Learn about Security Technical Implementation Guides.
A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD) to reduce the attack surface of computer systems and networks, thereby ensuring a lockdown of highly confidential information stored within the DOD network. STIGs provide secure configuration standards for the DOD's Information Assurance (IA) and IA-enabled devices and systems. STIGs are created by the Defense Information Systems Agency (DISA).
For over a decade, Oracle has worked closely with the DOD to develop, publish, and maintain a growing list of STIGs for a variety of core Oracle products and technologies including:
Oracle Database
Oracle Solaris
Oracle Linux
Oracle WebLogic
When STIGs are updated, Oracle analyzes the latest recommendations in order to identify new ways to improve the security of its products by:
Implementing new and innovative security capabilities that are then added to future STIG updates
Delivering functionality to automate the assessment and implementation of STIG recommendations
Improving "out of the box" security configuration settings based upon STIG recommendations
After you enable the STIG rules in Oracle Audit Vault and Database Firewall, the settings are preserved when you perform any upgrades.
STIG recommendations
Oracle Audit Vault Server is a highly tuned and tested software appliance. Any additional software installed on this server can cause unstable behavior. Hence Oracle does not recommend installing any software on Oracle Audit Vault Server. If virus scanning is required, use external scanners as much as possible.
The following are cases where external scanners cannot be used and an anti-virus product is installed on the Audit Vault Server:
If there is an issue, Oracle Support may request that you uninstall the anti-virus software to enable troubleshooting.
If there are no issues and a new Bundle Patch must be applied to Oracle Audit Vault and Database Firewall, Oracle Support may request that you uninstall the anti-virus software, apply the patch, and then re-install the anti-virus software on Oracle Audit Vault Server. This reduces the number of issues after applying the patch.
If there are no issues but the anti-virus scanner has detected a virus or malware, contact the anti-virus vendor to verify the validity of the finding.
If the anti-virus software was not removed in advance and the Bundle Patch upgrade has failed, Oracle may recommend a fresh installation of Oracle Audit Vault and Database Firewall followed by the Bundle Patch upgrade. Only after this can the anti-virus scanner be re-installed.
If you followed Oracle's instructions but the anti-virus scanner did not uninstall completely and the Bundle Patch upgrade fails, contact the anti-virus vendor for instructions on how to remove the software completely. Once this is done, install the Oracle Audit Vault and Database Firewall Bundle Patch. If the installation fails, a clean install may be warranted.
You can enable STIG rules on Oracle Audit Vault and Database Firewall by enabling Strict mode.
Learn how to enable STIG rules on Oracle Audit Vault and Database Firewall.
To enable strict mode:
Oracle has developed a security-hardened configuration of Oracle Audit Vault and Database Firewall that supports U.S. Department of Defense Security Technical Implementation Guide (STIG) recommendations.
Table F-1 lists the three vulnerability categories into which STIG recommendations are classified.
Table F-1 Vulnerability Categories
Category | Description |
---|---|
CAT I | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity. |
CAT II | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity. |
CAT III | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity. |
Learn about the current implementation of database STIG rules on Oracle Audit Vault and Database Firewall.
Table F-2 shows the current implementation of Database STIG rules on Oracle Audit Vault and Database Firewall.
Table F-2 Current Implementation of Database STIG Rules
STIG ID | Title | Severity | Addressed by Script | Addressed by Documentation | Action required | Implemented | Notes |
---|---|---|---|---|---|---|---|
DG0004-ORACLE11 | DBMS application object owner accounts | CAT II | No | No | None | No | Application object owner accounts |
DG0008-ORACLE11 | DBMS application object ownership | No | No | Yes | No | No | For more information, see DG0008-ORACLE11 STIG Rule. |
DG0014-ORACLE11 | DBMS demonstration and sample databases | CAT II | No | No | None | No | All default demonstration and sample database objects have been removed. |
DG0071-ORACLE11 | DBMS password change variance | CAT II | No | No | No | No | Currently not supported |
DG0073-ORACLE11 | DBMS failed login account lock | CAT II | Yes | No | No | No | |
DG0075-ORACLE11 | DBMS links to external databases | CAT II | No | Yes | No | No | For more information, see DG0075-ORACLE11, DO0250-ORACLE11 STIG Rules. |
DG0077-ORACLE11 | Production data protection on a shared system | CAT II | No | No | None | No | No |
DG0116-ORACLE11 | DBMS privileged role assignments | CAT II | Yes | Yes | No | No | Revoked |
DG0117-ORACLE11 | DBMS administrative privilege assignment | CAT II | No | No | No | No | Currently not supported |
DG0121-ORACLE11 | DBMS application user privilege assignment | CAT II | No | No | No | No | Currently not supported |
DG0123-ORACLE11 | DBMS Administrative data access | CAT II | No | No | No | No | Currently not supported |
DG0125-ORACLE11 | DBMS account password expiration | CAT II | Yes | No | No | No | |
DG0126-ORACLE11 | DBMS account password reuse | CAT II | No | No | None | No | Password reuse is not allowed on Oracle Audit Vault and Database Firewall. |
DG0128-ORACLE11 | DBMS default passwords | CAT I | Yes | No | No | No | Account |
DG0133-ORACLE11 | DBMS Account lock time | CAT II | Yes | No | No | No | No |
DG0141-ORACLE11 | DBMS access control bypass | CAT II | Yes | No | No | No | Users can use a script to audit the following events: |
DG0142-ORACLE11 | DBMS Privileged action audit | CAT II | No | No | None | No | No |
DG0192-ORACLE11 | DBMS fully-qualified name for remote access | CAT II | Yes | No | No | No | Currently not supported |
DO0231-ORACLE11 | Oracle application object owner tablespaces | CAT II | No | No | No | No | Currently not supported |
DO0250-ORACLE11 | Oracle database link usage | CAT II | No | Yes | No | No | For more information, see DG0075-ORACLE11, DO0250-ORACLE11 STIG Rules. |
DO0270-ORACLE11 | Oracle redo log file availability | CAT II | No | No | No | No | Currently not supported |
DO0350-ORACLE11 | Oracle system privilege assignment | CAT II | No | No | No | No | Currently not supported |
DO3475-ORACLE11 | Oracle | CAT II | No | No | No | No | Currently not supported |
DO3536-ORACLE11 | Oracle | CAT II | Yes | No | No | No | No |
DO3540-ORACLE11 | Oracle | CAT II | No | No | None | No | Parameter |
DO3609-ORACLE11 | System privileges granted WITH ADMIN OPTION | CAT II | No | No | No | No | Currently not supported |
DO3610-ORACLE11 | Oracle minimum object auditing | CAT II | No | No | No | No | Currently not supported |
DO3689-ORACLE11 | Oracle object permission assignment to PUBLIC | CAT II | No | No | No | No | Currently not supported |
DO3696-ORACLE11 | Oracle RESOURCE_LIMIT parameter | CAT II | No | No | No | No | Currently not supported |
O121-BP-021900 | The Oracle | CAT I | No | No | No | Yes | None |
O121-BP-022000 | The Oracle | CAT I | No | No | No | Yes | None |
O121-BP-022700 | The | CAT I | No | No | No | Yes | None |
O121-C1-004500 | DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS. | CAT I | No | No | No | Yes | In Audit Vault and Database Firewall, only the Oracle user can connect to the database as SYSDBA. The Oracle user is granted only the necessary privileges. |
O121-C1-011100 | Oracle software must be evaluated and patched against newly found vulnerabilities. | CAT I | No | No | No | No | Apply the Audit Vault and Database Firewall quarterly bundle patch, which patches the OS, DB, and Java on the Audit Vault Server and Database Firewall. |
O121-C1-015000 | DBMS default accounts must be assigned custom passwords. | CAT I | Yes | No | No | Yes | DVSYS is assigned a custom password in the product. Other users are assigned passwords through the STIG script. |
O121-C1-015400 | The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | CAT I | No | No | No | Yes | None |
O121-C1-019700 | The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. | CAT I | No | No | No | Yes | On the Audit Vault Server, the following list of encryption algorithms is set in sqlnet.ora: SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,AES192,AES128). The communication between the agent and the Audit Vault Server is encrypted. |
O121-N1-015601 | Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals. | CAT I | No | No | No | Yes | All passwords in Audit Vault and Database Firewall are either stored in Oracle Wallet or encrypted in the database. All passwords are sent through an encrypted channel. |
O121-N1-015602 | When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password. | CAT I | No | No | No | Cannot completely comply. | Audit Vault and Database Firewall has a command line interface, AVCLI. The password can be typed in clear text without any issue. However, AVCLI also provides an alternative login method that does not expose the password as clear text. |
O121-OS-004600 | Use of the DBMS software installation account must be restricted to DBMS software installation. | CAT I | No | No | No | Yes | None |
O121-BP-021300 | Oracle instance names must not contain Oracle version numbers. | CAT II | No | No | No | Yes | None |
O121-BP-021400 | Fixed user and public database links must be authorized for use. | CAT II | No | See Note. | No | No | |
O121-BP-022100 | The Oracle SQL92_SECURITY parameter must be set to TRUE. | CAT II | No | No | No | Yes | None |
O121-BP-022200 | The Oracle | CAT II | No | No | No | Yes | None |
O121-BP-022300 | System privileges granted using the | CAT II | No | No | No | Yes | None |
O121-BP-022400 | System privileges must not be granted to | CAT II | No | No | No | Yes | None |
O121-BP-022500 | Oracle roles granted using the | CAT II | No | No | No | Yes | None |
O121-BP-022600 | Object permissions granted to | CAT II | No | No | No | Yes | None |
O121-BP-022800 | Application role permissions must not be assigned to the Oracle | CAT II | No | No | No | Yes | None |
O121-BP-023000 | Connections by mid-tier web and application systems to the Oracle DBMS must be protected, encrypted, and authenticated according to database, web, application, enclave, and network requirements. | CAT II | No | No | No | Yes | None |
O121-BP-023200 | Unauthorized database links must not be defined and left active. | CAT II | No | See Note. | No | No | |
O121-BP-023600 | Only authorized system accounts must have the | CAT II | No | No | No | Yes | None |
O121-BP-023900 | The Oracle | CAT II | No | No | No | Yes | None |
O121-BP-025200 | Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users. | CAT II | No | See Note. | No | No | |
O121-BP-025700 | DBMS data files must be dedicated to support individual applications. | CAT II | No | No | No | Yes | None |
O121-BP-025800 | Changes to configuration options must be audited. | CAT II | No | No | No | Yes | None |
O121-BP-026600 | Network client connections must be restricted to supported versions. | CAT II | No | No | No | Yes | The following parameter in sqlnet.ora on the Audit Vault Server is set to |
O121-C2-002100 | The DBMS must automatically disable accounts after a period of 35 days of account inactivity. | CAT II | Yes | No | No | No | None |
O121-C2-003000 | The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user. | CAT II | No | No | No | Yes | None |
O121-C2-003400 | DBMS processes or services must run under custom and dedicated OS accounts. | CAT II | No | No | No | Yes | None |
O121-C2-003600 | A single database connection configuration file must not be used to configure all database clients. | CAT II | No | No | No | Yes | None |
O121-C2-004900 | The DBMS must verify account lockouts and persist until reset by an administrator. | CAT II | Addressed in Audit Vault and Database Firewall 12.2.0.1.0 STIG script. | No | No | No | None |
O121-C2-006700 | A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user. | CAT II | No | No | No | Yes | None |
O121-C2-006900 | The DBMS must allow designated organizational personnel to select specific events that can be audited by the database. | CAT II | No | No | No | Yes | None |
O121-C2-011500 | Default demonstration, sample databases, database objects, and applications must be removed. | CAT II | No | No | No | Yes | None |
O121-C2-011600 | Unused database components, DBMS software, and database objects must be removed. | CAT II | No | No | No | Yes | None |
O121-C2-011700 | Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled. | CAT II | No | No | No | Yes | None |
O121-C2-013800 | The DBMS must support organizational requirements to disable user accounts after a defined time period of inactivity set by the organization. | CAT II | Yes | No | No | No | None |
O121-C2-014600 | The DBMS must support organizational requirements to enforce password encryption for storage. | CAT II | No | No | No | Yes | None |
O121-C2-015100 | DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code. | CAT II | No | No | No | Yes | None |
O121-C2-015200 | The DBMS must enforce password maximum lifetime restrictions. | CAT II | Yes | No | No | No | None |
Note:
The use of the DB link has already been documented in Audit Vault and Database Firewall 12.2.0.1.0 STIG documentation.
Additional notes regarding STIG IDs are in Table F-2.
Object owner accounts in Audit Vault Server:
AVSYS
APEX_040100
MANAGEMENT
AVRULEOWNER
SECURELOG
AVREPORTUSER
Object owner accounts in Database Firewall:
APEX_040100
MANAGEMENT
SECURELOG
Database links used on Oracle Audit Vault Server:
AVRPTUSR_LINK.DBFWDB: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)) (CONNECT_DATA=(SERVICE_NAME=dbfwdb)))
The database link is created during installation of the Oracle Audit Vault Server and is used by the REDO collector.
Table F-3 lists accounts and role assignments in Audit Vault Server.
Table F-3 Accounts and Role Assignments in Audit Vault Server
Account | Role Assignment |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Table F-4 lists accounts and role assignments in Database Firewall.
Table F-4 Accounts and Role Assignments in Database Firewall
Account | Role Assignment |
---|---|
|
|
|
|
Learn about the current implementation of operating system STIG rules.
This topic contains information on the current implementation of Operating System STIG Rules on Oracle Audit Vault and Database Firewall.
Note:
The Operating System STIG Rule set reference is as follows:
Table F-5 Operating System STIG Rule Set Reference
Reference | Detail |
---|---|
Document | Oracle Linux 6 Security Technical Implementation Guide |
Version | 1 |
Release | 6 |
Release Date | 22/April/2016 |
Document Link | |
Table F-6 User Action – Definition and Guidelines
User action | Description of the guideline |
---|---|
None | The guideline is implemented by default and no user action is required. |
Enable strict mode | The guideline can be implemented by switching the appliance to strict mode. |
Site policy | The guideline can be implemented depending on local policy and requires administrator action. See the Notes column for additional information on implementation. |
Administrative task | The guideline is implemented by an administrator configuration action after installation or upgrade. It can also be a regularly used and defined administrative procedure. |
Table F-7 shows the current implementation of Operating System STIG Rules on Oracle Audit Vault and Database Firewall.
Table F-7 Current Implementation of Operating System STIG Rules
STIG ID | Severity | User action | Title | Notes |
---|---|---|---|---|
OL6-00-000008 |
CAT I |
None |
Vendor provided cryptographic certificates must be installed to verify the integrity of system software. |
Implemented by default |
OL6-00-000019 |
CAT I |
None |
There must be no |
Implemented by default |
OL6-00-000030 |
CAT I |
None |
The system must not have accounts configured with blank or null passwords. |
Implemented by default |
OL6-00-000206 |
CAT I |
None |
The |
Implemented by default |
OL6-00-000211 |
CAT I |
None |
The telnet daemon must not be running. |
Implemented by default |
OL6-00-000213 |
CAT I |
None |
The |
Implemented by default |
OL6-00-000214 |
CAT I |
None |
The |
Implemented by default |
OL6-00-000216 |
CAT I |
None |
The |
Implemented by default |
OL6-00-000218 |
CAT I |
None |
The |
Implemented by default |
OL6-00-000227 |
CAT I |
None |
The SSH daemon must be configured to use only the SSHv2 protocol. |
Implemented by default |
OL6-00-000239 |
CAT I |
None |
The SSH daemon must not allow authentication using an empty password. |
Implemented by default |
OL6-00-000284 |
CAT I |
Administrative task |
The system must use and update a DoD approved virus scan program. |
Audit Vault and Database Firewall does not ship with an anti-virus. The administrator may install one. |
OL6-00-000286 |
CAT I |
None |
The x86 |
Implemented by default |
OL6-00-000309 |
CAT I |
None |
The NFS server must not have the insecure file locking option enabled. |
Implemented by default |
OL6-00-000338 |
CAT I |
None |
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. |
Implemented by default |
OL6-00-000341 |
CAT I |
Administrative task |
The |
Audit Vault and Database Firewall randomizes the SNMP community string at install time. Use the WUI to set a specific value. |
OL6-00-000005 |
CAT II |
Administrative task |
The audit system must alert designated staff members when the audit storage volume approaches capacity. |
Configure remote |
OL6-00-000011 |
CAT II |
Administrative task |
System security patches and updates must be installed and up to date. |
Apply bundle patches in a timely manner. |
OL6-00-000013 |
CAT II |
None |
The system package management tool must cryptographically verify the authenticity of system software packages during installation. |
Implemented by default |
OL6-00-000016 |
CAT II |
None |
A file integrity tool must be installed. |
Implemented by default |
OL6-00-000017 |
CAT II |
None |
The system must use a Linux Security Module at boot time. |
Implemented by default |
OL6-00-000027 |
CAT II |
None |
The system must prevent the root account from logging in from virtual consoles. |
Implemented by default |
OL6-00-000031 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000032 |
CAT II |
None |
The root account must be the only account having a UID of 0. |
Implemented by default |
OL6-00-000033 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000034 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000035 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000036 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000037 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000038 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000039 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000040 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000041 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000042 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000043 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000044 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000046 |
CAT II |
None |
Library files must be owned by a system account. |
Implemented by default |
OL6-00-000047 |
CAT II |
None |
All system command files must have mode 755 or less permissive. |
Implemented by default |
OL6-00-000048 |
CAT II |
None |
All system command files must be owned by root. |
Implemented by default |
OL6-00-000050 |
CAT II |
Enable strict mode |
The system must require passwords to contain a minimum of 15 characters. |
Implemented in strict mode |
OL6-00-000051 |
CAT II |
None |
Users must not be able to change passwords more than once every 24 hours. |
Implemented by default |
OL6-00-000053 |
CAT II |
Enable strict mode |
User passwords must be changed at least every 60 days. |
Implemented in strict mode |
OL6-00-000061 |
CAT II |
None |
The system must disable accounts after three consecutive unsuccessful login attempts. |
Implemented by default |
OL6-00-000062 |
CAT II |
None |
The system must use a |
Implemented by default |
OL6-00-000063 |
CAT II |
None |
The system must use a |
Implemented by default |
OL6-00-000064 |
CAT II |
None |
The system must use a |
Implemented by default |
OL6-00-000065 |
CAT II |
None |
The system boot loader configuration files must be owned by root. |
Implemented by default |
OL6-00-000066 |
CAT II |
None |
The system boot loader configuration files must be group-owned by root. |
Implemented by default |
OL6-00-000067 |
CAT II |
None |
The system boot loader configuration files must have mode 0600 or less permissive. |
Implemented by default |
OL6-00-000069 |
CAT II |
Administrative task |
The system must require authentication upon booting into single-user and maintenance modes. |
|
OL6-00-000070 |
CAT II |
None |
The system must not permit interactive boot. |
Implemented by default |
OL6-00-000078 |
CAT II |
None |
The system must implement virtual address space randomization. |
Implemented by default |
OL6-00-000079 |
CAT II |
None |
The system must limit the ability of processes to have simultaneous write and execute access to memory. |
Implemented by default |
OL6-00-000080 |
CAT II |
None |
The system must not send ICMPv4 redirects by default. |
Implemented by default |
OL6-00-000081 |
CAT II |
None |
The system must not send ICMPv4 redirects from any interface. |
Implemented by default |
OL6-00-000082 |
CAT II |
None |
IP forwarding for IPv4 must not be enabled, unless the system is a router. |
Implemented by default |
OL6-00-000083 |
CAT II |
None |
The system must not accept IPv4 source-routed packets on any interface. |
Implemented by default |
OL6-00-000084 |
CAT II |
None |
The system must not accept ICMPv4 redirect packets on any interface. |
Implemented by default |
OL6-00-000086 |
CAT II |
None |
The system must not accept ICMPv4 secure redirect packets on any interface. |
Implemented by default |
OL6-00-000089 |
CAT II |
None |
The system must not accept IPv4 source-routed packets by default. |
Implemented by default |
OL6-00-000090 |
CAT II |
None |
The system must not accept ICMPv4 secure redirect packets by default. |
Implemented by default |
OL6-00-000095 |
CAT II |
None |
The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. |
Implemented by default |
OL6-00-000096 |
CAT II |
None |
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. |
Implemented by default |
OL6-00-000097 |
CAT II |
None |
The system must use a reverse-path filter for IPv4 network traffic when possible by default. |
Implemented by default |
OL6-00-000098 |
CAT II |
None |
The IPv6 protocol handler must not be bound to the network stack unless needed. |
Implemented by default |
OL6-00-000099 |
CAT II |
None |
The system must ignore ICMPv6 redirects by default. |
Implemented by default |
OL6-00-000103 |
CAT II |
None |
The system must employ a local IPv6 firewall. |
Not applicable |
OL6-00-000106 |
CAT II |
None |
The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
Not applicable |
OL6-00-000107 |
CAT II |
None |
The operating system must prevent public IPv6 access into the organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. |
Not applicable |
OL6-00-000113 |
CAT II |
None |
The system must employ a local IPv4 firewall. |
Implemented by default |
OL6-00-000116 |
CAT II |
Site policy |
The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
This is outside of the scope of Audit Vault and Database Firewall and must be enforced externally. |
OL6-00-000117 |
CAT II |
None |
The operating system must prevent public IPv4 access to internal networks of an organization. This excludes appropriately mediated and managed interfaces employing boundary protection devices. |
Implemented by default |
OL6-00-000120 |
CAT II |
None |
The local IPv4 firewall of the system must implement a deny-all and allow-by-exception policy for inbound packets. |
Implemented by default |
OL6-00-000124 |
CAT II |
None |
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. |
Implemented by default |
OL6-00-000125 |
CAT II |
None |
The Stream Control Transmission Protocol (SCTP) must be disabled unless required. |
Implemented by default |
OL6-00-000127 |
CAT II |
None |
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. |
Implemented by default |
OL6-00-000133 |
CAT II |
None |
All |
Implemented by default |
OL6-00-000145 |
CAT II |
None |
The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. |
Implemented by default |
OL6-00-000148 |
CAT II |
None |
The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods. |
Implemented by default |
OL6-00-000154 |
CAT II |
None |
The operating system must produce audit records containing sufficient information to establish what type of events occurred. |
Implemented by default |
OL6-00-000159 |
CAT II |
None |
The system must retain enough rotated audit logs to cover the required log retention period. |
Implemented by default |
OL6-00-000160 |
CAT II |
None |
The system must set a maximum audit log file size. |
Implemented by default |
OL6-00-000161 |
CAT II |
None |
The system must rotate audit log files that reach the maximum file size. |
Implemented by default |
OL6-00-000163 |
CAT II |
None |
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. |
Implemented by default |
OL6-00-000202 |
CAT II |
None |
The audit system must be configured to audit the loading and unloading of dynamic kernel modules. |
Implemented by default |
OL6-00-000203 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000220 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000221 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000222 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000223 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000224 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000234 |
CAT II |
None |
The SSH daemon must ignore |
Implemented by default |
OL6-00-000236 |
CAT II |
None |
The SSH daemon must not allow host-based authentication. |
Implemented by default |
OL6-00-000237 |
CAT II |
None |
The system must not permit root login using remote access programs such as |
Implemented by default |
OL6-00-000243 |
CAT II |
None |
The |
Implemented by default |
OL6-00-000247 |
CAT II |
Administrative task |
The system clock must be synchronized continuously, or at least daily. |
Use the WUI to configure NTP servers. |
OL6-00-000248 |
CAT II |
None |
The system clock must be synchronized to an authoritative DoD time source. |
Implemented by default |
OL6-00-000249 |
CAT II |
None |
Mail relaying must be restricted. |
Implemented by default. Audit Vault and Database Firewall does not contain an SMTA. |
OL6-00-000252 |
CAT II |
None |
If the system is using LDAP for authentication or account information, the system must use a |
Audit Vault and Database Firewall does not use LDAP for authentication or account information. |
OL6-00-000253 |
CAT II |
None |
The LDAP client must use a |
Audit Vault and Database Firewall does not use LDAP client. |
OL6-00-000257 |
CAT II |
None |
The graphical desktop environment must set the idle time out value not exceeding 15 minutes. |
Implemented by default |
OL6-00-000258 |
CAT II |
None |
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user re-authentication to unlock the environment. |
Implemented by default |
| STIG ID | Severity | Action | Title | Oracle notes |
| --- | --- | --- | --- | --- |
| OL6-00-000259 | CAT II | None | The graphical desktop environment must have automatic lock enabled. | Implemented by default |
| OL6-00-000269 | CAT II | None | Remote file systems must be mounted with the | Implemented by default |
| OL6-00-000270 | CAT II | None | Remote file systems must be mounted with the | Implemented by default |
| OL6-00-000274 | CAT II | None | The system must prohibit the reuse of passwords within five iterations. | Implemented by default |
| OL6-00-000278 | CAT II | None | The system package management tool must verify permissions on all files and directories associated with the audit package. | Implemented by default |
| OL6-00-000279 | CAT II | None | The system package management tool must verify ownership on all files and directories associated with the audit package. | Implemented by default |
| OL6-00-000280 | CAT II | None | The system package management tool must verify group-ownership on all files and directories associated with the audit package. | Implemented by default |
| OL6-00-000281 | CAT II | None | The system package management tool must verify contents of all files associated with the audit package. | Implemented by default |
| OL6-00-000282 | CAT II | None | There must be no world-writable files on the system. | Implemented by default |
| OL6-00-000285 | CAT II | None | The system must have a host-based intrusion detection tool installed. | Implemented by default |
| OL6-00-000288 | CAT II | None | The | Implemented by default |
| OL6-00-000290 | CAT II | None | X Windows must not be enabled unless required. | Implemented by default |
| OL6-00-000311 | CAT II | Administrative task | The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. | Configure remote syslog forwarding. |
| OL6-00-000313 | CAT II | None | The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. | Implemented by default |
| OL6-00-000315 | CAT II | None | The Bluetooth kernel module must be disabled. | Implemented by default |
| OL6-00-000320 | CAT II | None | The systems local firewall must implement a | Implemented by default |
| OL6-00-000324 | CAT II | None | A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | Implemented by default |
| OL6-00-000326 | CAT II | None | The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts. | Audit Vault and Database Firewall does not contain a graphical desktop environment. |
| OL6-00-000331 | CAT II | None | The | Implemented by default |
| OL6-00-000347 | CAT II | None | There must be no | Implemented by default |
| OL6-00-000348 | CAT II | None | The | Audit Vault and Database Firewall does not serve FTP or FTPS. |
| OL6-00-000356 | CAT II | Enable strict mode | The system must require administrator action to unlock an account locked by excessive failed login attempts. | Implemented in strict mode |
| OL6-00-000357 | CAT II | None | The system must disable accounts after excessive login failures within a 15 minute interval. | Implemented by default |
| OL6-00-000372 | CAT II | None | The operating system, upon successful login or access, must display to the user the number of unsuccessful login or access attempts since the last successful login or access. | Implemented by default |
| OL6-00-000383 | CAT II | None | Audit log files must have mode 0640 or less permissive. | Implemented by default |
| OL6-00-000384 | CAT II | None | Audit log files must be owned by root. | Implemented by default |
| OL6-00-000385 | CAT II | None | Audit log directories must have mode 0755 or less permissive. | Implemented by default |
| OL6-00-000503 | CAT II | None | The operating system must enforce requirements for the connection of mobile devices to operating systems. | Implemented by default |
| OL6-00-000504 | CAT II | Site policy | The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. | |
| OL6-00-000505 | CAT II | Site policy | The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. | |
| OL6-00-000507 | CAT II | None | The operating system, upon successful logon, must display to the user the date and time of the last logon or access through ssh. | Implemented by default |
| OL6-00-000522 | CAT II | None | Audit log files must be group-owned by root. | Implemented by default |
| OL6-00-000523 | CAT II | None | The systems local IPv6 firewall must implement a | Not applicable |
| OL6-00-000524 | CAT II | Site policy | The system must provide automated support for account management functions. | None |
| OL6-00-000527 | CAT II | None | The login user list must be disabled. | Audit Vault and Database Firewall does not include a graphical login. |
| OL6-00-000529 | CAT II | None | The sudo command must require authentication. | Implemented by default. Accounts which are permitted to use sudo are not permitted to login. |
| OL6-00-000001 | CAT III | None | The system must use a separate file system for | Implemented by default |
| OL6-00-000002 | CAT III | None | The system must use a separate file system for | Audit Vault and Database Firewall uses separate file systems for directories under |
| OL6-00-000003 | CAT III | None | The system must use a separate file system for | Implemented by default |
| OL6-00-000007 | CAT III | None | The system must use a separate file system for user home directories. | Implemented by default |
| OL6-00-000009 | CAT III | None | The Red Hat Network Service ( | Implemented by default |
| OL6-00-000015 | CAT III | None | The system package management tool must cryptographically verify the authenticity of all software packages during installation. | Implemented by default |
| OL6-00-000023 | CAT III | None | The system must use a Linux Security Module configured to limit the privileges of system services. | Implemented by default |
| OL6-00-000028 | CAT III | None | The system must prevent the root account from logging in from serial consoles. | Implemented by default |
| OL6-00-000054 | CAT III | None | Users must be warned 7 days in advance of password expiration. | Implemented by default |
| OL6-00-000056 | CAT III | None | The system must require passwords to contain at least one numeric character. | Implemented by default |
| OL6-00-000057 | CAT III | None | The system must require passwords to contain at least one uppercase alphabetic character. | Implemented by default |
| OL6-00-000058 | CAT III | None | The system must require passwords to contain at least one special character. | Implemented by default |
| OL6-00-000059 | CAT III | None | The system must require passwords to contain at least one lower-case alphabetic character. | Implemented by default |
| OL6-00-000060 | CAT III | Administrative task | The system must require at least eight characters be changed between the old and new passwords during a password change. | |
| OL6-00-000091 | CAT III | None | The system must ignore ICMPv4 redirect messages by default. | Implemented by default |
| OL6-00-000092 | CAT III | None | The system must not respond to ICMPv4 sent to a broadcast address. | Implemented by default |
| OL6-00-000093 | CAT III | None | The system must ignore ICMPv4 bogus error responses. | Implemented by default |
| OL6-00-000126 | CAT III | None | The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. | Implemented by default |
| OL6-00-000138 | CAT III | None | System logs must be rotated daily. | Implemented by default |
| OL6-00-000165 | CAT III | None | The audit system must be configured to audit all attempts to alter system time through | Implemented by default |
| OL6-00-000167 | CAT III | None | The audit system must be configured to audit all attempts to alter system time through | Implemented by default |
| OL6-00-000169 | CAT III | None | The audit system must be configured to audit all attempts to alter system time through | Implemented by default |
| OL6-00-000171 | CAT III | None | The audit system must be configured to audit all attempts to alter system time through | Implemented by default |
| OL6-00-000173 | CAT III | None | The audit system must be configured to audit all attempts to alter system time through | Implemented by default |
| OL6-00-000174 | CAT III | None | The operating system must automatically audit account creation. | Implemented by default |
| OL6-00-000175 | CAT III | None | The operating system must automatically audit account modification. | Implemented by default |
| OL6-00-000176 | CAT III | None | The operating system must automatically audit account disabling actions. | Implemented by default |
| OL6-00-000177 | CAT III | None | The operating system must automatically audit account termination. | Implemented by default |
| OL6-00-000183 | CAT III | None | The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). | Implemented by default |
| OL6-00-000184 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000185 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000186 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000187 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000188 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000189 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000190 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000191 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000192 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000193 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000194 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000195 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000196 | CAT III | None | The audit system must be configured to audit all discretionary access control permission modifications using | Implemented by default |
| OL6-00-000197 | CAT III | None | The audit system must be configured to audit failed attempts to access files and programs. | Implemented by default |
| OL6-00-000199 | CAT III | None | The audit system must be configured to audit successful file system mounts. | Implemented by default |
| OL6-00-000200 | CAT III | None | The audit system must be configured to audit user deletions of files and programs. | Implemented by default |
| OL6-00-000201 | CAT III | None | The audit system must be configured to audit changes to the | Implemented by default |
| OL6-00-000204 | CAT III | None | The | Implemented by default |
| OL6-00-000230 | CAT III | None | The SSH daemon must set a time out interval on idle sessions. | Implemented by default |
| OL6-00-000231 | CAT III | None | The SSH daemon must set a time out count on idle sessions. | Implemented by default |
| OL6-00-000241 | CAT III | None | The SSH daemon must not permit user environment settings. | Implemented by default |
| OL6-00-000246 | CAT III | None | The | Implemented by default |
| OL6-00-000256 | CAT III | None | The | Implemented by default |
| OL6-00-000260 | CAT III | None | The system must display a publicly viewable pattern during a graphical desktop environment session lock. | Implemented by default |
| OL6-00-000261 | CAT III | None | The Automatic Bug Reporting Tool ( | Implemented by default |
| OL6-00-000262 | CAT III | None | The | Implemented by default |
| OL6-00-000265 | CAT III | None | The | Implemented by default |
| OL6-00-000266 | CAT III | None | The | Implemented by default |
| OL6-00-000267 | CAT III | None | The | Implemented by default |
| OL6-00-000268 | CAT III | None | The | Implemented by default |
| OL6-00-000271 | CAT III | None | The | The Audit Vault and Database Firewall |
| OL6-00-000273 | CAT III | None | The system must use SMB client signing, for connecting to samba servers using | Audit Vault and Database Firewall does not use |
| OL6-00-000289 | CAT III | None | The | Implemented by default |
| OL6-00-000291 | CAT III | None | The | Implemented by default |
| OL6-00-000294 | CAT III | None | All GIDs referenced in | Implemented by default |
| OL6-00-000296 | CAT III | None | All accounts on the system must have unique user or account names. | Implemented by default |
| OL6-00-000297 | CAT III | None | Temporary accounts must be provisioned with an expiration date. | Audit Vault and Database Firewall does not support temporary accounts. |
| OL6-00-000298 | CAT III | None | Emergency accounts must be provisioned with an expiration date. | Audit Vault and Database Firewall does not support emergency accounts. |
| OL6-00-000299 | CAT III | None | The system must require passwords to contain no more than three consecutive repeating characters. | Implemented by default |
| OL6-00-000308 | CAT III | Administrative task | Process core dumps must be disabled unless needed. | |
| OL6-00-000319 | CAT III | Administrative task | The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. | |
| OL6-00-000336 | CAT III | None | The sticky bit must be set on all public directories. | Implemented by default |
| OL6-00-000337 | CAT III | None | All public directories must be owned by a system account. | Implemented by default |
| OL6-00-000339 | CAT III | None | The FTP daemon must be configured for logging or verbose mode. | Audit Vault and Database Firewall does not include an FTP daemon. |
| OL6-00-000345 | CAT III | None | The system default | Implemented by default |
| OL6-00-000346 | CAT III | None | The system default | Implemented by default |
| OL6-00-000508 | CAT III | None | The system must allow locking of graphical desktop sessions. | Audit Vault and Database Firewall does not include a graphical desktop. |
| OL6-00-000515 | CAT III | None | The NFS server must not have the | Audit Vault and Database Firewall does not serve NFS. |
| OL6-00-000525 | CAT III | None | Auditing must be enabled at boot by setting a kernel parameter. | Implemented by default |
| OL6-00-000526 | CAT III | None | Automated file system mounting tools must not be enabled unless needed. | Implemented by default |
Note 1 - Alerts through syslog:
Oracle Audit Vault and Database Firewall sends alerts through syslog. Use the WUI to configure an appropriate syslog destination.
The syslog option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.
The messages are in the following forms:
Audit daemon has no space left on logging partition
Audit daemon is suspending logging due to no space left on logging partition
Note 2 - Backup:
Backup is outside the scope of Oracle Audit Vault and Database Firewall.
Oracle Audit Vault and Database Firewall provides the tools to support it (for example, ssh and tar).
Note 3 OL6-00-000319 - administrator actions:
Log in as root user.
Create the following file:
/etc/security/limits.d/99-avdf-maxlogins.conf
Include the following content in the file:
# Bug 24398453
* hard maxlogins 10
Note 4 OL6-00-000308 - administrator actions:
Log in as root user.
Create the following file:
/etc/security/limits.d/99-avdf-core.conf
Include the following content in the file:
# Bug 24397420
* hard core 0
Note 5 OL6-00-000060 - administrator actions:
Log in as root user.
Take backup of the following file:
/usr/local/dbfw/templates/template-system-auth
Upon successfully taking a backup, edit the original file. Search for the string difok=4 and replace it with difok=8.
Run the following command as root user:
/usr/local/dbfw/bin/stig --apply
Verify the change. Review the output of the following command:
find /etc/pam.d -type f \! -name \*.bak -exec fgrep difok {} +
Note 6 OL6-00-000069 - administrator actions:
Log in as root user.
Make a backup of the following file:
/etc/sysconfig/init
Upon successfully taking the backup, edit the file. Find the key SINGLE and replace its line with SINGLE=/sbin/sulogin.
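As an added example that is not part of the Oracle documentation, the POSIX shell script below checks, read-only, that the four administrator actions in Notes 3 to 6 are in place. The function names and file-path parameters are this example's own; the appliance's paths from the notes are used only in the live runner at the end.

```shell
#!/bin/sh
# Added example, not Oracle's code: a read-only compliance check for the
# administrator actions in Notes 3 to 6. Function names, the file-path
# arguments and any sample inputs are this example's own assumptions.

# limits_has FILE DOMAIN TYPE ITEM VALUE: succeed if FILE has an uncommented
# limits.conf line whose four fields match exactly, e.g. "* hard maxlogins 10".
limits_has() {
    file=$1; domain=$2; type=$3; item=$4; value=$5
    [ -r "$file" ] || return 1
    sed 's/#.*//' "$file" | awk -v d="$domain" -v t="$type" -v i="$item" -v v="$value" \
        'NF == 4 && $1 == d && $2 == t && $3 == i && $4 == v { found = 1 }
         END { exit !found }'
}

# difok_at_least FILE MIN: succeed if FILE carries at least one difok=N on an
# uncommented line and every such N is >= MIN (Note 5 raises it from 4 to 8).
difok_at_least() {
    file=$1; min=$2
    [ -r "$file" ] || return 1
    sed 's/#.*//' "$file" | awk -v m="$min" '
        { for (f = 1; f <= NF; f++)
              if ($f ~ /^difok=[0-9]+$/) { n++; split($f, kv, "="); if (kv[2] + 0 < m) bad++ } }
        END { exit (n == 0 || bad > 0) }'
}

# sulogin_required FILE: succeed if FILE (normally /etc/sysconfig/init) sets
# SINGLE=/sbin/sulogin on an uncommented line, so single-user mode asks for root's password.
sulogin_required() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | grep -q '^[[:space:]]*SINGLE=/sbin/sulogin[[:space:]]*$'
}

# Report PASS/FAIL for the live paths named in Notes 3 to 6; the exit status is
# non-zero if any check fails, so this can run from cron or a configuration audit.
stig_notes_check() {
    rc=0
    limits_has /etc/security/limits.d/99-avdf-maxlogins.conf '*' hard maxlogins 10 \
        && echo "PASS OL6-00-000319 maxlogins" || { echo "FAIL OL6-00-000319 maxlogins"; rc=1; }
    limits_has /etc/security/limits.d/99-avdf-core.conf '*' hard core 0 \
        && echo "PASS OL6-00-000308 core dumps" || { echo "FAIL OL6-00-000308 core dumps"; rc=1; }
    # every PAM file that mentions difok (the verify step of Note 5) must carry at least 8
    for f in $(find /etc/pam.d -type f ! -name '*.bak' -exec fgrep -l difok {} +); do
        difok_at_least "$f" 8 && echo "PASS OL6-00-000060 $f" || { echo "FAIL OL6-00-000060 $f"; rc=1; }
    done
    sulogin_required /etc/sysconfig/init \
        && echo "PASS OL6-00-000069 sulogin" || { echo "FAIL OL6-00-000069 sulogin"; rc=1; }
    return $rc
}

# Run the live check only when invoked as "sh check.sh --live" (needs read access to the files).
case "${1:-}" in --live) stig_notes_check ;; esac
```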