22 Security Technical Implementation Guides
About Security Technical Implementation Guides
In keeping with Oracle's commitment to provide a secure environment, Enterprise Manager supports an implementation in the form of compliance standards of several Security Technical Implementation Guides (STIG). A STIG is a set of rules, checklists, and other best practices created by the Defense Information Systems Agency (DISA) to ensure compliance with Department of Defense (DOD)-mandated security requirements.
The currently available STIG-based compliance standards are:
- Security Technical Implementation Guide (STIG Version 1.8) for Oracle Database [Release 1.8]
- Security Technical Implementation Guide (STIG Version 1.8) for Oracle Cluster Database [Release 1.8]
- Security Technical Implementation Guide (STIG Version 8 Release 1.11) for Oracle Database
- Security Technical Implementation Guide (STIG Version 8 Release 1.11) for Oracle Cluster Database
- Oracle 12c Database STIG - Version 1, Release 3 for Oracle Database
- Oracle 12c Database STIG - Version 1, Release 3 for Oracle Cluster Database
- Oracle 11.2g Database STIG - Version 1, Release 6 for Oracle Database
- Oracle 11.2g Database STIG - Version 1, Release 6 for Oracle Cluster Database
- Security Technical Implementation Guide (STIG Version 1.1) for Oracle WebLogic Server 12c
- Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c
- Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3
For detailed information on STIGs, visit the Information Assurance Support Environment website: http://iase.disa.mil/stigs/Pages/index.aspx.
Associating STIG Compliance Standards Targets
To determine whether a database, WebLogic Domain, or other supported target type satisfies the STIG compliance standards, you have to associate that target with the standards.
Handling STIG Compliance Standards Violations
Relationship between monitoring templates, configuration collections and compliance:
Compliance standard rules in the STIG for WLS and Oracle HTTP Server compliance standards are of the type "Repository Rule". For the rules that are automated, this means that Enterprise Manager evaluates each rule against configuration items collected and stored in the management repository.
By default, WLS configuration items required for measuring compliance to this STIG for WLS compliance standard are enabled out of the box. However, administrators can choose to disable WLS configuration collection via the target's Metric and Collection Settings page or via Monitoring Templates. Disabling such collections could negatively impact Enterprise Manager’s ability to measure compliance with the STIG for WLS 12c.
There are four options for handling STIG Compliance Standards:
Fixing the Violation per the STIG Check Recommendation
Address the violation by fixing the security configuration on the supported target types according to the STIG check recommendation.
- From the Enterprise menu, select Compliance, then select Results.
- Select the STIG Compliance Standards row and click Manage Violations.
- Locate the rule violation row in the table and note the recommended fix in the far right column.
After making the change per the recommendation, refresh the database or WebLogic Domain configuration in Enterprise Manager. For example, for the database target:
- Go to the database target home page.
- From the database menu, select Configuration, then select Last Collected.
- From the Actions menu on the right, select Refresh.
- From the Enterprise menu, select Compliance, then select Results. Verify that the violation no longer appears for the database target.
Clearing Manual Rule Violations
Checks that cannot be automated are implemented as Manual Rules. These checks must be performed by the administrator following the procedure described in the rule description or in the STIG guide itself.
When compliance standards containing manual rules are first associated to a target, each manual rule will generate one violation. Administrators can then clear the violation after successfully completing the check. The user performing the operation, as well as a description of the operation, are recorded during the process. Users can also set an expiration date at which time the violation will be re-generated. This provides for periodic reassessment of compliance.
- From the Enterprise menu, select Compliance, then select Results.
- Select the STIG Compliance Standard row, and click Manage Violations.
- Select the Manual Rule Violations tab.
- Select one or more rules and click Clear Violations.
- Enter a reason and optionally an expiration date and click OK.
Suppressing the Violation
Suppressing a violation removes it from the compliance score calculation, as well as the results. Although suppressed, you can still create reports using the management views showing the suppressed violations.
Violations can be permanently or temporarily suppressed allowing for permanent exceptions or grace periods. If you choose to enter a date, the violation will re-appear on that date unless it has been cleared as a result of the underlying condition being corrected.
- From the Enterprise menu, select Compliance, then select Results.
- Select the STIG Compliance Standards row and click Manage Violations.
- Select Unsuppressed Violations.
- Select the rows listing the violations you want to suppress and click the Suppress Violations button.
- In the dialog that opens, select Indefinite or select an expiration date. Optionally provide a reason for the suppression. Click OK.
Customizing the Compliance Standard and Configuration Extension
In some cases, the rule detecting the violation, while desirable in its intent, needs some fine-tuning to work in your environment. The STIG Compliance Standard allows you to view and customize the query that evaluates the compliance standard violation. The process involves the following tasks:
To illustrate the process, assume a scenario where you want to update the query for the database rule DG0116 DBMS privileged role assignments.
Customizing the Configuration Extension
To customize the STIG Configuration extension:
- From the Enterprise menu, select Configuration, then select Configuration Extensions.
- Select the appropriate STIG Configuration table row (database instance or cluster database) and click the Create Like button.
- Provide a new name for the extension; for example, Custom STIG Configuration.
- On the Files & Commands tab, select all the command rows and click Delete.
- On the SQL tab, locate the rule alias DG0116 DBMS privileged role assignments. Delete all other rows above and below it.
- Modify the query for DG0116 and rename the alias; for example, Custom DG0116 DBMS privileged role assignments.
- Preview the results: select the sample target and click Preview.
- If the violation no longer appears, save the Custom STIG Configuration Extension.
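As an added illustration of the kind of edit made at the "Modify the query for DG0116" step, the following query reports every user that holds a privileged role either directly or through a chain of intermediate roles, while excluding accounts on a documented allow-list. This is example code, not Enterprise Manager's shipped DG0116 query; the privileged-role list, the default-account list and the APP_DBA_SVC account are assumed placeholders.

```sql
-- Added example: a customised DG0116-style check (not Oracle's shipped query).
-- Assumptions to adjust per environment: the privileged roles in scope, the
-- Oracle-maintained accounts that hold them out of the box, and the site
-- allow-list (APP_DBA_SVC is a hypothetical approved service account).
WITH role_paths (grantee, path) AS (
    -- Anchor: direct grants of a privileged role. The CAST fixes the column
    -- width for the recursive branch, which builds a longer path string.
    SELECT rp.grantee,
           CAST(rp.granted_role AS VARCHAR2(4000))
      FROM dba_role_privs rp
     WHERE rp.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
                               'DELETE_CATALOG_ROLE')
    UNION ALL
    -- Recursion: a privileged role granted to another role is effectively held
    -- by every grantee of that outer role; a flat DBA_ROLE_PRIVS check misses it.
    -- Oracle rejects circular role grants, so this walk always terminates.
    SELECT rp.grantee,
           rp.granted_role || ' -> ' || p.path
      FROM dba_role_privs rp
      JOIN role_paths p ON rp.granted_role = p.grantee
)
SELECT rp.grantee        AS violating_grantee,
       u.account_status,                      -- NULL for a grant to PUBLIC
       rp.path           AS grant_path        -- how the privileged role is reached
  FROM role_paths rp
  LEFT JOIN dba_users u ON u.username = rp.grantee
 -- Keep real users, plus any grant to PUBLIC; intermediate roles are dropped.
 WHERE (u.username IS NOT NULL OR rp.grantee = 'PUBLIC')
   -- Default accounts that legitimately hold these roles (illustrative list),
   -- followed by the site-specific allow-list that the custom extension carries.
   AND rp.grantee NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN',
                          'APP_DBA_SVC')      -- hypothetical approved account
 ORDER BY rp.grantee, rp.path;
```

Every row returned is a candidate violation; widening the NOT IN list is the customisation, and each name added to it should be backed by a recorded approval so the exception can be reviewed later.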
Customizing the Compliance Standard Rule
To customize the Compliance Standard rule:
- From the Enterprise menu, select Compliance, then select Library.
- Select the Compliance Standard Rules tab and search for rule DG0116 DBMS privileged role assignments with agent-side rule type.
- Select the rule and click the Create Like button.
- Change the name; for example, Custom DG0116 DBMS privileged role assignments. Click Continue.
- On the Check Definition page, click the magnifying glass icon to select a new STIG Configuration Extension (Custom STIG Configuration Extension) and alias (Custom DG0116 DBMS privileged role assignments).
- Select the custom configuration extension and alias and click OK, then click Next to go to the Test page.
- Select a target and test the compliance rule.
- Click Next, then click Finish to create the new compliance rule.
Creating a Compliance Standard to Include the Customized Rule
To create a Compliance Standard with a new rule:
- From the Enterprise menu, select Compliance, then select Library.
- Select the Compliance Standards tab and search for STIG for database instance with agent-side rule type.
- Select the compliance standard and click the Create Like button.
- Change the name; for example, Custom Security Technical Implementation Guide. Click Continue.
- Open the Oracle Database Check Procedures folder in the left pane and scroll down to DG0116 DBMS privileged role assignments.
- Right-click the rule and select Remove Rule Reference from the pop-up menu. Click OK to confirm removal.
- Right-click the Oracle Database Check Procedures folder and select Add Rules from the pop-up menu.
- Locate the Custom DG0116 DBMS privileged role assignments row in the table and click OK.
- On the Compliance Standard Create Like page, click the Save button to create the new compliance standard.
You can now associate the custom compliance standard with target databases as described in Associating STIG Compliance Standards Targets.
STIG Compliance Standard Rules Exceptions
The Enterprise Manager implementation of Security Technical Implementation Guide has some exceptions. The following sections list these exceptions:
Windows Databases
The Enterprise Manager implementation of Security Technical Implementation Guide for Oracle Database does not fully support Windows databases. The following rules do not report violations on Windows databases:
- DG0009 DBMS software library permissions
- DG0019 DBMS software ownership
- DG0012 DBMS software storage location
- DG0102 DBMS services dedicated custom account
- DO0120 Oracle process account host system privileges
- DO0145 Oracle SYSDBA OS group membership
- DG0152 DBMS network port, protocol and services (PPS) use
- DG0179 DBMS warning banner
- DO0286 Oracle connection timeout parameter
- DO0287 Oracle SQLNET.EXPIRE_TIME parameter
- DO6740 Oracle listener ADMIN_RESTRICTIONS parameter
- DO6746 Oracle Listener host references
- DO6751 SQLNET.ALLOWED_LOGON_VERSION
Oracle WebLogic Domains
The Enterprise Manager implementation of Security Technical Implementation Guide (STIG Version 1.1) and Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c is not fully automated.
The following rules will always report violations and need to be verified manually:
- WBLC-01-000013 WebLogic audit security-relevant information
- WBLC-01-000014 WebLogic disable network protocols
- WBLC-01-000018 WebLogic audit account creation
- WBLC-01-000019 WebLogic audit account modification
- WBLC-01-000030 WebLogic log privileged activity
- WBLC-01-000032 WebLogic invalid consecutive access attempts
- WBLC-01-000033 WebLogic user invalid access attempts
- WBLC-01-000034 WebLogic lock user account
- WBLC-02-000069 WebLogic log DoD-selected audit records
- WBLC-02-000073 WebLogic log HTTPD event
- WBLC-02-000074 WebLogic log JVM event
- WBLC-02-000075 WebLogic log severity level
- WBLC-02-000083 WebLogic alert audit failure events
- WBLC-02-000084 WebLogic alert audit processing failure
- WBLC-02-000086 WebLogic notify audit processing failure
- WBLC-02-000093 WebLogic use system clock for audit records
- WBLC-02-000094 WebLogic synchronize system clocks
- WBLC-02-000095 WebLogic protect unauthorized audit information read access
- WBLC-02-000098 WebLogic protect unauthorized audit tools access
- WBLC-02-000099 WebLogic protect unauthorized audit tools modification
- WBLC-02-000100 WebLogic protect unauthorized audit tools deletion
- WBLC-03-000125 WebLogic limit privileges to software libraries
- WBLC-03-000127 WebLogic enable essential capabilities
- WBLC-03-000128 WebLogic restrict use of unauthorized items
- WBLC-05-000150 WebLogic identify and authenticate users
- WBLC-05-000153 WebLogic authenticate users individually
- WBLC-05-000168 WebLogic encrypt password for authentication
- WBLC-05-000169 WebLogic LDAP encryption for authentication
- WBLC-05-000174 WebLogic PKI-based authentication for user accounts
- WBLC-05-000176 WebLogic FIPS-compliant encryption for configuration
- WBLC-05-000177 WebLogic FIPS-compliant encryption for users and processes
- WBLC-08-000214 WebLogic NSA-approved cryptography classified compartmentalized
- WBLC-08-000218 WebLogic public information protection
- WBLC-08-000222 WebLogic hosted application separation
- WBLC-08-000236 WebLogic Denial of Service
- WBLC-08-000237 WebLogic prioritize resources
- WBLC-08-000238 WebLogic secure failure
- WBLC-09-000252 WebLogic security-relevant error
- WBLC-09-000253 WebLogic log messages corrective action
- WBLC-09-000254 WebLogic log messages limited access
- WBLC-09-000257 WebLogic notifications to response personnel
- WBLC-10-000270 WebLogic audit subsystem failure notification
- WBLC-10-000271 WebLogic centralized enterprise tool
- WBLC-10-000272 WebLogic multi-factor user authentication
Oracle HTTP Server
The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 is not fully automated.
The following rules will always report violations and need to be verified manually:
- OH12-1X-000225 Symbolic links not used in web content directory tree
- OH12-1X-000226 OHS secure administration
- OH12-1X-000266 OHS Accounts Verification
Enterprise Manager's compliance standard for STIG Version 1 for OHS 12.1.3 includes CAT I level rules from the DISA published STIG Version 1 for OHS 12.1.3. CAT II and CAT III rules are not included in the compliance standard and must consequently be tracked outside of Enterprise Manager Cloud Control. For a complete list of all rules in the DISA published STIG Version 1 for OHS 12.1.3, refer to http://iase.disa.mil/stigs/app-security/web-servers/Pages/index.aspx.
Oracle Database STIG Compliance Standard Modifications from Guide
The Enterprise Manager implementations of the Oracle Database 11g and 12c STIGs deviate slightly from the checklists. These modifications include error corrections, enhancements to the check (for example, additional default users), or automated scripts where manual checks may have been specified. It is important that you review and understand the modifications to ensure they are acceptable in your environment. If not, follow the previously discussed customization procedures to match your requirements. For detailed information on these changes, see Security Technical Implementation Guidelines (STIG) Rules Enhanced by Oracle.
Note:
There are no modifications or deviations for the Security Technical Implementation Guide (STIG Version 1.1) for Oracle WebLogic Server 12c, Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c, and Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 compliance standards.
Table 22-1 Deviations from Oracle Database 12c, Version 1, Release 3 STIGS
STIG ID | Oracle Modification |
---|---|
SV-75899r1_rule | Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if audit data is retained for at least one year. |
SV-75903r1_rule | Provided an even more specific query to check if instance name contains version number. |
SV-75905r1_rule | Combined the rule queries to return db_link as violations only if dba_repcatalog has records. |
SV-75907r1_rule | Need to manually check if each file is located on a separate RAID device. |
SV-75909r1_rule | Used the stricter query to get the violation. Need to manually check if a RAID device is used. |
SV-75923r1_rule | Added default users/roles to the query: 'APEX_030200', 'APEX_040200', 'DVSYS', 'SYSKM', and 'DV_ACCTMGR'. |
SV-75927r1_rule | Added default users/roles to the query: 'DBA', 'DV_ACCTMGR', 'DV_OWNER', 'RECOVERY_CATALOG_OWNER', 'SPATIAL_CSW_ADMIN_USR', and 'SPATIAL_WFS_ADMIN_USR'. |
SV-75931r2_rule | Script provided by Oracle. |
SV-75937r2_rule | Script provided by Oracle. |
SV-75945r1_rule | Added a query to check whether a privilege analysis policy is defined/run to analyze non-required application user privilege assignment. |
SV-75947r1_rule | Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-75951r1_rule | Changed the query to include demo accounts: 'HR', 'OE', 'PM', 'IX', 'SH', and 'SCOTT'. |
SV-75953r1_rule | Script provided by Oracle. |
SV-75957r1_rule | Changed the query to include more default users/roles which are not in the list. |
SV-76001r1_rule | Script provided by Oracle. |
SV-76017r1_rule | Combined rule queries. |
SV-76021r2_rule | Script provided by Oracle. |
SV-76023r1_rule | Script provided by Oracle. |
SV-76025r1_rule | Script provided by Oracle. |
SV-76035r1_rule | Script provided by Oracle. |
SV-76037r1_rule | Script provided by Oracle. |
SV-76039r1_rule | Script provided by Oracle. |
SV-76041r1_rule | Script provided by Oracle. |
SV-76043r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if remote sessions that are accessing security information are being audited. |
SV-76045r1_rule | Script provided by Oracle. |
SV-76051r1_rule | A query added by Oracle. |
SV-76053r1_rule | A query added by Oracle. |
SV-76055r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited. |
SV-76059r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited. |
SV-76061r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if account disabling is being audited. |
SV-76063r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited. |
SV-76081r1_rule | A query added by Oracle. |
SV-76085r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if all use of privileged accounts is audited. |
SV-76093r1_rule | A query added by Oracle. |
SV-76095r1_rule | A query added by Oracle. |
SV-76097r1_rule | A query added by Oracle. |
SV-76099r1_rule | Script provided by Oracle. |
SV-76101r1_rule | Script provided by Oracle. |
SV-76103r1_rule | A query added by Oracle. |
SV-76105r1_rule | A query added by Oracle. |
SV-76111r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76115r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76117r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76121r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76123r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76125r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76127r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76129r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76131r1_rule | Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. |
SV-76143r2_rule | A query added by Oracle. |
SV-76145r1_rule | A query added by Oracle. |
SV-76147r1_rule | A query added by Oracle. |
SV-76157r1_rule | A query added by Oracle. |
SV-76159r1_rule | Combined rule queries to check if audit records are being protected. |
SV-76161r1_rule | Script provided by Oracle. |
SV-76163r1_rule | A query added by Oracle. |
SV-76167r1_rule | A query added by Oracle. |
SV-76173r1_rule | Made to be operated manually, as the query cannot be executed successfully because of special characters being added. |
SV-76175r1_rule | Script provided by Oracle. |
SV-76181r1_rule | A query added by Oracle. |
SV-76193r1_rule | Script provided by Oracle. |
SV-76195r1_rule | Script provided by Oracle. |
SV-76197r1_rule | Script provided by Oracle. |
SV-76199r1_rule | Script provided by Oracle. |
SV-76203r1_rule | Script provided by Oracle. |
SV-76205r1_rule | Script provided by Oracle. |
SV-76207r1_rule | A query added by Oracle. |
SV-76209r1_rule | A query added by Oracle. |
SV-76211r2_rule | A query added by Oracle. |
SV-76213r1_rule | A query added by Oracle. |
SV-76215r1_rule | A query added by Oracle. |
SV-76217r1_rule | A query added by Oracle. |
SV-76219r1_rule | A query added by Oracle. |
SV-76221r1_rule | A query added by Oracle. |
SV-76229r1_rule | A query added by Oracle. |
SV-76237r1_rule | Script provided by Oracle. |
SV-76245r1_rule | A query added by Oracle. |
SV-76247r2_rule | A query added by Oracle. |
SV-76249r1_rule | Script provided by Oracle. |
SV-76251r1_rule | A query added by Oracle. |
SV-76253r1_rule | A query added by Oracle. |
SV-76255r1_rule | A query added by Oracle. |
SV-76257r1_rule | A query added by Oracle. |
SV-76261r1_rule | Modified the query to exclude 'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'. |
SV-76263r1_rule | Modified the query to exclude 'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'. |
SV-76275r1_rule | A query added by Oracle. |
SV-76287r2_rule | Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited. Need to manually check if the responsible personnel are being notified. |
SV-76289r2_rule | Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited. Need to manually check if it is notified. |
SV-76291r2_rule | Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account disabling is being audited. Need to manually check if it is notified. |
SV-76293r2_rule | Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited. Need to manually check if it is notified. |
SV-76299r1_rule | Changed query to exclude Oracle default users/roles. |
SV-76301r1_rule | Script provided by Oracle. |
SV-76307r1_rule | A query added by Oracle. |
SV-76309r1_rule | A query added by Oracle. |
SV-76339r1_rule | A query added by Oracle. |
SV-76365r1_rule | Script provided by Oracle. |
SV-76377r1_rule | A query added by Oracle. |
SV-76455r1_rule | Script provided by Oracle. |
SV-76457r1_rule | A query added by Oracle. |
Table 22-2 Deviations from Oracle Database 11g, V8, R8, and R11 STIGS
STIG ID | Oracle Modification |
---|---|
DG0008 | Added Default Users/Roles |
DG0009 | Script provided by Oracle |
DG0012 | Script provided by Oracle |
DG0019 | Script provided by Oracle |
DG0077 | Added Default Users/Roles |
DG0079 | Incorrect query. Replaced NULL with string 'NULL'. |
DG0091 | Added Default Users |
DG0102 | Script provided by Oracle |
DG0116 | Added Default Users |
DG0117 | Added Default Users |
DG0119 | Added Default Users |
DG0121 | Added Default Users |
DG0123 | Added Default Users |
DG0152 | Script provided by Oracle |
DG0179 | Script provided by Oracle |
DO0120 | Script provided by Oracle |
DO0145 | Script provided by Oracle |
DO0155 | Added Default Users |
DO0221 | Used default instance name as orcl. |
DO0231 | Added Default Users |
DO0250 | Combined the rule queries to return db_link as violations only if dba_repcatalog has records |
DO0270 | Used stricter query to get the violations |
DO0286 | Script provided by Oracle |
DO0287 | Script provided by Oracle |
DO0340 | Added Default Users |
DO0350 | Added Default Users/Roles |
DO3536 | Combined the queries. De-referenced the DEFAULT value for the limit. |
DO3609 | Added Default Users/Roles |
DO3689 | Added Default Users/Roles |
DO6740 | Script provided by Oracle |
DO6746 | Script provided by Oracle |
Table 22-3 Deviations from Oracle Database 11gR2, V1, Release 2 STIG
STIG ID | Oracle Modification |
---|---|
SV-66381r1_rule | Query implemented by Oracle. Discounted default users. |
SV-66395r1_rule | Added 'SYSTEM' and 'DELETE_CATALOG_ROLE' as filters. |
SV-66401r1_rule | Fixed table name in query. Added privilege to be checked. Discounted default users. |
SV-66405r1_rule | Fixed table name in query. Added privilege to be checked. Discounted default users. |
SV-66419r1_rule | STIG document has incorrect query. Prepared a new query for the rule. Discounted default users. |
SV-66427r1_rule | Combined the 3 conditions into 1. The query raises a violation if: |
SV-66439r1_rule | Discounted default users. |
SV-66441r1_rule | Dereferenced default profile. |
SV-66459r1_rule | Rule checks the database archive log mode from the repository table instead of using the "archive log list" command. |
SV-66485r1_rule | Query provided by Oracle. Used limit=35 from the Fix Text. |
SV-66489r1_rule | Query provided by Oracle. Used limit=6 from the Fix Text. |
SV-66507r1_rule | Dereferenced default profile. |
SV-66553r1_rule | Query provided by Oracle. |
SV-66571r1_rule | Query provided by Oracle. Used limit=35 from the Fix Text. |
SV-66599r1_rule | Query provided by Oracle. Discounted default users. |
SV-66623r1_rule | Query provided by Oracle. Discounted default users. |
SV-66627r1_rule | Discounted default users. |
SV-66647r1_rule | Joined queries from document. Discounted default users. |
SV-66651r1_rule | Joined queries from document. Discounted default users. |
SV-66657r1_rule | Script provided by Oracle. |
SV-66663r1_rule | Added check for SYSTEM tablespace. |
SV-66665r1_rule | Added check for SYSTEM tablespace. |
SV-66669r1_rule | This rule always passes for Oracle. |
SV-66673r1_rule | This rule always passes for Oracle. |
SV-68205r1_rule | User should manually discount db_links used for replication. |
SV-68229r1_rule | Added default users. |
SV-68233r1_rule | Additional column selected in query for better violation context. |
SV-68235r1_rule | Added default users. |
SV-68241r1_rule | Additional column selected in query for better violation context. |
SV-68249r1_rule | Added default users. |
SV-68257r1_rule | Added default users. |
SV-68283r1_rule | Script provided by Oracle. |
SV-66431r1_rule | Use v$parameter in query instead of sys.v$parameter. |
Oracle WebLogic STIG Compliance Standard
The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1.1) for Oracle WebLogic Server 12c and Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c contains automated rules. These rules check for WebLogic configuration settings and generate violations. It is important that you review and understand implemented rules to ensure they are acceptable in your environment.
- WBLC-01-000009 WebLogic cryptography for remote management session
- WBLC-01-000010 WebLogic cryptography for remote session
- WBLC-01-000011 WebLogic monitor and control remote session
- WBLC-02-000062 WebLogic log particular user action
- WBLC-02-000065 WebLogic log multiple components audit records
- WBLC-02-000076 WebLogic log event time
- WBLC-02-000077 WebLogic log event cause
- WBLC-02-000078 WebLogic log process sources
- WBLC-02-000079 WebLogic log outcome indicators
- WBLC-02-000080 WebLogic log identity information
- WBLC-02-000081 WebLogic log audit record content
- WBLC-03-000129 WebLogic prevent program execution
- WBLC-05-000160 WebLogic password use minimum password length
- WBLC-05-000162 WebLogic password use upper case characters
- WBLC-05-000163 WebLogic password use lower case characters
- WBLC-05-000164 WebLogic password use numeric characters
- WBLC-05-000165 WebLogic password use special characters
- WBLC-05-000172 WebLogic PKI-based authentication with trust anchor
- WBLC-06-000190 WebLogic cryptographic maintenance and diagnostic communications
- WBLC-06-000191 WebLogic secure maintenance and diagnostic sessions
- WBLC-08-000210 WebLogic session inactivity timeout
- WBLC-08-000211 WebLogic trusted communications path
- WBLC-08-000223 WebLogic session authentication
- WBLC-08-000224 WebLogic session vulnerability
- WBLC-08-000229 WebLogic unsafe state
- WBLC-08-000231 WebLogic application confidentiality
- WBLC-08-000235 WebLogic application data integrity
- WBLC-08-000239 WebLogic secure cryptographic mechanism
Oracle HTTP Server STIG Compliance Standard
The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 contains automated rules. These rules check for Oracle HTTP Server configuration settings and generate violations. It is important that you review and understand implemented rules to ensure they are acceptable in your environment.
- OH12-1X-000007 LoadModule ossl_module directive enabled to encrypt remote connections
- OH12-1X-000008 SSLFIPS directive enabled to encrypt remote connections
- OH12-1X-000010 SSLCipherSuite directive enabled to encrypt remote connections
- OH12-1X-000011 LoadModule ossl_module directive enabled to protect the integrity of remote sessions
- OH12-1X-000012 SSLFIPS directive enabled to protect the integrity of remote sessions
- OH12-1X-000013 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to protect the integrity of remote sessions
- OH12-1X-000014 SSLCipherSuite directive enabled to protect the integrity of remote sessions
- OH12-1X-000211 OHS version supported by vendor
- OH12-1X-000234 mod_plsql directive PlsqlDatabasePassword obfuscated
- OH12-1X-000240 LoadModule ossl_module directive enabled to encrypt passwords during transmission
- OH12-1X-000241 SSLFIPS directive enabled to encrypt passwords during transmission
- OH12-1X-000242 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to encrypt passwords
- OH12-1X-000243 SSLCipherSuite directive enabled to encrypt passwords during transmission
- OH12-1X-000294 LoadModule ossl_module directive enabled to implement cryptographic protections
- OH12-1X-000295 SSLFIPS directive enabled to implement cryptographic protections
- OH12-1X-000296 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to implement cryptographic protections
- OH12-1X-000297 SSLCipherSuite directive enabled to implement cryptographic protections
- OH12-1X-000308 LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information
- OH12-1X-000309 SSLFIPS directive enabled to prevent unauthorized disclosure of information
- OH12-1X-000310 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to prevent unauthorized disclosure of information.
- OH12-1X-000311 SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission