

For any version where Extended Support ends within 6 months, review evidence
than an upgrade to a supported version is in progress. If it is not, this is a Finding.

Product: Oracle Database

Highest Supported Version: 11.1

(See Oracle MetaLink Note 161818.1 for Oracle RDBMS Release support status)

Product versions / Premier Support Ends / Extended Support Ends:

11.1.0.X / Aug 2012 / Aug 2015

10.2.0.X / Jul 2010 / Jul 2013
10.1.0.X / Jan 2009 / Jan 2012 (NOTE: 10.1.0.5 is terminal patch set)
9.2.0.X / Jul 2007 / Jul 2010 (NOTE: 9.2.0.8 is terminal patch set)

Fix:
Create and implement an upgrade/migration plan for obsolete or expiring Oracle
versions. Use the table above as a guideline for Oracle version support. The cost
of the version upgrade should be budgeted including any additional testing and
development required supporting the version upgrade. A plan for testing the
version upgrade should also be scheduled. Any other steps for the version upgrade
should be included in the plan and the plan for the version upgrade should be
scheduled for completion prior to expiration of the current Oracle database server
product.

11-244 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0004758 Severity: CAT 1 Policy: All MAC/CONF: 1-

Policies CSP;2-CSP;3-CSP
IA Control: VIVM Check Database Responsibility: Documentable: False
Type: level: False IAO
Verify
Reference: Database STIG 3.6.1
STIG Requirement: (DG0002: CAT I) The IAO will ensure the site has a formal migration
plan for removing or upgrading DBMS systems 6 months prior to the
date the vendor drops security patch support.

11-245 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.5 DO6753: Oracle Application Express

Description: The Oracle Application Express, formerly called HTML DB, is an
application development component installed by default with Oracle database 11.1.
Unauthorized application development can introduce a variety of vulnerabilities to the
database.

Check:
If the database is a shared development/production system, then confirm that
Oracle Application Express is authorized for development use. If it is, this check
is NA.

From SQL*Plus:
select count(*) from dba_users where username like 'FLOWS_%';

If the value returned is not 0, this is a Finding.

Fix:
If this is a production system, remove Application Express using the instruction
found in Oracle MetaLink Note 558340.1.

For new installations, select custom installation and de-select Application Express
from the selectable options if available.

VKEY: V0016055 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECSD
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Verify
Database STIG 3.3.20
(DG0017: CAT II) The DBA will ensure software development on a
production system is separated through the use of separate and
uniquely identified data and application file storage partitions and
processes/services.

11-246 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.6 DG0179: DBMS warning banner

Description: Without sufficient warning of monitoring and access restrictions of a
system, legal prosecution to assign responsibility for unauthorized or malicious access
may not succeed. A warning message provides legal support for such prosecution. Access
to the DBMS or the applications used to access the DBMS require this warning to help
assign responsibility for database activities.

Check:
A warning banner displayed as a function of an Operating System or application
login for applications that use the database makes this check NA for all supported
versions of Oracle.

For Oracle 11.1, view the sqlnet.ora file. If the following lines do not exist, this is
a Finding (requires application code to display the warning banner, which is not
covered in this check):

SEC_USER_AUDIT_ACTION_BANNER = path/filename with banner text

SEC_USER_UNAUTHORIZED_ACCESS_BANNER = path/filename with
banner text

For other supported versions of Oracle, this requirement can be fulfilled

programmatically and is not covered in this check; however, if required and not
performed, this is a Finding.

For Oracle 11.1, view the files specified. If they do not contain the following text
as written below, this is a Finding:

[A. Use this banner for desktops, laptops, and other devices accommodating
banners of 1300 characters. The banner shall be implemented as a click-through
banner at logon (to the extent permitted by the operating system), meaning it
prevents further activity on the information system unless and until the user
executes a positive action to manifest agreement by clicking on a box indicating
"OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for

purposes including, but not limited to, penetration testing, COMSEC monitoring,
network operations and defense, personnel misconduct (PM), law enforcement
(LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.
11-247 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

-Communications using, or data stored on, this IS are not private, are subject to
routine monitoring, interception, and search, and may be disclosed or used for any
USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to

protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE
or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services
by attorneys, psychotherapists, or clergy, and their assistants. Such
communications and work product are private and confidential. See User
Agreement for details.
OK

[B. For Blackberries and other PDAs/PEDs with severe character limitations:]

I've read & consent to terms in IS user agreem't.

This User Agreement conforms to DoD Standard Notice and Consent

Banner and User Agreement – JTF-GNO CTO 08-008A, May 9, 2008.

Fix:
For Oracle database versions 11.1 and later, add the following lines to the
sqlnet.ora file:

SEC_USER_AUDIT_ACTION_BANNER = [banner file]

SEC_USER_UNAUTHORIZED_ACCESS_BANNER = [banner file]

Replace [banner file] with the path and file name to a TEXT file containing the
banner text as shown above.

NOTE: Defining these parameters and this text makes the banner available to
applications. It is not displayed unless the application is designed to display the
text using OCI calls.

For all versions of Oracle, this requirement can be fulfilled where the database
user receives the warning message when authenticating or connecting to a front-
end system that includes or covers the Oracle DBMS. Mark this check as a
Finding if the display of a warning banner (not necessarily this specific warning
banner) cannot be confirmed.

The banner text listed in the Check section above supersedes that referenced in
the STIG requirement below.
11-248 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0015658 Severity: CAT 2 Policy: All MAC/CONF: 1-

IA Control: ECWM
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Verify
Database STIG 3.3.23
(DG0179: CAT II) Where available, the DBA will ensure the DBMS
is configured to display a warning message upon interactive user
connection to the DBMS that complies with Chairman of the Joint
Chiefs of Staff Memorandum (CJCSM) 6510.01 Defense in Depth:
Information Assurance (IA) and Computer Network Defense (CND),
current as of 14 August 2006. This requirement may be fulfilled where
the database user receives the warning message when authenticating
or connecting to a front-end system that includes or covers the DBMS.

11-249 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

11.7 DO0430: Oracle management agent use

Description: The Oracle Management Agent (Oracle Intelligent Agent in earlier
versions) provides the mechanism for local and/or remote management of the local
Oracle Database by Oracle Enterprise Manager or other SNMP management platforms.
Because it provides access to operating system and database functions, it should be
disabled if not in use.

Check:
Determine if the Oracle Management Agent is enabled:

From SQL*Plus:
select username, account_status from dba_users
where lower(username)='dbsnmp';

If no rows are returned, this is not a Finding.

If the DBSNMP account exists and the account_status is OPEN, then verify in the
System Security Plan that operation and use of the Oracle Enterprise Manager
Management Agent or another SNMP management program is documented and
authorized.

If it is not documented in the System Security Plan as being required, this is a

Finding. If the DBSNMP account exists and the account_status is not OPEN,
schedule the FIX action below then mark as not a Finding. Despite any
justification or authorization, if a Management Agent is installed on a server that
is in a DMZ and Internet facing, this is a Finding.

Fix:
Use the ORACLE_HOME/rdbms/admin/catnsnmp.sql script to remove all Oracle
SNMP management agent objects in the database. Delete the executable file
ORACLE_HOME/bin/dbsnmp or dbsnmp.exe if it exists from any Oracle Home
not authorized for SNMP management.

Uninstall any SNMP management agents installed on Oracle database servers

installed in a DMZ that serve applications to Internet users.

Uninstall any SNMP management agents that have not been authorized and
documented in the System Security Plan.

Document any authorized use of the SNMP management agent on database

servers that do not support Internet applications in a DMZ in the System Security
Plan.

NOTE: Removal of SNMP management objects will prevent the ability to

generate database statistics within Oracle Enterprise Manager.
11-250 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

VKEY: V0003866 Severity: CAT 3 Policy: All MAC/CONF: 1-

IA Control: DCFA
Reference:
STIG Requirement:
Policies CSP;2-CSP;3-CSP
Check Database Responsibility: Documentable: False
Type: level: False DBA
Verify
Database STIG 3.1.4.1
(DG0016: CAT III) The DBA will ensure unused optional database
components or features, applications, and objects are removed from
the database and host system. If the optional component cannot be
uninstalled or removed, then the DBA will ensure the unused
component or feature is disabled.

11-251 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

12. Appendix A – IAVM Bulletin Compliance

As of this date, IAVM compliance for Oracle-related notices are maintained in the
UNIX, Windows, and other operating system host STIGs. Please refer to those STIGs
for IAVM compliance information on Oracle products.

12-252 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

13. Appendix B – Record of Changes

This is a new checklist based on the Database STIG V8R1. Changes to previous
STIG IDs and additions are listed below:

Added: Removed:
DG0003 DG0096 DG0166 DG0018
DG0005 DG0097 DG0167 DG0065
DG0012 DG0100 DG0172 DG0073
DG0013 DG0103 DG0175 DG0094
DG0020 DG0104 DG0176 DO0276
DG0025 DG0106 DG0179 DO0291
DG0031 DG0107 DG0186 DO0370
DG0041 DG0108 DG0187 DO0410
DG0042 DG0109 DG0194 DO3621
DG0054 DG0110 DG0195 DO3673
DG0064 DG0112 DG0198
DG0069 DG0117 DO0233
DG0071 DG0118 DO5036
DG0072 DG0127 DO6746
DG0074 DG0133 DO6747
DG0076 DG0135 DO6748
DG0083 DG0138 DO6749
DG0086 DG0140 DO6750
DG0087 DG0154 DO6751
DG0088 DG0159 DO6752
DG0089 DG0161 DO6753
DG0090 DG0165 DO6754
DG0092

Many checks that were removed were consolidated under other checks.

13-253 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

14. Appendix C – VMS SRR Process Guide for Oracle DB Server

14.1 VMS Terminology

Following is a list of VMS terms and how they are used within these instructions.

Asset – This is the host system for the DBMS being reviewed. It is typically defined
using the domain\computer name, the IP address and/or the MAC address.

Installation Posture – This is the DBMS instance or installation as defined in VMS for
the DBMS under review. It is defined as a VMS posture on the host asset. For Oracle
database Servers, the installation posture is referred to as an Oracle Home and the name
assigned to the Oracle Home at installation time is referred to as the Oracle Home Name.
It is recommended that the Oracle Home Name as identified on the host be used also to
identify the Oracle Home within VMS.

Database Posture – This database as defined in VMS exists within the DBMS under
review. It is defined as a VMS posture on the host asset. An Oracle database posture is a
single occurrence of an Oracle database instance associated with the Oracle Home (there
could be more than one Oracle instance per Oracle Home). VMS requires that each
database posture include a reference to a DBMS instance or installation. The Oracle
Home posture must be defined prior to the creation of the database posture.

Target – The word “target” is used within an SRR script XML import file to designate a
specific installation or database posture assigned to an asset defined in VMS. (XML
import files are not available for generic DBMS reviews.) Compliance or “Finding”
results included in the XML import file update the status of the security item within VMS
for the “target” database/installation posture. Typically, installation “targets” must
include the DBMS installation name to update the vulnerability statuses of the installation
under review. Database “targets” must include the both the installation posture identifier
as well as the database name to correctly update the vulnerability status for the database
under review.

Element - The word “element” is used within a VMS XML import file to create an
installation or database posture for the asset specified in the same import file. The DBMS
installation element must include the DBMS installation identifier. The DBMS database
element must include the database identifier and reference the DBMS installation
identifier.

Vulnerability – The word “vulnerability” is an item of security significance in VMS.

Vulnerabilities are assigned directly to assets or to the asset’s postures. DBMS
vulnerabilities are assigned to installation and database postures defined for an asset.

Identifier - The identifier is a name assigned to the database posture. It is recommended

that the database identifier match and DBMS database name configured for the DBMS.

14-254 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Parent Identifier – In the case of DBMS postures/targets, a parent identifier exists only
for databases. The parent identifier is the DBMS installation identifier that supports the
database being identified. This indicates a “dependent relationship” of the database to the
instance.

14.2 Database VMS Maintenance

Identify the VMS DBMS Host Asset and DBMS postures

Each DBMS to be tracked within VMS requires assignment to a host asset. The host asset
is identified by name, IP address and MAC address.

The host asset, operating system and database postures must be created before entering
SRR results into VMS.

As mentioned above under VMS terminology, each DBMS defined within VMS requires
a minimum of two posture definitions. These postures are the DBMS installation and
DBMS database postures. Two postures are necessary to provide the level of granularity
required for tracking vulnerabilities. For example, vulnerabilities defined at the
installation level (e.g., file permissions) occur only once per installation. Vulnerabilities
defined at the database level (e.g., database role membership) occur once per defined
database.

VMS requires that an identifier be defined for each of the DBMS postures. When you
create generic database postures, make sure that you assign the correct installation
identifier.

NOTE: For the import to work correctly, the Oracle Home ([SID]-dbsrr-itf-I.xml)
file must be imported before the Oracle Database file. This is required to assign the
Oracle Database to Oracle Home database postures correctly. If the Oracle Home
database posture is not created first, the database XML import file will fail.

When you are creating DBMS database postures, specify the same database identifier as
defined within the DBMS. Database postures must also include the DBMS installation
name as the “parent identifier” to identify the database as belonging to a specific
installation.

To view/confirm the DBMS host asset and confirm/create DBMS postures:

1. Collect from the database host system, the following information:

− All IP and MAC addresses defined for the host (ipconfig /all for Windows;
ifconfig –a for UNIX)
− Host name (%computername% for Windows; hostname for UNIX)

2. In VMS, select the host asset supporting the DBMS

− For System Administrators:
14-255 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

o From the left navigation frame on VMS 6, expand Asset Finding

Maint[enance]
o From the expanded list, select Assets / Findings
o Under Navigation on the Asset and Finding Maintenance screen,
expand By Location, expand the location where the asset resides,
expand Computing, and select the asset where the DBMS is installed

− For Reviewers:
o From the left navigation frame on VMS 6, expand Asset Finding
Maint[enance]
o From the expanded list, select Assets / Findings
o Under Navigation on the Asset and Finding Maintenance screen,
expand Visit, expand the location where the asset resides, expand
Computing, and select the asset where the DBMS is installed

3. Verify the host name (under the General tab) matches the data collected
4. Verify the IP Address (under the Asset Identification tab) matches the data collected
5. Verify the MAC Address (under the Asset Identification tab) matches the data
collected
6. Select the Asset Posture tab
7. Verify that the appropriate Operating System has been selected
8. Under Selected, expand the asset name, expand Application, expand Database,
expand Oracle, expand or select Oracle Home or Oracle Database
9. View/note any product version and identifiers (in parentheses to the right of the
version)
10. To add an Oracle Home posture to the Asset posture:
− Follow steps 6 and 7 under Available
− Expand Oracle Home Installation, select the Oracle Home version number and
click the >> button to move the selections under Selected
− When prompted for an identifier, enter the Oracle Home name
− Save the posture (until the Oracle Home postures is saved, database posture
creations assigned to this Oracle Home will fail)
11. To add an Oracle Database posture to the Asset posture:
− Follow steps 6 and 8 under Available
− Expand Oracle Database, select the Oracle Database version and click the >>
button to move the selections under Selected
− When prompted for a parent identifier, enter the Oracle Home name
− When prompted for an identifier, enter the Oracle database name; or click on
the add hyperlink icon to add the identifier, and enter the Oracle database
name
− Repeat for each database defined for the Oracle Home
− Save the posture (Click on the Save icon in the middle of the bottom of the
screen)

14-256 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Importing results produced by the automated scripts.

The SRR script for Oracle produces two XML files: one contains the security review
results for the Oracle Home ([SID]-dbsrr-itf-I.xml) and the Oracle Database ([SID]-dbsrr-
itf-D.xml). The files include data that identifies the Oracle asset and the Oracle VMS
postures if postures for the specified database or home already exist. To import an XML
file, complete the following:

1. In the left navigation frame, expand Asset Finding Maint.

2. Select FSO Tool Import
3. Click on the Reviewer or System Admin button
4. For System Admin:
a. Select the site where the database host asset is registered and click the Submit
button
b. Enter the path and filename of the script results xml file to be imported or
click the Browse… button to navigate to the XML files being imported
c. Click on the Submit button
d. If the results will not import or do not import all findings, Print or save the
resulting screen and see the troubleshooting section later in this document
e. Manually review vulnerability statuses to ensure the results were correctly and
completely imported. Any vulnerability displaying a Not Reviewed (NR)
status requires a manual review
5. For Reviewer:
a. Select the Visit to update
b. Select the Asset posture under Summary
c. Select the organization
d. Select the Asset Type
e. Next to the Computing folder, click on the blue XML arrow
f. Enter the path and filename of the script results xml file to be imported or
click the Browse… button to navigate to the XML files being imported
g. Click on the Submit button
h. If the results will not import or do not import all findings, Print or save the
resulting screen and see the troubleshooting section later in this document
i. Manually review vulnerability statuses to ensure the results were correctly and
completely imported. Any vulnerability displaying a Not Reviewed (NR)
status requires a manual review

NOTE: VMS 6 imports finding data for all check results. The reviewer may want to
consider completing a manual review of checks with a status of NR prior to import to
determine if some findings are Open and the finding status in the XML file marked
accordingly, i.e. <FINDING_STATUS>NR</FINDING_STATUS>, in order to preserve
the additional data provided by the script. The XML file may be edited with any text
editor. Special care should be taken when editing the XML file to prevent the
introduction of XML format errors that would prevent the script from importing
successfully.

14-257 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Manually entering review results into VMS (For System Administrators):

− From the left navigation frame on VMS 6, expand Asset Finding Maint.
− From the expanded list, select Assets / Findings
− System Administrators: Under Navigation expand By Location
− Reviewers: Under Navigation expand Visit
− Expand the location where the asset resides
− Expand Computing
− Expand the asset where the target database is installed
− Expand the database engine or installation
− For each vulnerability listed, select the vulnerability and enter the review
results, and click Save

14-258 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

15. Appendix D – VMS KEY and STIGID Cross Reference and Index

Sort By VMS Key Sort by STIGID

VMS Key STIGID Page STIGID VMS Key Page
V0002420 DG0010 9-143 DG0002 V0004758 11-244
V0002422 DG0040 9-172 DG0003 V0005659 8-138
V0002423 DG0050 9-148 DG0005 V0006756 10-217
V0002424 DG0060 6-76 DG0010 V0002420 9-143
V0002507 DG0030 5-67 DG0011 V0003726 9-144
V0002508 DG0070 6-77 DG0012 V0004754 10-184
V0002509 DO0100 8-141 DG0013 V0015126 9-145
V0002511 DO0140 5-73 DG0015 V0003727 7-97
V0002512 DO0150 7-104 DG0016 V0003728 10-225
V0002513 DO0160 7-119 DG0017 V0003803 10-175
V0002514 DO0170 4-36 DG0019 V0003805 10-185
V0002515 DO0190 7-106 DG0020 V0015129 9-147
V0002516 DO0210 7-121 DG0021 V0003806 10-177
V0002517 DO0220 7-133 DG0025 V0015610 10-197
V0002519 DO0240 4-8 DG0030 V0002507 5-67
V0002520 DO0250 7-135 DG0031 V0015133 5-74
V0002521 DO0260 7-136 DG0040 V0002422 9-172
V0002522 DO0270 4-62 DG0041 V0015110 9-173
V0002523 DO3413 4-12 DG0042 V0015111 9-174
V0002527 DO3440 7-112 DG0050 V0002423 9-148
V0002529 DO3445 4-44 DG0051 V0003808 11-238
V0002530 DO3446 7-110 DG0052 V0003807 10-178
V0002531 DO3447 4-13 DG0053 V0003809 9-150
V0002533 DO3451 4-28 DG0054 V0015611 10-179
V0002537 DO3473 4-31 DG0060 V0002424 6-76
V0002539 DO3475 4-32 DG0064 V0015120 9-170
V0002541 DO3487 4-52 DG0066 V0003811 9-151
V0002543 DO3504 4-54 DG0067 V0003812 9-152
V0002552 DO3536 7-124 DG0068 V0003813 9-153
V0002553 DO3537 4-60 DG0069 V0015140 9-154
V0002554 DO3538 4-14 DG0070 V0002508 6-77
V0002555 DO3539 4-15 DG0071 V0003815 7-113
V0002556 DO3540 4-16 DG0072 V0015612 7-115
V0002558 DO3546 4-17 DG0074 V0015130 5-72
V0002559 DO3547 4-18 DG0075 V0003818 7-127
V0002561 DO3609 4-29 DG0076 V0003819 5-68
V0002562 DO3610 4-63 DG0077 V0003820 7-102
V0002564 DO3612 4-30 DG0080 V0003821 5-69
V0002574 DO3622 7-101 DG0083 V0015102 9-155
V0002586 DO3685 4-19 DG0086 V0015106 9-156
V0002587 DO3686 4-34 DG0087 V0015616 7-129
V0002589 DO3689 4-35 DG0088 V0015112 9-157
V0002592 DO3692 4-65 DG0089 V0015114 6-78
V0002593 DO3696 4-20 DG0090 V0015131 11-240

15-259 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Sort By VMS Key Sort by STIGID

VMS Key STIGID Page STIGID VMS Key Page
V0002595 DO3698 4-21 DG0091 V0003823 7-130
V0002596 DO3709 4-39 DG0092 V0015132 10-187
V0002607 DO3847 10-191 DG0093 V0003825 10-199
V0002608 DO3630 10-209 DG0095 V0003827 9-158
V0002609 DO3485 7-122 DG0096 V0015138 9-159
V0002612 DO5037 10-192 DG0097 V0015139 9-160
V0002841 DO0280 10-231 DG0100 V0015619 6-79
V0003436 DO0310 7-108 DG0103 V0015621 10-201
V0003437 DO0320 4-38 DG0104 V0015622 10-228
V0003438 DO0340 7-111 DG0106 V0015143 10-230
V0003439 DO0350 7-99 DG0107 V0015144 9-161
V0003440 DO0360 11-242 DG0108 V0015145 9-162
V0003442 DO0380 7-126 DG0109 V0015146 10-180
V0003444 DO0400 4-42 DG0110 V0015179 9-163
V0003497 DO6740 10-213 DG0112 V0015623 7-94
V0003726 DG0011 9-144 DG0117 V0015627 4-26
V0003727 DG0015 7-97 DG0118 V0015127 9-171
V0003728 DG0016 10-225 DG0127 V0015634 7-117
V0003803 DG0017 10-175 DG0133 V0015639 4-41
V0003805 DG0019 10-185 DG0135 V0015641 5-75
V0003806 DG0021 10-177 DG0138 V0015642 5-71
V0003807 DG0052 10-178 DG0140 V0015643 10-195
V0003808 DG0051 11-238 DG0154 V0015150 9-164
V0003809 DG0053 9-150 DG0159 V0015118 9-165
V0003811 DG0066 9-151 DG0161 V0015103 9-166
V0003812 DG0067 9-152 DG0165 V0015654 5-70
V0003813 DG0068 9-153 DG0166 V0015142 7-80
V0003815 DG0071 7-113 DG0167 V0015104 10-203
V0003818 DG0075 7-127 DG0172 V0015657 7-132
V0003819 DG0076 5-68 DG0175 V0015116 10-182
V0003820 DG0077 7-102 DG0176 V0015117 10-183
V0003821 DG0080 5-69 DG0179 V0015658 11-247
V0003823 DG0091 7-130 DG0186 V0015122 9-167
V0003825 DG0093 10-199 DG0187 V0015121 9-168
V0003827 DG0095 9-158 DG0194 V0015108 9-169
V0003842 DO0120 10-219 DG0195 V0015109 10-188
V0003843 DO0121 10-221 DG0198 V0015662 10-204
V0003844 DO0133 10-189 DO0100 V0002509 8-141
V0003845 DO0145 10-196 DO0120 V0003842 10-219
V0003846 DO0155 4-27 DO0121 V0003843 10-221
V0003847 DO0157 7-98 DO0133 V0003844 10-189
V0003848 DO0221 7-134 DO0140 V0002511 5-73
V0003849 DO0231 7-107 DO0145 V0003845 10-196
V0003850 DO0234 7-84 DO0150 V0002512 7-104
V0003851 DO0235 7-86 DO0155 V0003846 4-27
V0003852 DO0236 7-88 DO0157 V0003847 7-98
V0003853 DO0237 7-90 DO0160 V0002513 7-119
V0003854 DO0238 7-92 DO0170 V0002514 4-36
15-260 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Sort By VMS Key Sort by STIGID

VMS Key STIGID Page STIGID VMS Key Page
V0003855 DO0241 4-9 DO0190 V0002515 7-106
V0003856 DO0242 4-10 DO0210 V0002516 7-121
V0003857 DO0243 4-11 DO0220 V0002517 7-133
V0003858 DO0275 7-95 DO0221 V0003848 7-134
V0003860 DO0279 10-223 DO0231 V0003849 7-107
V0003861 DO0285 10-205 DO0233 V0015747 7-82
V0003862 DO0286 10-206 DO0234 V0003850 7-84
V0003863 DO0287 10-208 DO0235 V0003851 7-86
V0003865 DO0420 7-137 DO0236 V0003852 7-88
V0003866 DO0430 11-250 DO0237 V0003853 7-90
V0004754 DG0012 10-184 DO0238 V0003854 7-92
V0004758 DG0002 11-244 DO0240 V0002519 4-8
V0005659 DG0003 8-138 DO0241 V0003855 4-9
V0006756 DG0005 10-217 DO0242 V0003856 4-10
V0015102 DG0083 9-155 DO0243 V0003857 4-11
V0015103 DG0161 9-166 DO0250 V0002520 7-135
V0015104 DG0167 10-203 DO0260 V0002521 7-136
V0015106 DG0086 9-156 DO0270 V0002522 4-62
V0015108 DG0194 9-169 DO0275 V0003858 7-95
V0015109 DG0195 10-188 DO0279 V0003860 10-223
V0015110 DG0041 9-173 DO0280 V0002841 10-231
V0015111 DG0042 9-174 DO0285 V0003861 10-205
V0015112 DG0088 9-157 DO0286 V0003862 10-206
V0015114 DG0089 6-78 DO0287 V0003863 10-208
V0015116 DG0175 10-182 DO0310 V0003436 7-108
V0015117 DG0176 10-183 DO0320 V0003437 4-38
V0015118 DG0159 9-165 DO0340 V0003438 7-111
V0015120 DG0064 9-170 DO0350 V0003439 7-99
V0015121 DG0187 9-168 DO0360 V0003440 11-242
V0015122 DG0186 9-167 DO0380 V0003442 7-126
V0015126 DG0013 9-145 DO0400 V0003444 4-42
V0015127 DG0118 9-171 DO0420 V0003865 7-137
V0015129 DG0020 9-147 DO0430 V0003866 11-250
V0015130 DG0074 5-72 DO3413 V0002523 4-12
V0015131 DG0090 11-240 DO3440 V0002527 7-112
V0015132 DG0092 10-187 DO3445 V0002529 4-44
V0015133 DG0031 5-74 DO3446 V0002530 7-110
V0015138 DG0096 9-159 DO3447 V0002531 4-13
V0015139 DG0097 9-160 DO3451 V0002533 4-28
V0015140 DG0069 9-154 DO3473 V0002537 4-31
V0015142 DG0166 7-80 DO3475 V0002539 4-32
V0015143 DG0106 10-230 DO3485 V0002609 7-122
V0015144 DG0107 9-161 DO3487 V0002541 4-52
V0015145 DG0108 9-162 DO3504 V0002543 4-54
V0015146 DG0109 10-180 DO3536 V0002552 7-124
V0015150 DG0154 9-164 DO3537 V0002553 4-60
V0015179 DG0110 9-163 DO3538 V0002554 4-14
V0015610 DG0025 10-197 DO3539 V0002555 4-15
15-261 V8R1.3 Mar 2009
UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Sort By VMS Key Sort by STIGID

VMS Key STIGID Page STIGID VMS Key Page
V0015611 DG0054 10-179 DO3540 V0002556 4-16
V0015612 DG0072 7-115 DO3546 V0002558 4-17
V0015616 DG0087 7-129 DO3547 V0002559 4-18
V0015619 DG0100 6-79 DO3609 V0002561 4-29
V0015621 DG0103 10-201 DO3610 V0002562 4-63
V0015622 DG0104 10-228 DO3612 V0002564 4-30
V0015623 DG0112 7-94 DO3622 V0002574 7-101
V0015627 DG0117 4-26 DO3630 V0002608 10-209
V0015634 DG0127 7-117 DO3685 V0002586 4-19
V0015639 DG0133 4-41 DO3686 V0002587 4-34
V0015641 DG0135 5-75 DO3689 V0002589 4-35
V0015642 DG0138 5-71 DO3692 V0002592 4-65
V0015643 DG0140 10-195 DO3696 V0002593 4-20
V0015654 DG0165 5-70 DO3698 V0002595 4-21
V0015657 DG0172 7-132 DO3709 V0002596 4-39
V0015658 DG0179 11-247 DO3847 V0002607 10-191
V0015662 DG0198 10-204 DO5036 V0016049 10-236
V0015747 DO0233 7-82 DO5037 V0002612 10-192
V0016031 DO6746 10-214 DO6740 V0003497 10-213
V0016032 DO6747 10-215 DO6746 V0016031 10-214
V0016033 DO6748 4-22 DO6747 V0016032 10-215
V0016035 DO6749 4-23 DO6748 V0016033 4-22
V0016049 DO5036 10-236 DO6749 V0016035 4-23
V0016053 DO6750 4-24 DO6750 V0016053 4-24
V0016054 DO6752 4-25 DO6751 V0016057 10-216
V0016055 DO6753 11-246 DO6752 V0016054 4-25
V0016056 DO6754 10-227 DO6753 V0016055 11-246
V0016057 DO6751 10-216 DO6754 V0016056 10-227

15-262 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

16. Appendix E – STIG STIGID / Checklist Discrepancy List

Below is a list of general requirements listed in the Database STIG that are not
directly addressed in this checklist. The Database STIG provides general guidance for
all database management systems and may not relate well to a single configuration or
documentation requirement for a specific product.

Database STIG Requirement Disposition

(DG0065: CAT II) The IAO will ensure a DoD This is not currently included due to
PKI class 3 or 4 certificate and an approved the complexity and variety of
hardware security token (DoD CAC for DoD implementation. It is, however, still
employees or contractors) or an NSA-certified required but not enforced until
product is used for identification and procedures for verification can be
authentication to the database. determined.
(DG0073: CAT II) The DBA will configure the This is included under check
DBMS to lock database accounts after three or DO3537.
an IAO-specified number of consecutive
unsuccessful connection attempts within a 60-
minute period. The counter may be reset to 0 if a
third failed logon attempt does not occur before
reset. Where this requirement is not compatible
with the operation of a front-end application, the
unsuccessful logon count and time will be
specified and the operational need documented
in the System Security Plan.
(DG0084: CAT III) The DBA will ensure DBMS This feature is not configurable in
resource controls are enabled to clear residual Oracle. It is included by default.
data from released object stores.
(DG0101: CAT II) The DBA will ensure OS This is included under check
accounts used for execution of external database DO0280.
procedures have the minimum OS privileges
required assigned to them.
(DG0115: CAT II) The DBA will configure the This is not configurable under
DBMS to use only authorized software, data files, Oracle.
or other critical files during recovery.
(DG0120: CAT II) The DBA will ensure database This is included under check
application user roles are not granted DO0340.
unauthorized access to external database objects.
(DG0124: CAT II) The IAO will ensure This is included under check
privileged database accounts are used only for DO0160.
privileged database job functions. The IAO will
ensure non-privileged database accounts are
used to perform non-privileged job functions.

16-263 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Database STIG Requirement Disposition

DG0130: CAT II) The DBA/IAO will ensure This is included under check
database account passwords are not stored in DO0133.
batch jobs or application source code.
(DG0131: CAT III) The DBA will change or Oracle does not support changing
delete default account usernames where default user names.
supported.
(DG0145: CAT II) The DBA will ensure audit This is included under the Oracle
records contain the user ID, date and time of the audit configuration checks.
audited event, and the type of the event
(DG0146: CAT II) The DBA will ensure audit This is included under the Oracle
records include the reason for any blocking or audit configuration checks.
blacklisting of database accounts or connection
source locations.
(DG0151: CAT II) The SA/DBA will ensure This is included under DO0285.
random port assignment to network connections
is disabled when traversing network firewalls.
(DG0155: CAT II) The DBA will ensure all This is not configurable under
applicable DBMS settings are configured to use Oracle.
trusted files, functions, features, or other
components during startup, shutdown, aborts or
other unplanned interruptions.
(DG0156: CAT III) The IAM will assign and This is checked under an Enclave
authorize IAO responsibilities for the DBMS. review. The IAM is not expected to
be available for a DB review.
(DG0158: CAT II) The DBA will configure This is included under the Oracle
auditing of all actions taken by database audit configuration checks.
administrators during remote sessions.
(DG0160: CAT III) The DBA will ensure This is covered under separate Oracle
database connection attempts are limited to a checks.
specific number of times within a specific time as
specified in the System Security Plan. The limit
will not be set to unlimited.
(DG0170: CAT II) The DBA will configure the This is not configurable in Oracle
DBMS to enable transaction rollback and and is operational by default.
transaction journaling or their technical
equivalent to maintain data consistency and
recovery during operational cancellations,
failures, or other interruptions.
(DG0171: CAT II) The DBA will ensure This is included under check
interconnections between databases or other DG0075.
applications operating at different classification
levels are identified and their communications
configured to comply with the interface controls
specified in the System Security Plan.

16-264 V8R1.3 Mar 2009

UNCLASSIFIED
Oracle Database Security Checklist V8R1.3 Mar 2009 Field Security Operations
Defense Information Systems Agency

Database STIG Requirement Disposition

(DG0190: CAT II) The DBA will ensure use of This is included under check
credentials used to access remote databases or DO0133.
other applications are restricted to authorized
database accounts and used only for mission
and/or operationally required and documented
purposes.
(DG0193: CAT II) The DBA will set expiration This is included under check
times for non-interactive database application DO3504.
account passwords to 365 days or less where
supported by the DBMS.

Updated by: Stephen W. Price, CISSP on 15 April 2009

16-265 V8R1.3 Mar 2009

UNCLASSIFIED