H Security Technical Implementation Guides

Oracle Audit Vault and Database Firewall follows compliance standards based on Security Technical Implementation Guides (STIGs).

H.1 About Security Technical Implementation Guides

Learn about Security Technical Implementation Guides.

A Security Technical Implementation Guide (STIG) is a methodology followed by the U.S. Department of Defense (DOD) to reduce the attack surface of computer systems and networks, thereby ensuring a lockdown of highly confidential information stored within the DOD network. STIGs provide secure configuration standards for the DOD's Information Assurance (IA) and IA-enabled devices and systems. STIGs are created by the Defense Information Systems Agency (DISA).

For over a decade, Oracle has worked closely with the DOD to develop, publish, and maintain a growing list of STIGs for a variety of core Oracle products and technologies including:

  • Oracle Database

  • Oracle Solaris

  • Oracle Linux

  • Oracle WebLogic

When STIGs are updated, Oracle analyzes the latest recommendations in order to identify new ways to improve the security of its products by:

  • Implementing new and innovative security capabilities that are then added to future STIG updates

  • Delivering functionality to automate the assessment and implementation of STIG recommendations

  • Improving "out of the box" security configuration settings based upon STIG recommendations

After you enable the STIG rules in Oracle Audit Vault and Database Firewall, the settings are preserved when you perform any upgrades.

STIG recommendations

Oracle Audit Vault Server is a highly tuned and tested software appliance. Any additional software installed on this server can cause unstable behavior. Hence, Oracle does not recommend the installation of any additional software on Oracle Audit Vault Server. If there is a requirement for virus scanning, use external scanners as much as possible.

The following considerations apply when external scanners cannot be used and anti-virus software is installed on the Audit Vault Server:

  • If there is an issue, then Oracle Support may request that you uninstall the anti-virus software to enable troubleshooting.

  • If there are no issues and a new Bundle Patch is to be applied to Oracle Audit Vault and Database Firewall, then Oracle Support may request that you uninstall the anti-virus software, apply the patch, and then re-install the anti-virus software on Oracle Audit Vault Server. This reduces the number of issues seen after applying the patch.

  • If there are no issues but the anti-virus scanner has detected a virus or malware, then contact the anti-virus scanner vendor to verify the validity of the finding.

  • If the anti-virus software was not removed in advance and the Bundle Patch upgrade has failed, then Oracle may recommend a fresh installation of Oracle Audit Vault and Database Firewall followed by the Bundle Patch upgrade. Only after this can the anti-virus scanner be re-installed.

  • If you followed Oracle's instructions but the anti-virus scanner did not uninstall completely and the Bundle Patch upgrade failed, contact the anti-virus vendor for instructions on how to remove their software completely. Once this is done, install the Oracle Audit Vault and Database Firewall Bundle Patch. If the installation fails, then a clean install may be warranted.

H.2 Enabling and Disabling STIG Rules on Oracle Audit Vault and Database Firewall

You can enable STIG rules on Oracle Audit Vault and Database Firewall by enabling Strict mode.

H.2.1 Enabling STIG Rules on Oracle Audit Vault and Database Firewall

Learn how to enable STIG rules on Oracle Audit Vault and Database Firewall.

To enable strict mode:

  1. Log in to the operating system of Oracle Audit Vault Server as the root user.
  2. Run the following command as root:

    /usr/local/dbfw/bin/stig --enable

H.2.2 Disabling STIG Rules on Oracle Audit Vault and Database Firewall

Learn how to disable STIG Rules on Oracle Audit Vault and Database Firewall.

To disable strict mode:

  1. Log in to the operating system of Oracle Audit Vault Server as the root user.
  2. Run the following command as root:

    /usr/local/dbfw/bin/stig --disable

H.3 Current Implementation of STIG Rules on Oracle Audit Vault and Database Firewall

Oracle Audit Vault and Database Firewall is security-hardened because the configurations follow Security Technical Implementation Guide (STIG) recommendations.

Oracle has developed a security-hardened configuration of Oracle Audit Vault and Database Firewall that supports U.S. Department of Defense Security Technical Implementation Guide (STIG) recommendations.

Table H-1 lists the three vulnerability categories used by STIG recommendations.

Table H-1 Vulnerability Categories

Category | Description
CAT I | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT II | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
CAT III | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

H.4 Current Implementation of Database STIG Rules

Learn about the current implementation of database STIG rules on Oracle Audit Vault and Database Firewall.

Table H-2 shows the current implementation of Database STIG rules on Oracle Audit Vault and Database Firewall.

Table H-2 Current Implementation of Database STIG Rules

STIG ID | Title | Severity | Addressed by Script | Addressed by Documentation | Action required | Implemented | Notes
DG0004-ORACLE11 | DBMS application object owner accounts | CAT II | No | No | None | No | Application object owner accounts AVSYS, MANAGEMENT, and SECURELOG are locked after the installation of Oracle Audit Vault and Database Firewall.
DG0008-ORACLE11 | DBMS application object ownership | No | No | Yes | No | No | For more information, see DG0008-ORACLE11 STIG Rule.
DG0014-ORACLE11 | DBMS demonstration and sample databases | CAT II | No | No | None | No | All default demonstration and sample database objects have been removed.
DG0071-ORACLE11 | DBMS password change variance | CAT II | No | No | No | No | Currently not supported
DG0073-ORACLE11 | DBMS failed login account lock | CAT II | Yes | No | No | No | MONITORING_PROFILE no longer exists in Oracle Audit Vault and Database Firewall 12.2. For other profiles, FAILED_LOGIN_ATTEMPTS is set to the required limit in the script.
DG0075-ORACLE11 | DBMS links to external databases | CAT II | No | Yes | No | No | For more information, see DG0075-ORACLE11 and DO0250-ORACLE11 STIG Rules.
DG0077-ORACLE11 | Production data protection on a shared system | CAT II | No | No | None | No | No
DG0116-ORACLE11 | DBMS privileged role assignments | CAT II | Yes | Yes | No | No | Revoked DBFS_ROLE from AV_ADMIN. For more information, see DG0116-ORACLE11 STIG Rule.
DG0117-ORACLE11 | DBMS administrative privilege assignment | CAT II | No | No | No | No | Currently not supported
DG0121-ORACLE11 | DBMS application user privilege assignment | CAT II | No | No | No | No | Currently not supported
DG0123-ORACLE11 | DBMS administrative data access | CAT II | No | No | No | No | Currently not supported
DG0125-ORACLE11 | DBMS account password expiration | CAT II | Yes | No | No | No | MONITORING_PROFILE no longer exists in Oracle Audit Vault and Database Firewall 12.2. For other profiles, PASSWORD_LIFE_TIME is set to the required limit in the script.
DG0126-ORACLE11 | DBMS account password reuse | CAT II | No | No | None | No | Password reuse is not allowed on Oracle Audit Vault and Database Firewall.
DG0128-ORACLE11 | DBMS default passwords | CAT I | Yes | No | No | No | Account OWBSYS_AUDIT no longer exists in Oracle Audit Vault and Database Firewall 12.2. Accounts such as CTXSYS, AUDSYS, DBSNMP, and ORDSYS are assigned a random password in the script.
DG0133-ORACLE11 | DBMS account lock time | CAT II | Yes | No | No | No | No
DG0141-ORACLE11 | DBMS access control bypass | CAT II | Yes | No | No | No | Users can use a script to audit the following events: DROP ANY SYNONYM, DROP ANY INDEXTYPE
DG0142-ORACLE11 | DBMS privileged action audit | CAT II | No | No | None | No | No
DG0192-ORACLE11 | DBMS fully-qualified name for remote access | CAT II | Yes | No | No | No | Currently not supported
DO0231-ORACLE11 | Oracle application object owner tablespaces | CAT II | No | No | No | No | Currently not supported
DO0250-ORACLE11 | Oracle database link usage | CAT II | No | Yes | No | No | For more information, see DG0075-ORACLE11 and DO0250-ORACLE11 STIG Rules.
DO0270-ORACLE11 | Oracle redo log file availability | CAT II | No | No | No | No | Currently not supported
DO0350-ORACLE11 | Oracle system privilege assignment | CAT II | No | No | No | No | Currently not supported
DO3475-ORACLE11 | Oracle PUBLIC access to restricted packages | CAT II | No | No | No | No | Currently not supported
DO3536-ORACLE11 | Oracle IDLE_TIME profile parameter | CAT II | Yes | No | No | No | No
DO3540-ORACLE11 | Oracle SQL92_SECURITY parameter | CAT II | No | No | None | No | Parameter SQL92_SECURITY is already set to TRUE.
DO3609-ORACLE11 | System privileges granted WITH ADMIN OPTION | CAT II | No | No | No | No | Currently not supported
DO3610-ORACLE11 | Oracle minimum object auditing | CAT II | No | No | No | No | Currently not supported
DO3689-ORACLE11 | Oracle object permission assignment to PUBLIC | CAT II | No | No | No | No | Currently not supported
DO3696-ORACLE11 | Oracle RESOURCE_LIMIT parameter | CAT II | No | No | No | No | Currently not supported
O121-BP-021900 | The Oracle REMOTE_OS_AUTHENT parameter must be set to FALSE. | CAT I | No | No | No | Yes | None
O121-BP-022000 | The Oracle REMOTE_OS_ROLES parameter must be set to FALSE. | CAT I | No | No | No | Yes | None
O121-BP-022700 | The Oracle Listener must be configured to require administration authentication. | CAT I | No | No | No | Yes | None
O121-C1-004500 | DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS. | CAT I | No | No | No | Yes | In Audit Vault and Database Firewall, only the Oracle user can connect to the database as SYSDBA. The Oracle user is granted only the necessary privileges.
O121-C1-011100 | Oracle software must be evaluated and patched against newly found vulnerabilities. | CAT I | No | No | No | No | Apply the Audit Vault and Database Firewall quarterly bundle patch, which patches the OS, database, and Java on the Audit Vault Server and Database Firewall.
O121-C1-015000 | DBMS default accounts must be assigned custom passwords. | CAT I | Yes | No | No | Yes | DVSYS is assigned a custom password in the product. Other users are assigned passwords through the STIG script.
O121-C1-015400 | The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key. | CAT I | No | No | No | Yes | None
O121-C1-019700 | The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures. | CAT I | No | No | No | Yes | On Audit Vault Server, the following list of encryption algorithms is set in sqlnet.ora: SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,AES192,AES128). The communication between the agent and the Audit Vault Server is encrypted.
O121-N1-015601 | Applications must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation or use by unauthorized individuals. | CAT I | No | No | No | Yes | All passwords in Audit Vault and Database Firewall are either stored in Oracle Wallet or encrypted in the database. All passwords are sent through an encrypted channel.
O121-N1-015602 | When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative login method that does not expose the password. | CAT I | No | No | No | Cannot completely comply. | Audit Vault and Database Firewall has a command line interface, AVCLI. The password can be typed in clear text without any issue. However, AVCLI also provides an alternative login method that does not expose the password as clear text.
O121-OS-004600 | Use of the DBMS software installation account must be restricted to DBMS software installation. | CAT I | No | No | No | Yes | None
O121-BP-021300 | Oracle instance names must not contain Oracle version numbers. | CAT II | No | No | No | Yes | None
O121-BP-021400 | Fixed user and public database links must be authorized for use. | CAT II | No | See Note. | No | No | See Note.
O121-BP-022100 | The Oracle SQL92_SECURITY parameter must be set to TRUE. | CAT II | No | No | No | Yes | None
O121-BP-022200 | The Oracle REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE. | CAT II | No | No | No | Yes | None
O121-BP-022300 | System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized users. | CAT II | No | No | No | Yes | None
O121-BP-022400 | System privileges must not be granted to the PUBLIC role. | CAT II | No | No | No | Yes | None
O121-BP-022500 | Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts. | CAT II | No | No | No | Yes | None
O121-BP-022600 | Object permissions granted to the PUBLIC role must be restricted. | CAT II | No | No | No | Yes | None
O121-BP-022800 | Application role permissions must not be assigned to the Oracle PUBLIC role. | CAT II | No | No | No | Yes | None
O121-BP-023000 | Connections by mid-tier web and application systems to the Oracle DBMS must be protected, encrypted, and authenticated according to database, web, application, enclave, and network requirements. | CAT II | No | No | No | Yes | None
O121-BP-023200 | Unauthorized database links must not be defined and left active. | CAT II | No | See Note. | No | No | See Note.
O121-BP-023600 | Only authorized system accounts must have the SYSTEM tablespace specified as the default tablespace. | CAT II | No | No | No | Yes | None
O121-BP-023900 | The Oracle _TRACE_FILES_PUBLIC parameter, if present, must be set to FALSE. | CAT II | No | No | No | Yes | None
O121-BP-025200 | Credentials stored and used by the DBMS to access remote databases or applications must be authorized and restricted to authorized users. | CAT II | No | See Note. | No | No | See Note.
O121-BP-025700 | DBMS data files must be dedicated to support individual applications. | CAT II | No | No | No | Yes | None
O121-BP-025800 | Changes to configuration options must be audited. | CAT II | No | No | No | Yes | None
O121-BP-026600 | Network client connections must be restricted to supported versions. | CAT II | No | No | No | Yes | The following parameter is set in sqlnet.ora on the Audit Vault Server: SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
O121-C2-002100 | The DBMS must automatically disable accounts after a period of 35 days of account inactivity. | CAT II | Yes | No | No | No | None
O121-C2-003000 | The DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and including or excluding access to the granularity of a single user. | CAT II | No | No | No | Yes | None
O121-C2-003400 | DBMS processes or services must run under custom and dedicated OS accounts. | CAT II | No | No | No | Yes | None
O121-C2-003600 | A single database connection configuration file must not be used to configure all database clients. | CAT II | No | No | No | Yes | None
O121-C2-004900 | The DBMS must verify account lockouts and persist until reset by an administrator. | CAT II | Addressed in Audit Vault and Database Firewall 12.2.0.1.0 STIG script. | No | No | No | None
O121-C2-006700 | A DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user. | CAT II | No | No | No | Yes | None
O121-C2-006900 | The DBMS must allow designated organizational personnel to select specific events that can be audited by the database. | CAT II | No | No | No | Yes | None
O121-C2-011500 | Default demonstration, sample databases, database objects, and applications must be removed. | CAT II | No | No | No | Yes | None
O121-C2-011600 | Unused database components, DBMS software, and database objects must be removed. | CAT II | No | No | No | Yes | None
O121-C2-011700 | Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled. | CAT II | No | No | No | Yes | None
O121-C2-013800 | The DBMS must support organizational requirements to disable user accounts after a defined time period of inactivity set by the organization. | CAT II | Yes | No | No | No | None
O121-C2-014600 | The DBMS must support organizational requirements to enforce password encryption for storage. | CAT II | No | No | No | Yes | None
O121-C2-015100 | DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code. | CAT II | No | No | No | Yes | None
O121-C2-015200 | The DBMS must enforce password maximum lifetime restrictions. | CAT II | Yes | No | No | No | None

Note:

The use of the DB link has already been documented in Audit Vault and Database Firewall 12.2.0.1.0 STIG documentation.
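Two rows of Table H-2 (O121-C1-019700 and O121-BP-026600) state concrete sqlnet.ora settings for the Audit Vault Server: SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,AES192,AES128) and SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11. The following Python script is an added example, not part of the Oracle documentation or the AVDF product; it parses a sqlnet.ora file and reports any deviation from those two expected values. The two embedded files are constructed samples, and the parser deliberately handles only simple KEY = VALUE lines and flat parenthesised lists, which is all these two parameters need.

```python
"""Check the two sqlnet.ora settings that Table H-2 names for the Audit Vault Server.

Added example; not part of the Oracle documentation or the AVDF product.
"""
import re

# Expected values, taken from the Notes column of Table H-2
# (rows O121-C1-019700 and O121-BP-026600).
EXPECTED_ENCRYPTION_TYPES = ("AES256", "AES192", "AES128")
MIN_ALLOWED_LOGON_VERSION = 11

# Constructed sample files; neither is copied from a real appliance.
COMPLIANT_SQLNET_ORA = """\
# constructed sample that matches the settings named on the page
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 11
"""

WEAK_SQLNET_ORA = """\
# constructed sample with a legacy cipher and an old minimum client version
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128)
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8
"""


def parse_sqlnet_ora(text):
    """Return {PARAMETER: value} for simple KEY = VALUE lines.

    A parenthesised list such as (AES256, AES192) becomes a tuple of
    upper-cased names; any other value becomes an upper-cased string.
    '#' starts a comment. Nested descriptors are not needed here.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            items = [v.strip().upper() for v in value[1:-1].split(",")]
            params[key.upper()] = tuple(v for v in items if v)
        else:
            params[key.upper()] = value.upper()
    return params


def check_sqlnet(params):
    """Return a list of findings; an empty list means both settings match the page."""
    findings = []

    types = params.get("SQLNET.ENCRYPTION_TYPES_SERVER")
    if types is None:
        findings.append("SQLNET.ENCRYPTION_TYPES_SERVER is not set")
    else:
        if isinstance(types, str):  # a single algorithm written without parentheses
            types = (types,)
        extra = sorted(set(types) - set(EXPECTED_ENCRYPTION_TYPES))
        missing = [t for t in EXPECTED_ENCRYPTION_TYPES if t not in types]
        if extra:
            findings.append("encryption types not in the expected list: " + ", ".join(extra))
        if missing:
            findings.append("expected encryption types missing: " + ", ".join(missing))

    version = params.get("SQLNET.ALLOWED_LOGON_VERSION_SERVER")
    match = re.match(r"\d+", version) if isinstance(version, str) else None
    if not match:
        findings.append("SQLNET.ALLOWED_LOGON_VERSION_SERVER is not set to a version number")
    elif int(match.group()) < MIN_ALLOWED_LOGON_VERSION:
        findings.append(
            f"SQLNET.ALLOWED_LOGON_VERSION_SERVER is {version}, "
            f"expected at least {MIN_ALLOWED_LOGON_VERSION}"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_SQLNET_ORA), ("weak", WEAK_SQLNET_ORA)):
        print(name, check_sqlnet(parse_sqlnet_ora(text)) or ["no findings"])
```

To run it against a real file, replace the embedded sample with the contents of sqlnet.ora from the Oracle home on the server; the check reports both additions to the cipher list and omissions from it, because an added legacy algorithm weakens the negotiated protection just as a missing AES variant changes what clients can negotiate.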

H.5 Additional STIG Rule Notes

Learn about additional advice regarding STIG rules.

H.5.1 DG0008-ORACLE11 STIG Rule

Learn about STIG rule DG0008-ORACLE11.

Object owner accounts in Audit Vault Server:

  • APEX

    • APEX_180200 (Oracle AVDF 20.1 to 20.3)

    • APEX_200100 (Oracle AVDF 20.4 to 20.5)

    • APEX_210100 (Oracle AVDF 20.6 and later)

  • MANAGEMENT

  • AVRULEOWNER

  • SECURELOG

  • AVREPORTUSER

  • AVSYS

Object owner accounts in Database Firewall:

  • MANAGEMENT

  • SECURELOG

H.5.2 DG0075-ORACLE11 and DO0250-ORACLE11 STIG Rules

Learn about STIG rules DG0075-ORACLE11 and DO0250-ORACLE11.

Database links used on Oracle Audit Vault Server:

AVRPTUSR_LINK.DBFWDB:
 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521))
 (CONNECT_DATA=(SERVICE_NAME=dbfwdb)))

The database link is created during installation of Oracle Audit Vault Server and is used by the REDO collector.

H.5.3 DG0116-ORACLE11 STIG Rule

Learn about STIG rule DG0116-ORACLE11.

Table H-3 lists accounts and role assignments in Audit Vault Server.

Table H-3 Accounts and Role Assignments in Audit Vault Server

Account | Role Assignment
AV_ADMIN | AQ_ADMINISTRATOR_ROLE, SELECT_CATALOG_ROLE, XDBADMIN
AV_AUDITOR | SELECT_CATALOG_ROLE
AV_MONITOR | SELECT_CATALOG_ROLE
AV_SOURCE | AQ_USER_ROLE
HS_ADMIN_ROLE | HS_ADMIN_EXECUTE_ROLE, HS_ADMIN_SELECT_ROLE
OEM_MONITOR | SELECT_CATALOG_ROLE

Table H-4 lists accounts and role assignments in Database Firewall.

Table H-4 Accounts and Role Assignments in Database Firewall

Account | Role Assignment
HS_ADMIN_ROLE | HS_ADMIN_EXECUTE_ROLE, HS_ADMIN_SELECT_ROLE
OEM_MONITOR | SELECT_CATALOG_ROLE
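DG0116-ORACLE11 is about privileged role assignments, and Table H-2 notes that DBFS_ROLE was revoked from AV_ADMIN. A practical way to keep Table H-3 honest over time is to diff the live grants against it. The following Python script is an added example, not part of the Oracle documentation or the AVDF product. The baseline dictionary is my reading of Table H-3 (each grantee followed by the roles granted to it); the sample rows are constructed in the shape a query on DBA_ROLE_PRIVS (GRANTEE, GRANTED_ROLE) would return and deliberately contain three deviations.

```python
"""Diff the role grants of an Audit Vault Server database against Table H-3.

Added example; not part of the Oracle documentation or the AVDF product.
"""

# Baseline grants as read from Table H-3: grantee -> roles granted to it.
# The grouping of roles under grantees is my reading of the table; adjust it
# to your own approved baseline before relying on the result.
BASELINE = {
    "AV_ADMIN": {"AQ_ADMINISTRATOR_ROLE", "SELECT_CATALOG_ROLE", "XDBADMIN"},
    "AV_AUDITOR": {"SELECT_CATALOG_ROLE"},
    "AV_MONITOR": {"SELECT_CATALOG_ROLE"},
    "AV_SOURCE": {"AQ_USER_ROLE"},
    "HS_ADMIN_ROLE": {"HS_ADMIN_EXECUTE_ROLE", "HS_ADMIN_SELECT_ROLE"},
    "OEM_MONITOR": {"SELECT_CATALOG_ROLE"},
}

# Constructed sample of (GRANTEE, GRANTED_ROLE) rows, in the shape you would
# get from a query on DBA_ROLE_PRIVS. It deliberately contains three deviations.
SAMPLE_ROLE_PRIVS = [
    ("AV_ADMIN", "AQ_ADMINISTRATOR_ROLE"),
    ("AV_ADMIN", "SELECT_CATALOG_ROLE"),
    ("AV_ADMIN", "XDBADMIN"),
    ("AV_ADMIN", "DBFS_ROLE"),              # Table H-2 says this grant was revoked
    ("AV_MONITOR", "SELECT_CATALOG_ROLE"),  # the AV_AUDITOR grant is absent
    ("AV_SOURCE", "AQ_USER_ROLE"),
    ("HS_ADMIN_ROLE", "HS_ADMIN_EXECUTE_ROLE"),
    ("HS_ADMIN_ROLE", "HS_ADMIN_SELECT_ROLE"),
    ("OEM_MONITOR", "SELECT_CATALOG_ROLE"),
    ("REPORT_SVC", "DBA"),                  # hypothetical grantee not in the baseline
]


def role_drift(baseline, role_privs):
    """Compare live (grantee, role) rows with the baseline.

    Returns a dict with three lists:
      unexpected:       (grantee, role) granted but not in the baseline
      missing:          (grantee, role) in the baseline but not granted
      unknown_grantees: grantees holding roles that the baseline never mentions
    Grantee and role names are compared case-insensitively.
    """
    actual = {}
    for grantee, role in role_privs:
        actual.setdefault(grantee.upper(), set()).add(role.upper())

    unexpected, missing, unknown = [], [], []
    for grantee, roles in sorted(actual.items()):
        if grantee not in baseline:
            unknown.append(grantee)
            continue
        unexpected.extend((grantee, r) for r in sorted(roles - baseline[grantee]))
    for grantee, roles in sorted(baseline.items()):
        missing.extend((grantee, r) for r in sorted(roles - actual.get(grantee, set())))
    return {"unexpected": unexpected, "missing": missing, "unknown_grantees": unknown}


if __name__ == "__main__":
    for kind, items in role_drift(BASELINE, SAMPLE_ROLE_PRIVS).items():
        print(f"{kind}: {items}")
```

Unknown grantees are reported separately rather than as "unexpected" grants, because a new account holding a powerful role is a different review question (who created it, and why) from an extra role on an account the baseline already covers.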

H.6 Current Implementation of Operating System STIG Rules

Learn about the current implementation of operating system STIG rules.

This topic contains information on the current implementation of Operating System STIG Rules on Oracle Audit Vault and Database Firewall.

Note:

The Operating System STIG Rule set reference is as follows:

Table H-5 Operating System STIG Rule Set Reference

Reference | Detail
Document | Oracle Linux 7 Security Technical Implementation Guide
Version | 1.1
Release | 7
Release Date | 03/February/2020
Document Link | Oracle Linux Security Technical Implementation Guide

Table H-6 User Action – Definition and Guidelines

User action | Description of the guideline
None | The guideline is implemented by default and no user action is required.
Enable strict mode | The guideline can be implemented by switching the appliance to strict mode.
Site policy | The guideline can be implemented depending on local policy and requires administrator action. See the Notes column for additional information on implementation.
Administrative task | The guideline is implemented by an administrator configuration action after installation or upgrade. It can also be a regularly performed, defined administrative procedure.

The table below contains the current implementation of Operating System STIG Rules on Oracle Audit Vault and Database Firewall.

Table H-7 Current Implementation of Operating System STIG Rules

STIG ID Severity User action Title Notes
OL07-00-010290 CAT I None The Oracle Linux operating system must not have accounts configured with blank or null passwords. Implemented by default
OL07-00-010300 CAT I None The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password. Implemented by default
OL07-00-010440 CAT I None The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface. Implemented by default
OL07-00-010450 CAT I None The Oracle Linux operating system must not allow an unrestricted logon to the system. Implemented by default
OL07-00-010480 CAT I None Oracle Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. Implemented by default
OL07-00-010482 CAT I None Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. Implemented by default
OL07-00-010490 CAT I None Oracle Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. Implemented by default
OL07-00-010491 CAT I None Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. Implemented by default
OL07-00-020000 CAT I None The Oracle Linux operating system must not have the rsh-server package installed. Implemented by default
OL07-00-020010 CAT I None The Oracle Linux operating system must not have the ypserv package installed. Implemented by default
OL07-00-020050 CAT I None The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. Implemented by default
OL07-00-020250 CAT I None The Oracle Linux operating system must be a vendor supported release. Implemented by default
OL07-00-020310 CAT I None The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system. Implemented by default
OL07-00-021710 CAT I None The Oracle Linux operating system must not have the telnet-server package installed. Implemented by default
OL07-00-030000 CAT I None The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users. Implemented by default
OL07-00-040390 CAT I None The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol. Implemented by default
OL07-00-040540 CAT I None The Oracle Linux operating system must not contain .shosts files. Implemented by default
OL07-00-040550 CAT I None The Oracle Linux operating system must not contain shosts.equiv files. Implemented by default
OL07-00-040690 CAT I None The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed. Implemented by default
OL07-00-040700 CAT I None The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. Implemented by default
OL07-00-040710 CAT I None The Oracle Linux operating system must be configured so that remote X connections for interactive users are encrypted. AVDF does not serve X connections.
OL07-00-040800 CAT I None SNMP community strings on the Oracle Linux operating system must be changed from the default. Implemented by default
OL07-00-010030 CAT II None The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. AVDF does not install a graphical user login
OL07-00-010040 CAT II None The Oracle Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. AVDF does not install a graphical user login
OL07-00-010060 CAT II None The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. Implemented by default
OL07-00-010061 CAT II None The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. AVDF does not install a graphical user login
OL07-00-010070 CAT II None The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. AVDF does not install a graphical user interface
OL07-00-010081 CAT II None The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. AVDF does not install a graphical user interface
OL07-00-010090 CAT II None The Oracle Linux operating system must have the screen package installed. Implemented by default
OL07-00-010100 CAT II None The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. AVDF does not install a graphical user interface
OL07-00-010101 CAT II None The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. AVDF does not install a graphical user interface
OL07-00-010110 CAT II None The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. AVDF does not install a graphical user interface
OL07-00-010118 CAT II None The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords. Implemented by default
OL07-00-010119 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. Implemented by default
OL07-00-010120 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character. Implemented by default
OL07-00-010130 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character. Implemented by default
OL07-00-010140 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. Implemented by default
OL07-00-010150 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character. Implemented by default
OL07-00-010160 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed. Implemented by default
OL07-00-010170 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed. Implemented by default
OL07-00-010180 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters. Implemented by default
OL07-00-010190 CAT II None The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters. Implemented by default
OL07-00-010200 CAT II None The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords. Implemented by default
OL07-00-010210 CAT II None The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords. Implemented by default
OL07-00-010220 CAT II None The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords. Implemented by default
OL07-00-010230 CAT II None The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime. Implemented by default
OL07-00-010240 CAT II None The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime. Implemented by default
OL07-00-010250 CAT II Enable strict mode The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime. Implemented in strict mode
OL07-00-010260 CAT II None The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime. Implemented by default
OL07-00-010270 CAT II None The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations. Implemented by default
OL07-00-010280 CAT II None The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length. Implemented by default
OL07-00-010310 CAT II None The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. Implemented by default
OL07-00-010430 CAT II None The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds. Implemented by default
OL07-00-010460 CAT II None The Oracle Linux operating system must not allow users to override SSH environment variables. Implemented by default
OL07-00-010470 CAT II None The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system. Implemented by default
OL07-00-010481 CAT II None The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes. Implemented by default
OL07-00-020100 CAT II None The Oracle Linux operating system must be configured to disable USB mass storage. Implemented by default
OL07-00-020101 CAT II None The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. Implemented by default
OL07-00-020110 CAT II None The Oracle Linux operating system must disable the file system automounter unless required. Implemented by default
OL07-00-020240 CAT II None The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Implemented by default
OL07-00-020610 CAT II None The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory. Implemented by default
OL07-00-021020 CAT II None The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS). Implemented by default
OL07-00-021021 CAT II None The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS). Implemented by default
OL07-00-021030 CAT II None The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group. Implemented by default
OL07-00-021110 CAT II None The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root. Implemented by default
OL07-00-021120 CAT II None The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root. Implemented by default
OL07-00-030210 CAT II None The Oracle Linux operating system must take appropriate action when the audisp-remote buffer is full. Implemented by default
OL07-00-030211 CAT II None The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server. Implemented by default
OL07-00-030350 CAT II None The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Implemented by default
OL07-00-030360 CAT II None The Oracle Linux operating system must audit all executions of privileged functions. Implemented by default
OL07-00-030370 CAT II None The Oracle Linux operating system must audit all uses of the chown syscall. Implemented by default
OL07-00-030380 CAT II None The Oracle Linux operating system must audit all uses of the fchown syscall. Implemented by default
OL07-00-030390 CAT II None The Oracle Linux operating system must audit all uses of the lchown syscall. Implemented by default
OL07-00-030400 CAT II None The Oracle Linux operating system must audit all uses of the fchownat syscall. Implemented by default
OL07-00-030410 CAT II None The Oracle Linux operating system must audit all uses of the chmod syscall. Implemented by default
OL07-00-030420 CAT II None The Oracle Linux operating system must audit all uses of the fchmod syscall. Implemented by default
OL07-00-030430 CAT II None The Oracle Linux operating system must audit all uses of the fchmodat syscall. Implemented by default
OL07-00-030440 CAT II None The Oracle Linux operating system must audit all uses of the setxattr syscall. Implemented by default
OL07-00-030450 CAT II None The Oracle Linux operating system must audit all uses of the fsetxattr syscall. Implemented by default
OL07-00-030460 CAT II None The Oracle Linux operating system must audit all uses of the lsetxattr syscall. Implemented by default
OL07-00-030470 CAT II None The Oracle Linux operating system must audit all uses of the removexattr syscall. Implemented by default
OL07-00-030480 CAT II None The Oracle Linux operating system must audit all uses of the fremovexattr syscall. Implemented by default
OL07-00-030490 CAT II None The Oracle Linux operating system must audit all uses of the lremovexattr syscall. Implemented by default
OL07-00-030500 CAT II None The Oracle Linux operating system must audit all uses of the creat syscall. Implemented by default
OL07-00-030510 CAT II None The Oracle Linux operating system must audit all uses of the open syscall. Implemented by default
OL07-00-030520 CAT II None The Oracle Linux operating system must audit all uses of the openat syscall. Implemented by default
OL07-00-030530 CAT II None The Oracle Linux operating system must audit all uses of the open_by_handle_at syscall. Implemented by default
OL07-00-030540 CAT II None The Oracle Linux operating system must audit all uses of the truncate syscall. Implemented by default
OL07-00-030550 CAT II None The Oracle Linux operating system must audit all uses of the ftruncate syscall. Implemented by default
OL07-00-030560 CAT II None The Oracle Linux operating system must audit all uses of the semanage command. Implemented by default
OL07-00-030570 CAT II None The Oracle Linux operating system must audit all uses of the setsebool command. Implemented by default
OL07-00-030580 CAT II None The Oracle Linux operating system must audit all uses of the chcon command. Implemented by default
OL07-00-030590 CAT II None The Oracle Linux operating system must audit all uses of the setfiles command. Implemented by default
OL07-00-030610 CAT II None The Oracle Linux operating system must generate audit records for all unsuccessful account access events. Implemented by default
OL07-00-030620 CAT II None The Oracle Linux operating system must generate audit records for all successful account access events. Implemented by default
OL07-00-030630 CAT II None The Oracle Linux operating system must audit all uses of the passwd command. Implemented by default
OL07-00-030640 CAT II None The Oracle Linux operating system must audit all uses of the unix_chkpwd command. Implemented by default
OL07-00-030650 CAT II None The Oracle Linux operating system must audit all uses of the gpasswd command. Implemented by default
OL07-00-030660 CAT II None The Oracle Linux operating system must audit all uses of the chage command. Implemented by default
OL07-00-030670 CAT II None The Oracle Linux operating system must audit all uses of the userhelper command. Implemented by default
OL07-00-030680 CAT II None The Oracle Linux operating system must audit all uses of the su command. Implemented by default
OL07-00-030690 CAT II None The Oracle Linux operating system must audit all uses of the sudo command. Implemented by default
OL07-00-030700 CAT II None The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory. Implemented by default
OL07-00-030710 CAT II None The Oracle Linux operating system must audit all uses of the newgrp command. Implemented by default
OL07-00-030720 CAT II None The Oracle Linux operating system must audit all uses of the chsh command. Implemented by default
OL07-00-030740 CAT II None The Oracle Linux operating system must audit all uses of the mount command and syscall. Implemented by default
OL07-00-030750 CAT II None The Oracle Linux operating system must audit all uses of the umount command. Implemented by default
OL07-00-030760 CAT II None The Oracle Linux operating system must audit all uses of the postdrop command. Implemented by default
OL07-00-030770 CAT II None The Oracle Linux operating system must audit all uses of the postqueue command. Implemented by default
OL07-00-030780 CAT II None The Oracle Linux operating system must audit all uses of the ssh-keysign command. Implemented by default
OL07-00-030800 CAT II None The Oracle Linux operating system must audit all uses of the crontab command. Implemented by default
OL07-00-030810 CAT II None The Oracle Linux operating system must audit all uses of the pam_timestamp_check command. Implemented by default
OL07-00-030819 CAT II None The Oracle Linux operating system must audit all uses of the create_module syscall. Implemented by default
OL07-00-030820 CAT II None The Oracle Linux operating system must audit all uses of the init_module syscall. Implemented by default
OL07-00-030821 CAT II None The Oracle Linux operating system must audit all uses of the finit_module syscall. Implemented by default
OL07-00-030830 CAT II None The Oracle Linux operating system must audit all uses of the delete_module syscall. Implemented by default
OL07-00-030840 CAT II None The Oracle Linux operating system must audit all uses of the kmod command. Implemented by default
OL07-00-030870 CAT II None The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. Implemented by default
OL07-00-030871 CAT II None The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. Implemented by default
OL07-00-030872 CAT II None The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. Implemented by default
OL07-00-030873 CAT II None The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. Implemented by default
OL07-00-030874 CAT II None The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. Implemented by default
OL07-00-030880 CAT II None The Oracle Linux operating system must audit all uses of the rename syscall. Implemented by default
OL07-00-030890 CAT II None The Oracle Linux operating system must audit all uses of the renameat syscall. Implemented by default
OL07-00-030900 CAT II None The Oracle Linux operating system must audit all uses of the rmdir syscall. Implemented by default
OL07-00-030910 CAT II None The Oracle Linux operating system must audit all uses of the unlink syscall. Implemented by default
OL07-00-030920 CAT II None The Oracle Linux operating system must audit all uses of the unlinkat syscall. Implemented by default
OL07-00-040201 CAT II None The Oracle Linux operating system must implement virtual address space randomization. Implemented by default
OL07-00-040300 CAT II None The Oracle Linux operating system must be configured so that all networked systems have SSH installed. Implemented by default
OL07-00-040320 CAT II None The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. Implemented by default
OL07-00-040330 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication. Implemented by default
OL07-00-040340 CAT II None The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity. Implemented by default
OL07-00-040350 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication. Implemented by default
OL07-00-040360 CAT II None The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon. Implemented by default
OL07-00-040370 CAT II None The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH. Implemented by default
OL07-00-040380 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication. Implemented by default
OL07-00-040410 CAT II None The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive. Implemented by default
OL07-00-040420 CAT II None The Oracle Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive. Implemented by default
OL07-00-040430 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. Implemented by default
OL07-00-040440 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. Implemented by default
OL07-00-040450 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files. Implemented by default
OL07-00-040460 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation. Implemented by default
OL07-00-040470 CAT II None The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication. Implemented by default
OL07-00-040610 CAT II None The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets. Implemented by default
OL07-00-040620 CAT II None The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. Implemented by default
OL07-00-040630 CAT II None The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. Implemented by default
OL07-00-040640 CAT II None The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. Implemented by default
OL07-00-040641 CAT II None The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. Implemented by default
OL07-00-040650 CAT II None The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. Implemented by default
OL07-00-040660 CAT II None The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. Implemented by default
OL07-00-040730 CAT II None The Oracle Linux operating system must not have an X Windows display manager installed unless approved. Implemented by default
OL07-00-040740 CAT II None The Oracle Linux operating system must not be performing packet forwarding unless the system is a router. Implemented by default
OL07-00-040830 CAT II None The Oracle Linux operating system must not forward IPv6 source-routed packets. Implemented by default
OL07-00-020300 CAT III None The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file. Implemented by default
OL07-00-021310 CAT III None The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent). Implemented by default
OL07-00-021320 CAT III None The Oracle Linux operating system must use a separate file system for /var. AVDF uses separate file systems for directories under /var.
OL07-00-021340 CAT III None The Oracle Linux operating system must use a separate file system for /tmp (or equivalent). Implemented by default
OL07-00-040000 CAT III None The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. Implemented by default
OL07-00-040600 CAT III Administrative task At least two name servers must be configured for Oracle Linux operating systems using DNS resolution. Use the WUI to assign DNS servers.

Note 1 - Alerts through syslog:

Oracle Audit Vault and Database Firewall sends alerts through syslog. Use the WUI to configure an appropriate syslog destination.

The syslog option is acceptable only when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner; forwarding the messages to a destination nobody watches does not satisfy the notification requirement.

The alert messages are the audit daemon's own disk-full messages and take the following form:

Audit daemon has no space left on logging partition
Audit daemon is suspending logging due to no space left on logging partition.

Note 2 - Backup:

Backing up the operating system is outside the scope of Oracle Audit Vault and Database Firewall.

Oracle Audit Vault and Database Firewall provides the standard tools that support a backup process (for example, ssh and tar).
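The rows above are marked "Implemented by default", but after patching or an administrative change you still want evidence that the audit rules, sshd settings and kernel parameters behind those rows are in place. The following is an added example, not Oracle's or AVDF's code: a small checker that parses the text of audit.rules, sshd_config and sysctl output for a subset of the STIG IDs listed above and reports which ones are not satisfied. It runs on constructed sample input embedded in the script (three settings are deliberately non-compliant so that the output shows findings). To use it on a real system, copy /etc/audit/audit.rules, /etc/ssh/sshd_config and the output of `sysctl -a` off the appliance with ssh and run the script elsewhere, since installing software on the Audit Vault Server itself is not recommended. The expected values follow the published OL7 STIG check text and are an assumption to confirm against the STIG release you are audited against; the syscall checks only confirm that a rule exists for both arch=b32 and arch=b64 and do not validate the auid or exit-code filters the STIG also specifies.

```python
"""Offline checker for a subset of the OL7 STIG controls listed in the table above.
Added example, not Oracle/AVDF code: it reads the text of audit.rules, sshd_config and
`sysctl -a` output that you hand it (constructed samples below), so it needs no root and
no live host. Expected values follow the published OL7 STIG check text (an assumption:
re-verify them against the STIG release you are actually audited against)."""
import re
from collections import defaultdict


def parse_audit_rules(text):
    """syscall -> set of arches it is audited for; watched path -> permission flags."""
    syscalls, watches = defaultdict(set), {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "-a":                      # syscall rule: -a always,exit -F arch=.. -S ..
            arch, names = "any", []
            for i, t in enumerate(tok[:-1]):
                if t == "-F" and tok[i + 1].startswith("arch="):
                    arch = tok[i + 1][5:]
                elif t == "-S":
                    names += tok[i + 1].split(",")
            for n in names:
                syscalls[n].add(arch)
        elif tok[0] == "-w" and "-p" in tok:    # file watch: -w /path -p wa
            watches[tok[1]] = tok[tok.index("-p") + 1]
    return syscalls, watches


def parse_kv(text):
    """'Key value' (sshd_config) or 'key = value' (sysctl) lines -> dict, keys lower-cased."""
    out = {}
    for line in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1]
    return out


# STIG ID -> syscall; the STIG wants an always,exit rule for both arch=b32 and arch=b64
SYSCALLS = {"OL07-00-030370": "chown", "OL07-00-030510": "open", "OL07-00-030830": "delete_module"}
# STIG ID -> (watched path, permission flags that must be present in the -w rule)
WATCHES = {"OL07-00-030690": ("/usr/bin/sudo", "x"), "OL07-00-030700": ("/etc/sudoers", "wa"),
           "OL07-00-030873": ("/etc/shadow", "wa")}
# STIG ID -> (sshd_config keyword, predicate on its value)
SSHD = {"OL07-00-010460": ("permituserenvironment", lambda v: v == "no"),
        "OL07-00-040320": ("clientaliveinterval", lambda v: v.isdigit() and 0 < int(v) <= 600),
        "OL07-00-040370": ("permitrootlogin", lambda v: v == "no"),
        "OL07-00-040460": ("useprivilegeseparation", lambda v: v == "sandbox"),
        "OL07-00-040470": ("compression", lambda v: v in ("no", "delayed"))}
# STIG ID -> (sysctl key, required value)
SYSCTL = {"OL07-00-040201": ("kernel.randomize_va_space", "2"),
          "OL07-00-040630": ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
          "OL07-00-040641": ("net.ipv4.conf.all.accept_redirects", "0"),
          "OL07-00-040740": ("net.ipv4.ip_forward", "0")}


def evaluate(audit_rules, sshd_config, sysctl_out):
    """Return {STIG ID: True if satisfied} for every control in the tables above."""
    syscalls, watches = parse_audit_rules(audit_rules)
    sshd, sysctl = parse_kv(sshd_config), parse_kv(sysctl_out)
    result = {}
    for sid, name in SYSCALLS.items():
        result[sid] = {"b32", "b64"} <= syscalls.get(name, set())
    for sid, (path, perms) in WATCHES.items():
        result[sid] = set(perms) <= set(watches.get(path, ""))
    for sid, (key, ok) in SSHD.items():
        result[sid] = key in sshd and bool(ok(sshd[key]))
    for sid, (key, want) in SYSCTL.items():
        result[sid] = sysctl.get(key) == want
    return result


# Constructed samples, mostly compliant, with three deliberate gaps so findings appear:
# delete_module has no b32 rule, the SSH idle timeout exceeds 600 s, and forwarding is on.
SAMPLE_AUDIT_RULES = """\
-a always,exit -F arch=b32 -S chown,chmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,chmod -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S delete_module -k module-change
-w /usr/bin/sudo -p x -F auid>=1000 -F auid!=unset -k privileged-priv_change
-w /etc/sudoers -p wa -k privileged-actions
-w /etc/shadow -p wa -k identity
"""
SAMPLE_SSHD_CONFIG = """\
PermitUserEnvironment no
ClientAliveInterval 900
PermitRootLogin no
UsePrivilegeSeparation sandbox
Compression delayed
"""
SAMPLE_SYSCTL = """\
kernel.randomize_va_space = 2
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 1
"""

if __name__ == "__main__":
    res = evaluate(SAMPLE_AUDIT_RULES, SAMPLE_SSHD_CONFIG, SAMPLE_SYSCTL)
    print("open findings:", sorted(s for s, ok in res.items() if not ok))
```

Extending the tables to the remaining rows is mechanical: every "audit all uses of the X syscall" row becomes an entry in SYSCALLS, every "audit all uses of the X command" row a -p x watch on the binary, and every sysctl-backed network row a key/value pair. Keep the tables in the same order as the STIG so that a finding can be traced straight back to its row.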