22 Security Technical Implementation Guide (STIG) Compliance Standards

This section explains how to use the Security Technical Implementation Guide (STIG) based compliance standards, as well as how to customize them to meet environmental-specific requirements.

About Security Technical Implementation Guide

In keeping with Oracle's commitment to provide a secure environment, Enterprise Manager supports an implementation in the form of compliance standards of several Security Technical Implementation Guide (STIG). A STIG is a set of rules, checklists, and other best practices created by the Defense Information Systems Agency (DISA) to ensure compliance with Department of Defense (DOD)-mandated security requirements.

Table 22-1 Latest STIG Standards for Oracle Database and Oracle Cluster Database

Database Version	Latest STIG Version
19c	STIG - Version 2 Release 7 STIG - Version 2 Release 6
12c	STIG - Version 2 Release 7 STIG - Version 2 Release 6
11.2g	STIG - Version 2 Release 3 STIG - Version 1 Release 16
11g	STIG - Version 1 Release 16 STIG - Version 8 Release 1.11
10g	STIG - Version 8 Release 1.11

For detailed information on STIG, visit the Security Technical Implementation Guides (STIGs) website: https://public.cyber.mil/stigs/.

Associating STIG Compliance Standards Targets

To determine whether a database, WebLogic Domain satisfies STIG Compliance Standards, or other supported target type, you have to associate the database or WebLogic Domain target with the standards.

1. From the Enterprise menu, select Compliance, then select Library.
2. Select the Compliance Standards tab and search for the STIG standard.
3. Select the appropriate standard and click Associate Targets. There are four target types, Oracle Database, Oracle Cluster Database, Oracle WebLogic Domain, and Oracle HTTP Server. For an Oracle HTTP Server (OHS) target type, both managed OHS and standalone OHS are supported. You can associate the OHS STIG standard to managed OHS targets as well as standalone OHS targets. Also, the OHS STIG standard is applicable to OHS release 12.1.3 target.
4. Click Add and select the database or WebLogic Domain targets you want to monitor. The targets appear in the table after you close the selector dialog.

   Note: The WebLogic Server STIG is applicable to WebLogic 12.1.3 domains that are JRF enabled.

5. Click OK then confirm that you want to save the association. The association internally deploys the configuration extension "STIG Configuration" to the appropriate Management Agents.
6. After deployment and subsequent configuration collection occurs, you can view the results. From the Enterprise menu, select Compliance, then select either Dashboard or Results.

Handling STIG Compliance Standards Violations

Relationship between monitoring templates, configuration collections and compliance:

Compliance standard rules in the STIG for WLS and Oracle HTTP Server compliance standard are of the type "Repository Rule”. For those rules that are automated, this means that Enterprise Manager compares each rule against configuration items collected and stored in the management repository.

By default, WLS configuration items required for measuring compliance to this STIG for WLS compliance standard are enabled out of the box. However, administrators can choose to disable WLS configuration collection via the target's Metric and Collection Settings page or via Monitoring Templates. Disabling such collections could negatively impact Enterprise Manager’s ability to measure compliance with the STIG for WLS 12c.

There are four options for handling STIG Compliance Standards:

• Fixing the Violation per the STIG Check Recommendation

• Clearing Manual Rule Violations

• Suppressing the Violation

• Customizing the Compliance Standard and Configuration Extension

Fixing the Violation per the STIG Check Recommendation

Address the violation by fixing the security configuration on the supported target types according to the STIG check recommendation.

1. From the Enterprise menu, select Compliance, then select Results.

2. Select the STIG Compliance Standards row and click Manage Violations.

3. Locate the rule violation row in the table and note the recommended fix in the far right column.

After making the change per the recommendation, refresh the database or WebLogic Domain configuration in Enterprise Manager. For example, for the database target:

1. Go to the database target home page.
2. From the database menu, select Configuration, then select Last Collected.
3. From the Actions menu on the right, select Refresh.
4. From the Enterprise menu, select Compliance, then select Results. Verify that the violation no longer appears for the database target.

Clearing Manual Rule Violations

Checks that cannot be automated are implemented as Manual Rules. These checks must be performed by the administrator following the procedure described in the rule description or in the STIG guide itself.

When compliance standards containing manual rules are first associated to a target, each manual rule will generate one violation. Administrators can then clear the violation after successfully completing the check. The user performing the operation, as well as a description of the operation, are recorded during the process. Users can also set an expiration date at which time the violation will be re-generated. This provides for periodic reassessment of compliance.

1. From the Enterprise menu, select Compliance, then select Results.

2. Select the STIG compliance Standard row, and click Manage Violations.

3. Select the Manual Rule Violations tab.

4. Select one or more rules and click Clear Violations.

5. Enter a reason and optionally an expiration date and click OK.

Suppressing the Violation

Suppressing a violation removes it from the compliance score calculation, as well as the results. Although suppressed, you can still create reports using the management views showing the suppressed violations.

Violations can be permanently or temporarily suppressed allowing for permanent exceptions or grace periods. If you choose to enter a date, the violation will re-appear on that date unless it has been cleared as a result of the underlying condition being corrected.

1. From the Enterprise menu, select Compliance, then select Results.
2. Select the STIG Compliance Standards row and click Manage Violations.
3. Select Unsuppressed Violations.
4. Select the rows listing the violations you want to suppress and click the Suppress Violations button.
5. In the dialog that opens, select Indefinite or select an expiration date. Optionally provide a reason for the suppression. Click OK.

Customizing the Compliance Standard and Configuration Extension

In some cases, the rule detecting the violation, while desirable in its intent, needs some fine-tuning to work in your environment. The STIG Compliance Standard allows you to view and customize the query that evaluates the compliance standard violation. The process involves the following tasks:

• Customizing the Configuration Extension

• Customizing the Compliance Standard Rule

• Creating a Compliance Standard to Include the Customized Rule

To illustrate the process, assume a scenario where you want to update the query for the database rule DG0116 DBMS privileged role assignments.

Customizing the Configuration Extension

To customize the STIG Configuration extension:

1. From the Enterprise menu, select Configuration, then select Configuration Extensions.
2. Select the appropriate STIG Configuration table row (database instance or cluster database) and click the Create Like button.
3. Provide a new name for the extension; for example, Custom STIG Configuration.
4. On the Files & Commands tab, select all the command rows and click Delete.
5. On the SQL tab, locate the rule alias DG0116 DBMS privileged role assignments. Delete all other rows above and below it.
6. Modify the query for DG0116 and rename the alias; for example, Custom DG0116 DBMS privileged role assignments.
7. Preview the results: select the sample target and click Preview.
8. If the violation no longer appears, save the Custom STIG Configuration Extension.

Customizing the Compliance Standard Rule

To customize the Compliance Standard rule:

1. From the Enterprise menu, select Compliance, then select Library.
2. Select the Compliance Standard Rules tab and search for rule DG0116 DBMS privileged role assignments with agent-side rule type.
3. Select the rule and click the Create Like button.
4. Change the name; for example, Custom DG0116 DBMS privileged role assignments. Click Continue.
5. On the Check Definition page, click the magnifying glass icon to select a new STIG Configuration Extension (Custom STIG Configuration Extension) and alias (Custom DG0116 DBMS privileged role assignments).
6. Select the custom configuration extension and alias and click OK, then click Next to go the Test page.
7. Select a target and test the compliance rule.
8. Click Next, then click Finish to create the new compliance rule.

Creating a Compliance Standard to Include the Customized Rule

To create a Compliance Standard with a new rule:

1. From the Enterprise menu, select Compliance, then select Library.
2. Select the Compliance Standards tab and search for STIG for database instance with agent-side rule type.
3. Select the compliance standard and click the Create Like button.
4. Change the name; for example, Custom Security Technical Implementation Guide. Click Continue.
5. Open the Oracle Database Check Procedures folder in the left pane and scroll down to DG0116 DBMS privileged role assignments.
6. Right-click the rule and select Remove Rule Reference from the pop-up menu. Click OK to confirm removal.
7. Right-click the Oracle Database Check Procedures folder and select Add Rules from the pop-up menu.
8. Locate the Custom DG0116 DBMS privileged role assignments row in the table and click OK.
9. On the Compliance Standard Create Like page, click the Save button to create the new compliance standard.

You can now associate the custom compliance standard with target databases as described in Associating STIG Compliance Standards Targets.

STIG Compliance Standard Rules Exceptions

The Enterprise Manager implementation of Security Technical Implementation Guide has some exceptions. The following sections list these exceptions:

• Windows Databases

• Oracle WebLogic Domains

• Oracle HTTP Server

Windows Databases

The Enterprise Manager implementation of Security Technical Implementation Guide for Oracle Database does not fully support Windows databases. The following rules do not report violations on Windows databases:

• DG0009 DBMS software library permissions
• DG0019 DBMS software ownership
• DG0012 DBMS software storage location
• DG0102 DBMS services dedicated custom account
• DO0120 Oracle process account host system privileges
• DO0145 Oracle SYSDBA OS group membership
• DG0152 DBMS network port, protocol and services (PPS) use
• DG0179 DBMS warning banner
• DO0286 Oracle connection timeout parameter
• DO0287 Oracle SQLNET.EXPIRE_TIME parameter
• DO6740 Oracle listener ADMIN_RESTRICTIONS parameter
• DO6746 Oracle Listener host references
• DO6751 SQLNET.ALLOWED_LOGON_VERSION

Oracle WebLogic Domains

The Enterprise Manager implementation of Security Technical Implementation Guide (STIG Version 1.1) and Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c is not fully automated.

The following rules will always report violations and need to be verified manually:

• WBLC-01-000013 WebLogic audit security-relevant information
• WBLC-01-000014 WebLogic disable network protocols
• WBLC-01-000018 WebLogic audit account creation
• WBLC-01-000019 WebLogic audit account modification
• WBLC-01-000030 WebLogic log privileged activity
• WBLC-01-000032 WebLogic invalid consecutive access attempts
• WBLC-01-000033 WebLogic user invalid access attempts
• WBLC-01-000034 WebLogic lock user account
• WBLC-02-000069 WebLogic log DoD-selected audit records
• WBLC-02-000073 WebLogic log HTTPD event
• WBLC-02-000074 WebLogic log JVM event
• WBLC-02-000075 WebLogic log severity level
• WBLC-02-000083 WebLogic alert audit failure events
• WBLC-02-000084 WebLogic alert audit processing failure
• WBLC-02-000086 WebLogic notify audit processing failure
• WBLC-02-000093 WebLogic use system clock for audit records
• WBLC-02-000094 WebLogic synchronize system clocks
• WBLC-02-000095 WebLogic protect unauthorized audit information read access
• WBLC-02-000098 WebLogic protect unauthorized audit tools access
• WBLC-02-000099 WebLogic protect unauthorized audit tools modification
• WBLC-02-000100 WebLogic protect unauthorized audit tools deletion
• WBLC-03-000125 WebLogic limit privileges to software libraries
• WBLC-03-000127 WebLogic enable essential capabilities
• WBLC-03-000128 WebLogic restrict use of unauthorized items
• WBLC-05-000150 WebLogic identify and authenticate users
• WBLC-05-000153 WebLogic authenticate users individually
• WBLC-05-000168 WebLogic encrypt password for authentication
• WBLC-05-000169 WebLogic LDAP encryption for authentication
• WBLC-05-000174 WebLogic PKI-based authentication for user accounts
• WBLC-05-000176 WebLogic FIPS-compliant encryption for configuration
• WBLC-05-000177 WebLogic FIPS-compliant encryption for users and processes
• WBLC-08-000214 WebLogic NSA-approved cryptography classified compartmentalized
• WBLC-08-000218 WebLogic public information protection
• WBLC-08-000222 WebLogic hosted application separation
• WBLC-08-000236 WebLogic Denial of Service
• WBLC-08-000237 WebLogic prioritize resources
• WBLC-08-000238 WebLogic secure failure
• WBLC-09-000252 WebLogic security-relevant error
• WBLC-09-000253 WebLogic log messages corrective action
• WBLC-09-000254 WebLogic log messages limited access
• WBLC-09-000257 WebLogic notifications to response personnel
• WBLC-10-000270 WebLogic audit subsystem failure notification
• WBLC-10-000271 WebLogic centralized enterprise tool
• WBLC-10-000272 WebLogic multi-factor user authentication

Oracle HTTP Server

The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 is not fully automated.

The following rules will always report violations and need to be verified manually:

• OH12-1X-000225 Symbolic links not used in web content directory tree
• OH12-1X-000226 OHS secure administration
• OH12-1X-000266 OHS Accounts Verification

Enterprise Manager's compliance standard for STIG Version 1 for OHS 12.1.3 includes CAT I level rules from the DISA published STIG Version 1 for OHS 12.1.3. CAT II and CAT III rules are not included in the compliance standard and must consequently be tracked outside of Enterprise Manager Cloud Control. For a complete list of all rules in the DISA published STIG Version 1 for OHS 12.1.3, refer to https://public.cyber.mil/stigs/downloads/.

Oracle Database STIG Compliance Standard Modifications from Guide

The Enterprise Manager implementations of the Oracle Database 11g STIG and 12c STIG deviate slightly from the checklist. These modifications include error corrections, enhancements to the check ( i.e. additional default users ) or automated scripts where manual checks may have been specified. It is important that you review and understand the modifications to ensure they are acceptable in your environment. If not, follow the previously discussed customization procedures in order to match your requirements. For detailed information on these changes, see STIG Rules Enhanced by Oracle.

Note:

There are no modifications or deviations for the Security Technical Implementation Guide (STIG Version 1.1) for Oracle WebLogic Server 12c, Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c, and Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 compliance standard.

Table 22-2 Deviations from Oracle Database 12c, Version 1, Release 12 STIG

STIG ID	Oracle Modification
SV-75899r1_rule	Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if audit data is retained for at least one year.
SV-75903r1_rule	Provided an even more specific query to check if instance name contains version number.
SV-75905r1_rule	Combined the rule queries to return db_link as violations only if dba_repcatalog has records.
SV-75907r1_rule	Need to manually check if each file is located on a separate RAID device.
SV-75909r1_rule	Used the more stricter query to get the violation. Need to manually check if a RAID device is used.
SV-75923r1_rule	Added default users/roles to the query - 'APEX_030200', 'APEX_040200', 'DVSYS', 'SYSKM', and 'DV_ACCTMGR'.
SV-75927r1_rule	Added default users/roles to the query: 'DBA', 'DV_ACCTMGR', 'DV_OWNER', 'RECOVERY_CATALOG_OWNER', 'SPATIAL_CSW_ADMIN_USR', and 'SPATIAL_WFS_ADMIN_USR'.
SV-75931r2_rule	Script provided by Oracle.
SV-75937r2_rule	Script provided by Oracle.
SV-75945r1_rule	Added a query to check whether privilege analysis policy is defined/run to analyze non-required application user privilege assignment.
SV-75947r1_rule	Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-75951r1_rule	Changed the query to include demo accounts - 'HR', 'OE', 'PM', 'IX', 'SH', and 'SCOTT'.
SV-75953r1_rule	Script provided by Oracle.
SV-75957r1_rule	Changed the query to include more default users/roles which are not in the list.
SV-76001r1_rule	Script provided by Oracle.
SV-76017r1_rule	Combined rule queries.
SV-76021r2_rule	Script provided by Oracle.
SV-76023r1_rule	Script provided by Oracle.
SV-76025r1_rule	Script provided by Oracle.
SV-76035r1_rule	Script provided by Oracle.
SV-76037r1_rule	Script provided by Oracle.
SV-76039r1_rule	Script provided by Oracle.
SV-76041r1_rule	Script provided by Oracle.
SV-76043r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if remote sessions that are accessing security information are being audited.
SV-76045r1_rule	Script provided by Oracle.
SV-76051r1_rule	A query added by Oracle.
SV-76053r1_rule	A query added by Oracle.
SV-76055r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited.
SV-76059r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited.
SV-76061r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if account disabling is being audited.
SV-76063r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited.
SV-76081r1_rule	A query added by Oracle.
SV-76085r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if all use of privileged accounts are audited.
SV-76093r1_rule	A query added by Oracle.
SV-76095r1_rule	A query added by Oracle.
SV-76097r1_rule	A query added by Oracle.
SV-76099r1_rule	Script provided by Oracle.
SV-76101r1_rule	Script provided by Oracle.
SV-76103r1_rule	A query added by Oracle.
SV-76105r1_rule	A query added by Oracle.
SV-76111r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76115r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76117r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76121r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76123r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76125r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76127r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76129r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76131r1_rule	Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.
SV-76143r2_rule	A query added by Oracle.
SV-76145r1_rule	A query added by Oracle.
SV-76147r1_rule	A query added by Oracle.
SV-76157r1_rule	A query added by Oracle.
SV-76159r1_rule	Combined rule queries to check if audit records are being protected.
SV-76161r1_rule	Script provided by Oracle.
SV-76163r1_rule	A query added by Oracle.
SV-76167r1_rule	A query added by Oracle.
SV-76173r1_rule	Made to be operated manually as query cannot be executed successfully because of special characters being added.
SV-76175r1_rule	Script provided by Oracle.
SV-76181r1_rule	A query added by Oracle.
SV-76193r1_rule	Script provided by Oracle.
SV-76195r1_rule	Script provided by Oracle.
SV-76197r1_rule	Script provided by Oracle.
SV-76199r1_rule	Script provided by Oracle.
SV-76203r1_rule	Script provided by Oracle.
SV-76205r1_rule	Script provided by Oracle.
SV-76207r1_rule	A query added by Oracle.
SV-76209r1_rule	A query added by Oracle.
SV-76211r2_rule	A query added by Oracle.
SV-76213r1_rule	A query added by Oracle.
SV-76215r1_rule	A query added by Oracle.
SV-76217r1_rule	A query added by Oracle.
SV-76219r1_rule	A query added by Oracle.
SV-76221r1_rule	A query added by Oracle.
SV-76229r1_rule	A query added by Oracle.
SV-76237r1_rule	Script provided by Oracle.
SV-76245r1_rule	A query added by Oracle.
SV-76247r2_rule	A query added by Oracle.
SV-76249r1_rule	Script provided by Oracle.
SV-76251r1_rule	A query added by Oracle.
SV-76253r1_rule	A query added by Oracle.
SV-76255r1_rule	A query added by Oracle.
SV-76257r1_rule	A query added by Oracle.
SV-76261r1_rule	Modified the query to exclude -'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'.
SV-76263r1_rule	Modified the query to exclude -'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'.
SV-76275r1_rule	A query added by Oracle.
SV-76287r2_rule	Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited. Need to manually check if they are being notified.
SV-76289r2_rule	Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited. Need to manually check if it is notified.
SV-76291r2_rule	Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account disabling is being audited. Need to manually check if it is notified.
SV-76293r2_rule	Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited. Need to manually check if it is notified.
SV-76299r1_rule	Changed query to exclude oracle default users/roles.
SV-76301r1_rule	Script provided by Oracle.
SV-76307r1_rule	A query added by Oracle.
SV-76309r1_rule	A query added by Oracle.
SV-76339r1_rule	A query added by Oracle.
SV-76365r1_rule	Script provided by Oracle.
SV-76377r1_rule	A query added by Oracle.
SV-76455r1_rule	Script provided by Oracle.
SV-76457r1_rule	A query added by Oracle.

Table 22-3 Deviations from Oracle Database 11g, V8, R8, and R11 STIG

STIG ID	Oracle Modification
DG0008	Added Default Users/Roles
DG0009	Script provided by Oracle
DG0012	Script provided by Oracle
DG0019	Script provided by Oracle
DG0077	Added Default Users/Roles
DG0079	Incorrect query. Replaced NULL with string 'NULL'.
DG0091	Added Default Users
DG0102	Script provided by Oracle
DG0116	Added Default Users
DG0117	Added Default Users
DG0119	Added Default Users
DG0121	Added Default Users
DG0123	Added Default Users
DG0152	Script Provided by Oracle
DG0179	Script Provided by Oracle
DO0120	Script Provided by Oracle
DO0145	Script Provided by Oracle
DO0155	Added Default Users
DO0221	Used default instance name as orcl.
DO0231	Added Default Users
DO0250	Combined the rule queries to return db_link as violations only if dba_repcatalog has records
DO0270	Used stricter query to get the violations
DO0286	Script Provided by Oracle
DO0287	Script Provided by Oracle
DO0340	Added Default Users
DO0350	Added Default Users/Roles
DO3536	Combined the queries. De-referenced the DEFAULT value for the limit.
DO3609	Added Default Users/Roles
DO3689	Added Default Users/Roles
DO6740	Script Provided by Oracle
DO6746	Script Provided by Oracle

Table 22-4 Deviations from Oracle Database 11gR2, V1, Release 14, 15 STIG

STIG ID	Oracle Modification
SV-66381r1_rule	Query implemented by Oracle. Discounted default users.
SV-66395r1_rule	Added 'SYSTEM' and 'DELETE_CATALOG_ROLE' as filters.
SV-66401r1_rule	Fixed table name in query. Added privilege to be checked. Discounted Default Users.
SV-66405r1_rule	Fixed table name in query. Added privilege to be checked. Discounted Default Users.
SV-66419r1_rule	STIG document has incorrect query. Prepared a new query for the rule. Discounted default users.
SV-66427r1_rule	Combined the 3 conditions into 1. The query raises a violation if: audit_trail parameter is set to none. audit_trail is not set to none and table_space is not encrypted.
SV-66439r1_rule	Discounted default users.
SV-66441r1_rule	Dereferenced default profile.
SV-66459r1_rule	Rule checks the database archive log mode from repository table instead of using the "archive log list" command.
SV-66485r1_rule	Query provided by Oracle. Used limit=35 from the Fix Text.
SV-66489r1_rule	Query provided by Oracle. Used limit=6 from the Fix Text.
SV-66507r1_rule	Dereferenced default profile.
SV-66553r1_rule	Query provided by Oracle.
SV-66571r1_rule	Query provided by Oracle. Used limit=35 from the Fix Text.
SV-66599r1_rule	Query provided by Oracle. Discounted default users.
SV-66623r1_rule	Query provided by Oracle. Discounted default users.
SV-66627r1_rule	Discounted default users.
SV-66647r1_rule	Joined queries from document. Discounted default users.
SV-66651r1_rule	Joined queries from document. Discounted default users.
SV-66657r1_rule	Script provided by Oracle
SV-66663r1_rule	Added check for SYSTEM tablespace.
SV-66665r1_rule	Added check for SYSTEM tablespace.
SV-66669r1_rule	This rule always passes for Oracle.
SV-66673r1_rule	This rule always passes for Oracle.
SV-68205r1_rule	User should manually discount db_links used for replication.
SV-68229r1_rule	Added default users.
SV-68233r1_rule	Additional column selected in query for better violation context.
SV-68235r1_rule	Added default users.
SV-68241r1_rule	Additional column selected in query for better violation context.
SV-68249r1_rule	Added default users.
SV-68257r1_rule	Added default users.
SV-68283r1_rule	Script provided by Oracle.
SV-66431r1_rule	Use v$parameter in query instead of sys.v$parameter.

Oracle WebLogic STIG Compliance Standard

The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1.1) for Oracle WebLogic Server 12c and Security Technical Implementation Guide (STIG Version 1.2) for Oracle WebLogic Server 12c contains automated rules. These rules check for WebLogic configuration settings and generate violations. It is important that you review and understand implemented rules to ensure they are acceptable in your environment.

Enterprise Manager's compliance standard for STIG Version 1 for OHS 12.1.3 includes CAT I level rules from the DISA published STIG Version 1 for OHS 12.1.3. CAT II and CAT III rules are not included in the compliance standard and must consequently be tracked outside of Enterprise Manager Cloud Control. For a complete list of all rules in the DISA published STIG Version 1 for OHS 12.1.3, refer to https://public.cyber.mil/stigs/downloads/.

• WBLC-01-000009 WebLogic cryptography for remote management session
• WBLC-01-000010 WebLogic cryptography for remote session
• WBLC-01-000011 WebLogic monitor and control remote session
• WBLC-02-000062 WebLogic log particular user action
• WBLC-02-000065 WebLogic log multiple components audit records
• WBLC-02-000076 WebLogic log event time
• WBLC-02-000077 WebLogic log event cause
• WBLC-02-000078 WebLogic log process sources
• WBLC-02-000079 WebLogic log outcome indicators
• WBLC-02-000080 WebLogic log identity information
• WBLC-02-000081 WebLogic log audit record content
• WBLC-03-000129 WebLogic prevent program execution
• WBLC-05-000160 WebLogic password use minimum password length
• WBLC-05-000162 WebLogic password use upper case characters
• WBLC-05-000163 WebLogic password use lower case characters
• WBLC-05-000164 WebLogic password use numeric characters
• WBLC-05-000165 WebLogic password use special characters
• WBLC-05-000172 WebLogic PKI-based authentication with trust anchor
• WBLC-06-000190 WebLogic cryptographic maintenance and diagnostic communications
• WBLC-06-000191 WebLogic secure maintenance and diagnostic sessions
• WBLC-08-000210 WebLogic session inactivity timeout
• WBLC-08-000211 WebLogic trusted communications path
• WBLC-08-000223 WebLogic session authentication
• WBLC-08-000224 WebLogic session vulnerability
• WBLC-08-000229 WebLogic unsafe state
• WBLC-08-000231 WebLogic application confidentiality
• WBLC-08-000235 WebLogic application data integrity
• WBLC-08-000239 WebLogic secure cryptographic mechanism

Oracle HTTP Server STIG Compliance Standard

The Enterprise Manager implementation of the Security Technical Implementation Guide (STIG Version 1) for Oracle HTTP Server 12.1.3 contains automated rules. These rules check for Oracle HTTP Server configuration settings and generate violations. It is important that you review and understand implemented rules to ensure they are acceptable in your environment.

• OH12-1X-000007 LoadModule ossl_module directive enabled to encrypt remote connections
• OH12-1X-000008 SSLFIPS directive enabled to encrypt remote connections
• OH12-1X-000010 SSLCipherSuite directive enabled to encrypt remote connections
• OH12-1X-000011 LoadModule ossl_module directive enabled to protect the integrity of remote sessions
• OH12-1X-000012 SSLFIPS directive enabled to protect the integrity of remote sessions
• OH12-1X-000013 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to protect the integrity of remote sessions
• OH12-1X-000014 SSLCipherSuite directive enabled to protect the integrity of remote sessions
• OH12-1X-000211 OHS version supported by vendor
• OH12-1X-000234 mod_plsql directive PlsqlDatabasePassword obfuscated
• OH12-1X-000240 LoadModule ossl_module directive enabled to encrypt passwords during transmission
• OH12-1X-000241 SSLFIPS directive enabled to encrypt passwords during transmission
• OH12-1X-000242 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to encrypt passwords
• OH12-1X-000243 SSLCipherSuite directive enabled to encrypt passwords during transmission
• OH12-1X-000294 LoadModule ossl_module directive enabled to implement cryptographic protections
• OH12-1X-000295 SSLFIPS directive enabled to implement cryptographic protections
• OH12-1X-000296 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to implement cryptographic protections
• OH12-1X-000297 SSLCipherSuite directive enabled to implement cryptographic protections
• OH12-1X-000308 LoadModule ossl_module directive enabled to prevent unauthorized disclosure of information
• OH12-1X-000309 SSLFIPS directive enabled to prevent unauthorized disclosure of information
• OH12-1X-000310 SSLEngine, SSLProtocol, and SSLWallet enabled and configured to prevent unauthorized disclosure of information.
• OH12-1X-000311 SSLCipherSuite directive enabled to prevent unauthorized disclosure of information during transmission

STIG Rules Enhanced by Oracle

Security Technical Implementation Guidelines (STIG) rules enhanced by Oracle.

Oracle 12c Database STIG Variations

The following STIG database rules are enhanced by Oracle for Oracle 12c Database. Bold text in the Collection Query denotes the change.

SV-75899r1_rule

Description: Audit trail data must be retained for at least one year.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN (SELECT name||' parameter is set to '||value||'.' value from v$parameter where name='audit_trail' and value='NONE')
    END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if audit data is retained for at least one year.

SV-75903r1_rule

Description: Oracle instance names must not contain Oracle version numbers.

Automation Logic:

select 'Instance name contain version number' from v$instance where instance_name LIKE '%12%';

Change to STIG Rule: Provided an even more specific query to check if instance name contains version number.

SV-75905r1_rule

Description: Fixed user and public database links must be authorized for use.

Automation Logic:

select 'Fixed user database link '||db_link||' found for '||owner value from dba_db_links 
where db_link not in (select master from sys.dba_repcatlog) 

Change to STIG Rule: Combined the rule queries to return db_link as violations only if dba_repcatalog has records.

SV-75907r1_rule

Description: A minimum of two Oracle control files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.

Automation Logic:

select 'A minimum of two oracle control files must be defined' value from v$controlfile having count(*) < 2

Change to STIG Rule: Need to manually check if each file is located on a separate RAID device.

SV-75909r1_rule

Description: A minimum of two Oracle redo log groups or files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.

Automation Logic:

select 'A minimum of two Oracle redo log groups/files must be defined ' value from v$LOG where members > 1 having count(*) < 2

Change to STIG Rule: Used the more stricter query to get the violation. Need to manually check if a RAID device is used.

SV-75923r1_rule

Description: System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.

Automation Logic:

select 'User '|| grantee||' granted system privilege ' ||privilege ||' WITH ADMIN option' value from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS', 'APEX_030200', 'APEX_040200','DVSYS','SYSKM','DV_ACCTMGR')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA')

Change to STIG Rule: Added default users/roles to the query - 'APEX_030200', 'APEX_040200', 'DVSYS', 'SYSKM', and 'DV_ACCTMGR'.

SV-75927r1_rule

Description: Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.

Automation Logic:

select 'Role ' ||grantee||' granted '||granted_role||' WITH ADMIN OPTION' value from dba_role_privs
where grantee not in
('ANONYMOUS','CTXSTS','EXFSYS','LBACSYS','MDSYS','OLAPSYS','OEDDATA','OWBSYS','ORDPLUGINS','ORDSYS','OUTLN','SI_INFORMTN_SCHEMA','WK_TEST','WK_SYS','WKPROXY','WMSYS','XDB','DBSNMP','MGMT_VIEW','SYS','SYSMAN','SYSTEM','DBA','DV_ACCTMGR','DV_OWNER','RECOVERY_CATALOG_OWNER','SPATIAL_CSW_ADMIN_USR','SPATIAL_WFS_ADMIN_USR')
and admin_option = 'YES' 
and grantee not in
(select distinct owner from dba_objects)
and grantee not in
(select grantee from dba_role_privs
where granted_role = 'DBA')
order by grantee

Change to STIG Rule: Added default users/roles to the query: 'DBA', 'DV_ACCTMGR', 'DV_OWNER', 'RECOVERY_CATALOG_OWNER', 'SPATIAL_CSW_ADMIN_USR', and 'SPATIAL_WFS_ADMIN_USR'.

SV-75931r2_rule

Description: Listener must be configured for administration authentication.

Automation Logic:

perl %scriptsDir%/lsnrSecStatus.pl {OracleHome} {MachineName} {Port} {Protocol}

Change to STIG Rule: Script provided by Oracle.

SV-75937r2_rule

Description: Connections by mid-tier web and application systems to the Oracle DBMS from a DMZ or external network must be encrypted.

Automation Logic:

perl %scriptsDir%/encryptedCommCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-75945r1_rule

Description: Application user privilege assignment must be reviewed monthly, or more frequently to ensure compliance with least privilege, and documented policy.

Automation Logic:

select 'No privilege analysis policy is defined/run to analyze unrequired application user privilege assignment' value from SYS.DBA_UNUSED_SYSPRIVS having count(*)=0

Change to STIG Rule: Added a query to check whether privilege analysis policy is defined/run to analyze non-required application user privilege assignment.

SV-75947r1_rule

Description: Audit trail data must be reviewed daily or more frequently.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN 
   (SELECT name||' parameter is set to '||value||'.' value from sys.v$parameter where name='audit_trail' and value='NONE')
    END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined the rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-75953r1_rule

Description: The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.

Automation Logic:

perl %scriptsDir%/logArchiveDestPerm.pl {OracleHome} {MachineName} {Port} {Protocol} {SID} {UserName} {password} {Role}

Change to STIG Rule: Script provided by Oracle.

SV-75957r1_rule

Description: Application object owner accounts must be disabled when installation or maintenance actions are not performed.

Automation Logic:

select distinct 'Application object owner account '||owner||' found' value from dba_objects, dba_users 
where owner not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP','DVF',
'DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW','ODM', 'ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN', 'OUTLN','PERFSTAT','PUBLIC','REPADMIN','RMAN', 'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR', 'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB', 'HR', 'OE', 'PM', 'IX', 'SH','OJVMSYS','ORDDATA','APPQOSSYS','ORACLE_OCM','SCOTT','APEX_040200','AUDSYS','GSMADMIN_INTERNAL','FLOWS_FILES') 
and owner in (select distinct owner from dba_objects
where object_type <> 'SYNONYM')
and owner = username
and upper(account_status) not like '%LOCKED%'

Change to STIG Rule: Changed the query to include more default users/roles which are not in the list.

SV-76001r1_rule

Description: Access to DBMS software files and directories must not be granted to unauthorized users.

Automation Logic:

perl %scriptsDir%/umaskCheck.pl {OracleHome} 022

Change to STIG Rule: Changed the query to include more default users/roles which are not in the list.

SV-76017r1_rule

Description: Changes to DBMS security labels must be audited.

Automation Logic:

 SELECT * FROM (
SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Changes to DBMS security labels must be audited.' value from dba_sa_audit_options having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )        
     END AS value FROM v$option 
           WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined rule queries.

SV-76021r2_rule

Description: The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.

Automation Logic:

perl %scriptsDir%/diagDestPerm.pl {OracleHome} {MachineName} {Port} {Protocol} {SID} {UserName} {password} {Role}

Change to STIG Rule: Script provided by Oracle.

SV-76023r1_rule

Description: Remote administration must be disabled for the Oracle connection manager.

Automation Logic:

perl %scriptsDir%/remoteAdminCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76025r1_rule

Description: Network client connections must be restricted to supported versions.

Automation Logic:

perl %scriptsDir%/allowedLogonVersion.pl {OracleHome} 11

Change to STIG Rule: Script provided by Oracle.

SV-76035r1_rule

Description: The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.

Automation Logic:

perl %scriptsDir%/encryptionCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76037r1_rule

Description: The DBMS must utilize approved cryptography when passing authentication data for remote access sessions.

Automation Logic:

perl %scriptsDir%/encryptionCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76039r1_rule

Description: A DBMS providing remote access capabilities must utilize organization-defined cryptography to protect the confidentiality of data passing over remote access sessions.

Automation Logic:

perl %scriptsDir%/encryptionCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76041r1_rule

Description: A DBMS providing remote access capabilities must utilize approved cryptography to protect the integrity of remote access sessions.

Automation Logic:

perl %scriptsDir%/encryptionCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76043r1_rule

Description: The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN 
   (SELECT name||' parameter is set to '||value||'.' value from sys.v$parameter where name='audit_trail' and value='NONE')
    END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if remote sessions that are accessing security information are being audited.

SV-76045r1_rule

Description: The DBMS must support the disabling of network protocols deemed as non-secure by the organization.

Automation Logic:

perl %scriptsDir%/secureProtocolCheck.pl {Protocol}

Change to STIG Rule: Script provided by Oracle.

SV-76051r1_rule

Description: The DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization-defined time period.

Automation Logic:

select 'User '||u.username||' is assigned profile '||p.profile||' with PASSWORD_LIFE_TIME='||p.limit||'.'
value from dba_profiles p, dba_users u,
(select limit as def_pwd_life_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_LIFE_TIME')
where p.resource_name = 'PASSWORD_LIFE_TIME'
and ((replace(p.limit, 'DEFAULT', def_pwd_life_tm) in
('UNLIMITED', 'NULL'))
or (lpad(replace(p.limit, 'DEFAULT', def_pwd_life_tm),40,'0') >
lpad('35',40,'0')))
  AND u.profile = p.profile

Change to STIG Rule: A query added by Oracle.

SV-76053r1_rule

Description: The DBMS must automatically disable accounts after a 35 day period of account inactivity.

Automation Logic:

select 'User '||u.username||' is assigned profile '||p.profile||' with PASSWORD_LIFE_TIME='||p.limit||'.'
value from dba_profiles p, dba_users u,
(select limit as def_pwd_life_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_LIFE_TIME')
where p.resource_name = 'PASSWORD_LIFE_TIME'
and ((replace(p.limit, 'DEFAULT', def_pwd_life_tm) in
('UNLIMITED', NULL))
or (lpad(replace(p.limit, 'DEFAULT', def_pwd_life_tm),40,'0') >
lpad('35',40,'0')))
  AND u.profile = p.profile
UNION ALL
select 'Table SYS.LOGIN_AUDIT_INFO_ALL is not used.' value FROM DUAL WHERE NOT EXISTS (select table_name from dba_tables where table_name='LOGIN_AUDIT_INFO_ALL')

Change to STIG Rule: A query added by Oracle.

SV-76055r1_rule

Description: The DBMS must automatically audit account creation.

Automation Logic:

  SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account creation is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='CREATE USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account creation is not being audited' from audit_unified_policies where AUDIT_OPTION='CREATE USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account creation is not being audited' value from audit_unified_policies where AUDIT_OPTION='CREATE USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account creation is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='CREATE USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited.

SV-76059r1_rule

Description: The DBMS must automatically audit account modification.

Automation Logic:

  SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account modification is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account modification is not being audited' from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account modification is not being audited' value from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account modification is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited.

SV-76061r1_rule

Description: The DBMS must automatically audit account disabling actions.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account disabling is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account disabling is not being audited' from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account disabling is not being audited' value from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account disabling is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if account disabling is being audited.

SV-76063r1_rule

Description: The DBMS must automatically audit account termination.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account termination is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='DROP USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account termination is not being audited' from audit_unified_policies where AUDIT_OPTION='DROP USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account termination is not being audited' value from audit_unified_policies where AUDIT_OPTION='DROP USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account termination is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='DROP USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited.

SV-76081r1_rule

Description: Administrative privileges must be assigned to database accounts through database roles.

Automation Logic:

select 'User '|| dsp.grantee ||' is granted '|| dsp.privilege ||' privilege' value
     from dba_sys_privs dsp, dba_users du
     where dsp.grantee in (SELECT username
     FROM dba_users
     WHERE username NOT IN
     (
     'XDB', 'SYSTEM', 'SYS', 'LBACSYS',
     'DVSYS', 'DVF', 'SYSMAN_RO',
     'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',
     'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',
     'SYSMAN', 'APEX_040200', 'WMSYS',
     'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',
     'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',
     'OLAPSYS', 'SI_INFORMTN_SCHEMA',
     'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',
     'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',
     'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',
     'DIP', 'CTXSYS', 'AUDSYS',
     'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',
     'SPATIAL_CSW_ADMIN_USR', 'SYSKM',
     'SYSMAN_TYPES', 'MGMT_VIEW',
     'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'
     )
     ) AND dsp.privilege NOT IN ('UNLIMITED TABLESPACE', 'REFERENCES', 'INDEX', 'SYSDBA','SYSOPER') and dsp.grantee=du.username and du.account_status not like '%EXPIRED%LOCKED%' order by dsp.grantee

Change to STIG Rule: A query added by Oracle.

SV-76085r1_rule

Description: All usage of privileged accounts must be audited.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system. Need to manually check if all use of privileged accounts are audited.

SV-76093r1_rule

Description: The DBMS must verify if account lock-outs persist until reset by an administrator.

Automation Logic:

select p.resource_name||' is not set to UNLIMITED for user '||u.username||' through profile '||p.profile AS value from dba_users u, dba_profiles p
where u.profile = p.profile
  and p.resource_name = 'PASSWORD_LOCK_TIME'
  and p.limit != 'UNLIMITED'
  and u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76095r1_rule

Description: The DBMS must limit the number of consecutive failed logon attempts to 3.

Automation Logic:

select p.resource_name||' limit is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS value from dba_profiles p, dba_users u,
(select limit as def_fld_lgn_atmt from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'FAILED_LOGIN_ATTEMPTS')
where p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
and ((replace(p.limit, 'DEFAULT', def_fld_lgn_atmt) in
('UNLIMITED', NULL))
or (lpad(replace(p.limit, 'DEFAULT', def_fld_lgn_atmt),40,'0') > lpad('3',40,'0')))
  AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76097r1_rule

Description: The DBMS, when the maximum number of unsuccessful logon attempts is exceeded, must automatically lock the account/node until released by an administrator.

Automation Logic:

select p.resource_name||' is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS
value from dba_profiles p, dba_users u,
(select limit as def_fld_lgn_atmt
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'FAILED_LOGIN_ATTEMPTS')
where p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
and ((replace(p.limit, 'DEFAULT', def_fld_lgn_atmt) in
('UNLIMITED', NULL))
or (lpad(replace(p.limit, 'DEFAULT', def_fld_lgn_atmt),40,'0') >
lpad('3',40,'0')))
  AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76099r1_rule

Description: The DBMS must retain the notification message or banner on the screen until users take explicit actions to log on to the database.

Automation Logic:

perl bannerText.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76101r1_rule

Description: The DBMS must display the system use information when appropriate, before granting further access.

Automation Logic:

perl bannerText.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76103r1_rule

Description: The DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded.

Automation Logic:

select tablespace_name ||' tablespace used for logging '||table_name value from sys.dba_tables where table_name in ('AUD$', 'FGA_LOG$')
 AND tablespace_name = 'SYSTEM' UNION ALL select tablespace_name ||' tablespace used for unified adit '||table_name value from sys.dba_tables where owner='AUDSYS' and tablespace_name='USERS'

Change to STIG Rule: A query added by Oracle.

SV-76105r1_rule

Description: The DBMS must have allocated audit record storage capacity.

Automation Logic:

select tablespace_name ||' tablespace used for logging '||table_name value from sys.dba_tables where table_name in ('AUD$', 'FGA_LOG$')
 AND tablespace_name = 'SYSTEM' UNION ALL select tablespace_name ||' tablespace used for unified adit '||table_name value from sys.dba_tables where owner='AUDSYS' and tablespace_name='USERS'

Change to STIG Rule: A query added by Oracle.

SV-76111r1_rule

Description: The DBMS must provide audit record generation capability for organization-defined auditable events within the database.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76115r1_rule

Description: The DBMS must generate audit records for the DoD-selected list of auditable events.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN (SELECT name||' parameter is set to '||value||'.' value from sys.v$parameter where name='audit_trail' and value='NONE')
    END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76117r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish what type of events occurred.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76121r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76123r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish where the events occurred.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76125r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76127r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76129r1_rule

Description: The DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76131r1_rule

Description: The DBMS must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN    (select 'audit_trail parameter is set to '||value value from v$parameter where name='audit_trail' and value = 'NONE')
 END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: Combined rule queries to check if audit is enabled by means of either Traditional or Unified system.

SV-76143r2_rule

Description: The system must protect audit information from any type of unauthorized access.

Automation Logic:

SELECT GRANTEE||' has '||PRIVILEGE||' on '|| TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where (table_name = 'AUD$' or table_name='FGA_LOG$') AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') UNION ALL  SELECT GRANTEE|| ' has '||PRIVILEGE|| ' on '||TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where owner='AUDSYS' AND grantee not in ('SYS', 'SYSTEM', 'DELETE_CATALOG_ROLE')

Change to STIG Rule: A query added by Oracle.

SV-76145r1_rule

Description: The system must protect audit information from unauthorized modification.

Automation Logic:

SELECT GRANTEE||' has '||PRIVILEGE||' on '|| TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where (table_name = 'AUD$' or table_name='FGA_LOG$') AND PRIVILEGE IN ('DELETE','INSERT','UPDATE') AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') UNION ALL  SELECT GRANTEE|| ' has '||PRIVILEGE|| ' on '||TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where owner='AUDSYS' AND PRIVILEGE IN ('DELETE','INSERT','UPDATE') AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') 

Change to STIG Rule: A query added by Oracle.

SV-76147r1_rule

Description: The system must protect audit information from unauthorized deletion.

Automation Logic:

SELECT GRANTEE||' has '||PRIVILEGE||' on '|| TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where (table_name = 'AUD$' or table_name='FGA_LOG$') AND PRIVILEGE='DELETE' AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') UNION ALL  SELECT GRANTEE|| ' has '||PRIVILEGE|| ' on '||TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where owner='AUDSYS' AND PRIVILEGE='DELETE' AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE')

Change to STIG Rule: A query added by Oracle.

SV-76157r1_rule

Description: The DBMS must protect audit data records and integrity by using cryptographic mechanisms.

Automation Logic:

SELECT 'Tablespace '||t.tablespace_name ||' holding audit data in '||t.table_name||' is not encrypted.' value
      FROM dba_tables t, dba_tablespaces ts
   WHERE (t.table_name ='AUD$' OR t.table_name='FGA_LOG$' OR t.owner= 'AUDSYS')
         AND t.tablespace_name = ts.tablespace_name
         AND ts.encrypted = 'NO'
        AND EXISTS (SELECT PARAMETER as value1 from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='TRUE' UNION select name as value1 from v$parameter where name='audit_trail' and UPPER(value) != 'NONE')

Change to STIG Rule: A query added by Oracle.

SV-76159r1_rule

Description: The DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions.

Automation Logic:

SELECT GRANTEE||' has '||PRIVILEGE||' on '|| TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where (table_name = 'AUD$' or table_name='FGA_LOG$') AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') UNION ALL  SELECT GRANTEE|| ' has '||PRIVILEGE|| ' on '||TABLE_NAME AS VALUE FROM sys.DBA_TAB_PRIVS where owner='AUDSYS' AND grantee not in ('SYS','SYSTEM', 'DELETE_CATALOG_ROLE') UNION ALL  SELECT GRANTEE || ' has been granted with '||GRANTED_ROLE AS VALUE FROM sys.DBA_ROLE_PRIVS WHERE GRANTED_ROLE IN ('AUDIT_ADMIN','AUDIT_VIEWER','DELETE_CATALOG_ROLE') AND GRANTEE NOT IN ('SYS','SYSTEM','DBA')

Change to STIG Rule: Combined rule queries to check if audit records are being protected.

SV-76161r1_rule

Description: The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.

Automation Logic:

perl %scriptsDir%/umaskCheck.pl {OracleHome} 022

Change to STIG Rule: Script provided by Oracle.

SV-76163r1_rule

Description: Database objects must be owned by accounts authorized for ownership.

Automation Logic:

SELECT 'Database objects are owned by unauthorized user '||OWNER value FROM ( SELECT OWNER, COUNT(*)  FROM DBA_OBJECTS
WHERE OWNER NOT IN ('PUBLIC', 'OUTLN', 'CTXSYS', 'SYSTEM', 'EXFSYS', 'DBSNMP', 'ORDSYS', 'ORDPLUGINS', 'APPQOSYS', 'XDB', 'IX', 'ORDDATA', 'SYS', 'WMSYS', 'MDSYS', 'OLAPSYS', 'SYSMAN', 'APEX_030200', 'FLOWS_FILES', 'SI_INFORMTN_SCHEMA', 'ORACLE_OCM', 'APPQOSSYS', 'PM', 'OE', 'SH', 'HR', 'ORACLE_OCM', 'SCOTT', 'OWBSYS_AUDIT', 'OWBSYS', 'BI','APEX_040200','DVF','DVSYS','LBACSYS','AUDSYS','GSMADMIN_INTERNAL','OJVMSYS') GROUP BY OWNER )

Change to STIG Rule: A query added by Oracle.

SV-76167r1_rule

Description: Default demonstration and sample databases, database objects, and applications must be removed.

Automation Logic:

select distinct 'Demonstration account '||username||' found in database' value from dba_users where username in ('BI', 'HR', 'OE', 'PM', 'IX', 'SH', 'SCOTT')

Change to STIG Rule: A query added by Oracle.

SV-76173r1_rule

Description: Use of external executables must be authorized.

Automation Logic:

SELECT owner||'.'||library_name||' is a library containing external procedure.' AS VALUE FROM ( select library_name,owner, '' grantee, '' privilege
from dba_libraries where file_spec is not null
minus
(
select library_name,o.name owner, '' grantee, '' privilege
 from dba_libraries l,
 sys.user$ o,
 sys.user$ ge,
 sys.obj$ obj,
 sys.objauth$ oa
 where l.owner=o.name
 and obj.owner#=o.user#
 and obj.name=l.library_name
 and oa.obj#=obj.obj#
 and ge.user#=oa.grantee#
 and l.file_spec is not null
))
union all

SELECT grantee||' has been granted with '||privilege||' on '||owner||'.'||library_name||' the library containing external procedures.' AS VALUE FROM (
select library_name,o.name owner, --obj.obj#,oa.privilege#,
 ge.name grantee,
 tpm.name privilege
 from dba_libraries l,
 sys.user$ o,
 sys.user$ ge,
 sys.obj$ obj,
 sys.objauth$ oa,
 sys.table_privilege_map tpm
 where l.owner=o.name
 and obj.owner#=o.user#
 and obj.name=l.library_name
 and oa.obj#=obj.obj#
 and ge.user#=oa.grantee#
 and tpm.privilege=oa.privilege#
 and l.file_spec is not null
 )

Change to STIG Rule: Made to be operated manually as query cannot be executed successfully because of special characters being added.

SV-76175r1_rule

Description: Access to external executables must be disabled or restricted.

Automation Logic:

perl %scriptsDir%/externalExecs.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76181r1_rule

Description: The DBMS must have transaction journaling enabled.

Automation Logic:

select 'Database is in NOARCHIVELOG mode' value from v$database where log_mode != 'ARCHIVELOG' 

Change to STIG Rule: A query added by Oracle.

SV-76193r1_rule

Description: The DBMS must use multifactor authentication for network access to privileged accounts.

Automation Logic:

perl %scriptsDir%/multiFactorAuth.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76195r1_rule

Description: The DBMS must use multifactor authentication for network access to non-privileged accounts.

Automation Logic:

perl %scriptsDir%/multiFactorAuth.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76197r1_rule

Description: The DBMS must use multifactor authentication for local access to privileged accounts.

Automation Logic:

perl %scriptsDir%/multiFactorAuth.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76199r1_rule

Description: The DBMS must use multifactor authentication for local access to non-privileged accounts.

Automation Logic:

perl %scriptsDir%/multiFactorAuth.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76203r1_rule

Description: The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.

Automation Logic:

perl %scriptsDir%/replayResistantAuthCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76205r1_rule

Description: The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.

Automation Logic:

perl %scriptsDir%/replayResistantAuthCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76207r1_rule

Description: The DBMS must support organizational requirements to disable user accounts after an organization-defined time period of inactivity.

Automation Logic:

select p.resource_name||' limit is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS
value from dba_profiles p, dba_users u,
(select limit as def_pwd_life_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_LIFE_TIME')
where p.resource_name = 'PASSWORD_LIFE_TIME'
and ((replace(p.limit, 'DEFAULT', def_pwd_life_tm) in
('UNLIMITED', 'NULL'))
or (lpad(replace(p.limit, 'DEFAULT', def_pwd_life_tm),40,'0') >
lpad('35',40,'0')))
  AND u.profile = p.profile
  AND u.account_status not like '%EXPIRED%LOCKED%' AND u.AUTHENTICATION_TYPE NOT IN ('GLOBAL','EXTERNAL')
UNION ALL
select 'Table SYS.LOGIN_AUDIT_INFO_ALL is not used' value FROM DUAL WHERE NOT EXISTS (select table_name from dba_tables where table_name='LOGIN_AUDIT_INFO_ALL')

Change to STIG Rule: A query added by Oracle.

SV-76209r1_rule

Description: The DBMS must support organizational requirements to enforce minimum password length.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check minimum password length' AS
value from sys.dba_profiles p, sys.dba_users u,
(select limit as def_pwd_verify_func
from sys.dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION')
where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76211r2_rule

Description: The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.

Automation Logic:

elect profile|| ' profile has PASSWORD_REUSE_TIME set to '||limit
value from dba_profiles p,
(select limit as def_pwd_reuse_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_REUSE_TIME')
where p.resource_name = 'PASSWORD_REUSE_TIME'
and ((replace(p.limit, 'DEFAULT', def_pwd_reuse_tm) in
('UNLIMITED', NULL))
or (lpad(replace(p.limit, 'DEFAULT', def_pwd_reuse_tm),40,'0') <
lpad('6',40,'0')))
UNION
SELECT profile|| ' profile has PASSWORD_REUSE_MAX set to '||limit value FROM dba_profiles
 WHERE resource_name = 'PASSWORD_REUSE_MAX'
   AND (limit IS NULL 
        OR limit = 'UNLIMITED') 

Change to STIG Rule: A query added by Oracle.

SV-76213r1_rule

Description: The DBMS must support organizational requirements to enforce password complexity by the number of upper-case characters used.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check number of upper-case characters used' AS value from sys.dba_profiles p, sys.dba_users u, (select limit as def_pwd_verify_func from sys.dba_profiles where profile = 'DEFAULT' and resource_name = 'PASSWORD_VERIFY_FUNCTION') where p.resource_name = 'PASSWORD_VERIFY_FUNCTION' and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76215r1_rule

Description: The DBMS must support organizational requirements to enforce password complexity by the number of lower-case characters used.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check number of lower-case characters used' AS
value from sys.dba_profiles p, sys.dba_users u,
(select limit as def_pwd_verify_func
from sys.dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION')
where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76217r1_rule

Description: The DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check number of numeric characters used' AS
value from sys.dba_profiles p, sys.dba_users u,
(select limit as def_pwd_verify_func
from sys.dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION')
where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76219r1_rule

Description: The DBMS must support organizational requirements to enforce password complexity by the number of special characters used.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check number of special characters used' AS
value from sys.dba_profiles p, sys.dba_users u,
(select limit as def_pwd_verify_func
from sys.dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION')
where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76221r1_rule

Description: The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.

Automation Logic:

select p.resource_name||' is not set for user '||u.username||' through profile '||p.profile||' to check number of characters changed on password reset' AS
value from sys.dba_profiles p, sys.dba_users u,
(select limit as def_pwd_verify_func
from sys.dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_VERIFY_FUNCTION')
where p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
and ((replace(p.limit, 'DEFAULT', def_pwd_verify_func) in ('', 'NULL'))) AND u.profile = p.profile
AND u.account_status not like '%EXPIRED%LOCKED%' and u.AUTHENTICATION_TYPE NOT IN ('EXTERNAL', 'GLOBAL')

Change to STIG Rule: A query added by Oracle.

SV-76229r1_rule

Description: The DBMS must enforce maximum lifetime restrictions on password.

Automation Logic:

select p.profile||' has PASSWORD_LIFE_TIME set to '||p.limit||'.'
value from dba_profiles p,
(select limit as def_pwd_life_tm
from dba_profiles
where profile = 'DEFAULT'
and resource_name = 'PASSWORD_LIFE_TIME')
where p.resource_name = 'PASSWORD_LIFE_TIME'
and ((replace(p.limit, 'DEFAULT', def_pwd_life_tm) in
('UNLIMITED', NULL))
or (lpad(replace(p.limit, 'DEFAULT', def_pwd_life_tm),40,'0') >
lpad('35',40,'0')))

Change to STIG Rule: A query added by Oracle.

SV-76237r1_rule

Description: The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms.

Automation Logic:

perl %scriptsDir%/fipsCompliantCheck.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76245r1_rule

Description: The DBMS must support organizational requirements to encrypt information stored in the database and information extracted or derived from the database and stored on digital media.

Automation Logic:

select 'Parameter '||name||' is set to '||value  AS VALUE from  SYS.V$PARAMETER where name='DBFIPS_140' and value='FALSE'
UNION SELECT 'DBMS must support organizational requirements to encrypt information stored in the database and information extracted or derived from the database' as value FROM DUAL WHERE NOT EXISTS(SELECT NAME FROM SYS.V$PARAMETER where name='DBFIPS_140')

Change to STIG Rule: A query added by Oracle.

SV-76247r2_rule

Description: The DBMS must terminate the network connection associated with a communications session at the end of the session or 15 minutes of inactivity.

Automation Logic:

select p.resource_name||' is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS value from sys.DBA_PROFILES p, sys.dba_users u,(SELECT limit as def_idle_time FROM sys.DBA_PROFILES where profile='DEFAULT' AND RESOURCE_NAME='IDLE_TIME') d where p.resource_name ='IDLE_TIME' and (DECODE (p.limit, 'DEFAULT', d.def_idle_time, limit) = 'UNLIMITED' OR (lpad(replace(p.limit, 'DEFAULT', d.def_idle_time),40,'0') > lpad('15',40,'0'))) and u.profile = p.profile and u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76249r1_rule

Description: The DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance.

Automation Logic:

perl %scriptsDir%/cryptoProtectionCheck.pl {OracleHome} {MachineName} {Port} {Protocol} {SID} {UserName} {password} {Role}

Change to STIG Rule: Script provided by Oracle.

SV-76251r1_rule

Description: Database data files containing sensitive information must be encrypted.

Automation Logic:

select 'Parameter '||name||' is set to '||value  AS VALUE from  SYS.V$PARAMETER where name='DBFIPS_140' and value='FALSE'
UNION SELECT 'Database data files containing sensitive information must be encrypted.' as value FROM DUAL WHERE NOT EXISTS(SELECT NAME FROM SYS.V$PARAMETER where name='DBFIPS_140')

Change to STIG Rule: A query added by Oracle.

SV-76253r1_rule

Description: The DBMS must protect the integrity of publicly available information and applications.

Automation Logic:

SELECT TABLESPACE_NAME||' tablespace is not READ ONLY. ' AS VALUE FROM sys.DBA_TABLESPACES WHERE STATUS != 'READ ONLY' AND TABLESPACE_NAME NOT IN ('SYSTEM','SYSAUX','UD1','TEMP','SYSEXT','UNDOTBS')

Change to STIG Rule: A query added by Oracle.

SV-76255r1_rule

Description: The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as exceeding idle time limit.

Automation Logic:

SELECT resource_name||' is set to '||limit||' for user '||username||' through profile '||profile AS value FROM (select u.username,p.profile,p.resource_name,p.limit,u.account_status from sys.DBA_PROFILES p, sys.dba_users u,(SELECT limit as def_idle_time FROM sys.DBA_PROFILES where profile='DEFAULT' AND RESOURCE_NAME='IDLE_TIME') d where p.resource_name ='IDLE_TIME' and (DECODE (p.limit, 'DEFAULT', d.def_idle_time, limit) = 'UNLIMITED' OR (lpad(replace(p.limit, 'DEFAULT', d.def_idle_time),40,'0') > lpad('15',40,'0'))) and u.profile = p.profile
UNION ALL
select u.username,p.profile, p.resource_name, p.limit,u.account_status from sys.DBA_PROFILES p, sys.dba_users u where p.resource_name='CONNECT_TIME' and DECODE (limit, 'DEFAULT', (SELECT limit from DBA_PROFILES d where d.resource_name=p.resource_name and profile='DEFAULT'), limit) = 'UNLIMITED' and u.profile = p.profile) where account_status not like '%EXPIRED%LOCKED%' 

Change to STIG Rule: A query added by Oracle.

SV-76257r1_rule

Description: The DBMS must fail to a known safe state for defined types of failures.

Automation Logic:

select 'Database is in NOARCHIVELOG mode' value from v$database where log_mode != 'ARCHIVELOG'

Change to STIG Rule: A query added by Oracle.

SV-76261r1_rule

Description: The DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.

Automation Logic:

SELECT 'Table '||a.owner||'.'||a.table_name||' in tablespace '||a.tablespace_name||' is not protected by means of encryption.' AS VALUE
 FROM dba_tables a WHERE a.tablespace_name NOT IN (select t.name from v$tablespace t, v$encrypted_tablespaces e where t.ts# = e.ts# ) AND a.tablespace_name NOT IN ('SYSTEM','SYSAUX','UD1','TEMP','SYSEXT','UNDOTBS') AND ROWNUM < 200

Change to STIG Rule: Modified the query to exclude -'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'.

SV-76263r1_rule

Description: The DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest unless the data is otherwise protected by alternative physical measures.

Automation Logic:

SELECT 'Table '||a.owner||'.'||a.table_name||' in tablespace '||a.tablespace_name||' is not protected by means of encryption.' AS VALUE
 FROM dba_tables a WHERE a.tablespace_name NOT IN (select t.name from v$tablespace t, v$encrypted_tablespaces e where t.ts# = e.ts# ) AND a.tablespace_name NOT IN ('SYSTEM','SYSAUX','UD1','TEMP','SYSEXT','UNDOTBS') AND ROWNUM < 200

Change to STIG Rule: Modified the query to exclude -'SYSTEM', 'SYSAUX', 'UD1', 'TEMP', 'SYSEXT', and 'UNDOTBS'.

SV-76275r1_rule

Description: The DBMS must check the validity of data inputs.

Automation Logic:

select owner, 'Constraint '||owner ||'.'||constraint_name || ' is '|| status||' '|| validated value from dba_constraints where (status='DISABLED' or validated='NOT VALIDATED') and owner not in ('SYS', 'SYSMAN', 'SH', 'SYSTEM', 'PM', 'OE', 'SH', 'HR', 'IX', 'OLAPSYS', 'ORDDATA', 'CTXSYS', 'WMSYS')

Change to STIG Rule: A query added by Oracle.

SV-76287r2_rule

Description: The DBMS must notify appropriate individuals when accounts are created.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account creation is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='CREATE USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account creation is not being audited' from audit_unified_policies where AUDIT_OPTION='CREATE USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account creation is not being audited' value from audit_unified_policies where AUDIT_OPTION='CREATE USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account creation is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='CREATE USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account creation is being audited. Need to manually check if they are being notified.

SV-76289r2_rule

Description: The DBMS must notify appropriate individuals when accounts are modified.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account modification is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account modification is not being audited' from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account modification is not being audited' value from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account modification is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account modification is being audited. Need to manually check if it is notified.

SV-76291r2_rule

Description: The DBMS must notify appropriate individuals when account disabling actions are taken.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account disabling is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account disabling is not being audited' from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account disabling is not being audited' value from audit_unified_policies where AUDIT_OPTION='ALTER USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account disabling is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='ALTER USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account disabling is being audited. Need to manually check if it is notified.

SV-76293r2_rule

Description: The DBMS must notify appropriate individuals when accounts are terminated.

Automation Logic:

SELECT * FROM (
     SELECT CASE UPPER(value) WHEN 'FALSE'
     THEN
      (SELECT CASE UPPER(value) WHEN 'NONE' 
            THEN
                name||' parameter is set to '||value||'.'
            ELSE
                (SELECT 'Account termination is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='DROP USER' having count(*)=0)
            END AS VALUE FROM  v$parameter where name='audit_trail' )
     ELSE
        (SELECT CASE UPPER(value) WHEN 'NONE' 
           THEN
        (SELECT 'Account termination is not being audited' from audit_unified_policies where AUDIT_OPTION='DROP USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0)
     ELSE 
              (SELECT DISTINCT value FROM (SELECT 'Account termination is not being audited' value from audit_unified_policies where AUDIT_OPTION='DROP USER' AND AUDIT_OPTION_TYPE='STANDARD ACTION' AND AUDIT_CONDITION!='NONE' having count(*)=0
          UNION 
      SELECT 'Account termination is not being audited' value from sys.dba_stmt_audit_opts where AUDIT_OPTION='DROP USER' having count(*)=0  )) 
            END AS VALUE FROM  v$parameter where name='audit_trail' )      
     END AS value FROM v$option WHERE parameter  ='Unified Auditing') where VALUE IS NOT NULL;

Change to STIG Rule: Combined to check if audit is enabled by means of either Traditional or Unified system and to check if account termination is being audited. Need to manually check if it is notified.

SV-76299r1_rule

Description: The DBMS must support organizational requirements to implement separation of duties through assigned information access authorizations.

Automation Logic:

select grantee ||' has '||privilege||' privilege on '|| table_name value
FROM dba_tab_privs
WHERE grantee NOT IN (
SELECT role
FROM dba_roles)
  and grantee not in ('SYSKM', 'PUBLIC', 'SYSBACKUP', 'CTXSYS', 'EXFSYS', 'DVSYS', 'SYSTEM', 'AUDSYS', 'DBSNMP', 'ORDSYS',
                      'XDB', 'SYSDG', 'ORDDATA', 'APPQOSSYS', 'SYS', 'WMSYS', 'LBACSYS', 'MDSYS', 'ORACLE_OCM', 'OWBSYS_AUDIT' ,'DIP' ,'SPATIAL_WFS_ADMIN_USR' ,'FLOWS_FILES' ,'HR' ,'MGMT_VIEW' ,'OLAPSYS' ,'OUTLN' ,'OWBSYS' ,'SPATIAL_CSW_ADMIN_USR' ,'APEX_030200' ,'SCOTT' ,'APEX_PUBLIC_USER' ,'MDDATA' ,'OE' ,'ORDPLUGINS' ,'PM' ,'SH' ,'SYSMAN' ,'BI' ,'IX' ,'ANONYMOUS' ,'SI_INFORMTN_SCHEMA','DVF','GSMADMIN_INTERNAL','APEX_040200','OJVMSYS','GSMCATUSER')
UNION
select 'User '|| grantee ||' is granted '||privilege||' privilege ' value
 from dba_sys_privs
where grantee not in ( select role from dba_roles)
  and grantee not in ('SYSKM', 'PUBLIC', 'SYSBACKUP', 'CTXSYS', 'EXFSYS', 'DVSYS', 'SYSTEM', 'AUDSYS', 'DBSNMP', 'ORDSYS',
                      'XDB', 'SYSDG', 'ORDDATA', 'APPQOSSYS', 'SYS', 'WMSYS', 'LBACSYS', 'MDSYS', 'ORACLE_OCM', 'OWBSYS_AUDIT' ,'DIP' ,'SPATIAL_WFS_ADMIN_USR' ,'FLOWS_FILES' ,'HR' ,'MGMT_VIEW' ,'OLAPSYS' ,'OUTLN' ,'OWBSYS' ,'SPATIAL_CSW_ADMIN_USR' ,'APEX_030200' ,'SCOTT' ,'APEX_PUBLIC_USER' ,'MDDATA' ,'OE' ,'ORDPLUGINS' ,'PM' ,'SH' ,'SYSMAN' ,'BI' ,'IX' ,'ANONYMOUS' ,'SI_INFORMTN_SCHEMA','DVF','GSMADMIN_INTERNAL','APEX_040200','OJVMSYS','GSMCATUSER')

Change to STIG Rule: Changed query to exclude oracle default users/roles.

SV-76301r1_rule

Description: The DBMS must display an approved system use notification message or banner before granting access to the database.

Automation Logic:

perl %scriptsDir%/bannerText.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76307r1_rule

Description: The DBMS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

Automation Logic:

select p.resource_name||' is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS value from sys.DBA_PROFILES p, sys.dba_users u,(SELECT limit as def_limit, resource_name FROM sys.DBA_PROFILES where profile='DEFAULT' ) d where p.resource_name IN ('CPU_PER_SESSION','LOGICAL_READS_PER_SESSION','CONNECT_TIME','PRIVATE_SGA') and (DECODE (p.limit, 'DEFAULT', d.def_limit, limit) = 'UNLIMITED' OR (p.resource_name='CPU_PER_SESSION' AND (lpad(replace(p.limit, 'DEFAULT', d.def_limit),40,'0') > lpad('6000',40,'0'))) OR (p.resource_name='LOGICAL_READS_PER_SESSION' AND (lpad(replace(p.limit, 'DEFAULT', d.def_limit),40,'0') > lpad('1000',40,'0'))) OR (p.resource_name='CONNECT_TIME' AND (lpad(replace(p.limit, 'DEFAULT', d.def_limit),40,'0') > lpad('30',40,'0'))) OR (p.resource_name='PRIVATE_SGA' AND (lpad(replace(p.limit, 'DEFAULT', d.def_limit),40,'0') > lpad('102400',40,'0'))) and u.profile = p.profile AND d.RESOURCE_NAME=p.resource_name AND u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76309r1_rule

Description: The DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.

Automation Logic:

select p.resource_name||' is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS value from DBA_PROFILES p, dba_users u
where p.resource_name IN ('SESSIONS_PER_USER', 'CPU_PER_SESSION', 'CPU_PER_CALL', 'CONNECT_TIME', 'IDLE_TIME', 'LOGICAL_READS_PER_SESSION', 'LOGICAL_READS_PER_CALL', 'PRIVATE_SGA', 'COMPOSITE_LIMIT')
  and DECODE (p.limit, 'DEFAULT', (SELECT d.limit from DBA_PROFILES d where d.resource_name=p.resource_name and d.profile='DEFAULT'), p.limit) = 'UNLIMITED' and u.profile = p.profile and u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

SV-76339r1_rule

Description: DBMS default accounts must be protected from misuse.

Automation Logic:

SELECT 'Account '||username||' is OPEN.' as value FROM sys.dba_users where ACCOUNT_STATUS NOT LIKE '%LOCKED%' AND USERNAME NOT IN ('SYS','SYSTEM','SYSMAN') AND ROWNUM < 200

Change to STIG Rule: A query added by Oracle.

SV-76365r1_rule

Description: Database software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.

Automation Logic:

perl %scriptsDir%/oracleFiles.pl {OracleHome}

Change to STIG Rule: Script provided by Oracle.

SV-76377r1_rule

Description: The DBMS must protect against an individual who uses a shared account falsely denying having performed a particular action.

Automation Logic:

SELECT * FROM ( SELECT CASE WHEN ((SELECT count(*) from SYS.V$OPTION WHERE PARAMETER='Unified Auditing' AND VALUE='FALSE')=1) THEN (SELECT name||' parameter is set to '||value||'.' value from sys.v$parameter where name='audit_trail' and value='NONE')
    END AS VALUE FROM DUAL) WHERE VALUE IS NOT NULL

Change to STIG Rule: A query added by Oracle.

SV-76455r1_rule

Description: The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.

Automation Logic:

perl %scriptsDir%/auditFileDestPerm.pl {OracleHome} {MachineName} {Port} {Protocol} {SID} {UserName} {password} {Role}

Change to STIG Rule: Script provided by Oracle.

SV-76457r1_rule

Description: The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

Automation Logic:

select p.resource_name||' is set to '||p.limit||' for user '||u.username||' through profile '||p.profile AS value from sys.DBA_PROFILES p, sys.dba_users u,(SELECT limit as def_limit FROM sys.DBA_PROFILES where profile='DEFAULT' AND RESOURCE_NAME='SESSIONS_PER_USER') d where p.resource_name ='SESSIONS_PER_USER' and DECODE (p.limit, 'DEFAULT', d.def_limit, limit) = 'UNLIMITED' and u.profile = p.profile and u.account_status not like '%EXPIRED%LOCKED%'

Change to STIG Rule: A query added by Oracle.

STIG Database Checks

The following STIG database rules are enhanced by Oracle. Bold text in the Collection Query denotes the change.

DG0008

Name: Application objects should be owned by accounts authorized for ownership

Collection Query:

(select distinct 'Unauthorized user '||owner||' owns application objects in the database.'  from dba_objects
where owner not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED',
'CTXSYS','DBSNMP','DIP','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA',
'MDSYS','MGMT_VIEW','ODM','ODM_MTR',
'OLAPSYS','ORDPLUGINS', 'ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT',
'PUBLIC','REPADMIN','RMAN','SI_INFORMTN_SCHEMA',
'SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYSWK_TEST','WKPROXY','WKSYS',
'WKUSER','WMSYS','XDB', 'OWBSYS', 'SCOTT', 'ORACLE_OCM', 'ORDDATA', 'APEX_030200', 'OWBSYS_AUDIT', 'APPQOSSYS', 'FLOWS_FILES')
and owner not in
(select grantee from dba_role_privs where granted_role='DBA'))

Change to STIG Rule: Added Default Users/Roles

DG0077

Name: Production databases should be protected from unauthorized access by developers on shared production/development host systems.

Collection Query:

select 'User/Role '||grantee||' granted '||privilege||' on production system' from dba_sys_privs
where (privilege like 'CREATE%' or privilege like 'ALTER%'
or privilege like 'DROP%')
and privilege <> 'CREATE SESSION'
and grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW',
'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN',
'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM',
'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER',
'WMSYS','XDB', 'APEX_030200', 'APPQOSSYS', 'AQ_ADMINISTRATOR_ROLE','DATAPUMP_EXP_FULL_DATABASE', 
'DBA', 'EXP_FULL_DATABASE', 'FLOWS_FILES', 'IMP_FULL_DATABASE', 
'DATAPUMP_IMP_FULL_DATABASE', 'OEM_ADVISOR', 'OEM_MONITOR', 'OLAP_DBA', 
'OLAP_USER', 'OWB$CLIENT', 'OWBSYS', 'OWBSYS_AUDIT', 'RECOVERY_CATALOG_OWNER',
'RESOURCE', 'SCHEDULER_ADMIN', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR')
order by 1;

Change to STIG Rule: Added Default Users/Roles.

DG0079

Name: DBMS login accounts require passwords to meet complexity requirements.

Collection Query:

select profile||': '||limit
from dba_profiles,
(select limit as def_pwd_verify_func
from dba_profiles
where resource_name='PASSWORD_VERIFY_FUNCTION'
and profile='DEFAULT')
where resource_name='PASSWORD_VERIFY_FUNCTION'
and replace(limit, 'DEFAULT', def_pwd_verify_func) in
('UNLIMITED', 'NULL')

Change to STIG Rule: Incorrect query. Replaced NULL with string 'NULL'.

DG0091

Name: Custom and GOTS application source code stored in the database should be protected with encryption or encoding.

Collection Query:

(select 'Application source code of '||owner||'.'||name||' is not encrypted.' 
from dba_source
where line=1 and owner not in('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OE', 'OLAPSYS', 'ORDPLUGINS',
'ORDSYS', 'OUTLN', 'PM', 'QS_ADM', 'RMAN', 'SYSTEM', 'WKSYS',
'WMSYS', 'XDB', 'APEX_030200', 'SYSMAN', 'ORACLE_OCM', 'DBSNMP', 'EXFSYS' )
and owner not like 'OEM%'
and text not like '%wrapped%'
and type in ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY'))

Change to STIG Rule: Added default users.

DG0116

Name: Database privileged role assignments should be restricted to IAO-authorized DBMS accounts.

Collection Query:

select 'Privileged role '||granted_role||' is assigned to user '||grantee details
from dba_role_privs
where grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DMSYS','DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS',
'MGMT_VIEW','ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','REPADMIN','RMAN',
'SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM','TRACESVR',
'TSMSYS','WK_TEST','WKPROXY','WKSYS','WKUSER','WMSYS','XDB', 'OEM_MONITOR')
and grantee not in
('DBA', 'OLAP_USER', 'IP', 'ORASSO_PUBLIC',
'PORTAL_PUBLIC', 'DATAPUMP_EXP_FULL_DATABASE',
'DATAPUMP_IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
'IMP_FULL_DATABASE', 'OLAP_DBA', 'EXECUTE_CATALOG_ROLE',
'SELECT_CATALOG_ROLE', 'JAVASYSPRIV')
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA')
and grantee not in (select distinct owner from dba_objects)
and granted_role in
('AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
'CTXAPP',
'DELETE_CATALOG_ROLE','EJBCLIENT','EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE','GATHER_SYSTEM_STATISTICS',
'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE', 'IMP_FULL
DATABASE','JAVADEBUGPRIV','JAVAIDPRIV',
'JAVASYSPRIV','JAVAUSERPRIV','JAVA_ADMIN','JAVA_DEPLOY',
'LOGSTDBY_ADMINISTRATOR','OEM_MONITOR','OLAP_DBA',
'RECOVERY_CATALOG_OWNER',
'SALES_HISTORY_ROLE','SELECT_CATALOG_ROLE','WKUSER',
'WM_ADMIN_ROLE','XDBADMIN')
and granted_role not in ('CONNECT', 'RESOURCE', 'AUTHENTICATEDUSER')
order by 1;

Change to STIG Rule: Added default users.

DG0117

Name: Administrative privileges should be assigned to database accounts via database roles.

Collection Query:

select 'Grantee '||grantee||' is directly granted '||privilege||' privilege. The privilege should be granted via a role.'
from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'MDSYS', 'WKSYS', 'ANONYMOUS', 'APEX_030200',
'APEX_PUBLIC_USER', 'FLOWS_FILES', 'OUTLN', 'DIP', 'APPQOSSYS', 'WMSYS',
'OLAPSYS', 'ORACLE_OCM', 'OWBSYS_AUDIT', 'DBSNMP', 'XDB', 'EXFSYS', 
'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN_USR', 'OWBSYS', 'OWBSYS_AUDIT')
and grantee not in
(select distinct granted_role from dba_role_privs)
and privilege <> 'UNLIMITED TABLESPACE'
order by 1

Change to STIG Rule: Added Default Users.

DG0119

Name: DBMS application users should not be granted administrative privileges to the DBMS.

Collection Query:

select 'Application user '||grantee||' has administrative privilege  '||privilege||' on '||owner||'.'|| table_name from dba_tab_privs
where privilege in ('ALTER', 'REFERENCES', 'INDEX')
and grantee not in ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN', 'ANONYMOUS',
'APEX_PUBLIC_USER', 'CSW_USR_ROLE', 'WFS_USR_ROLE', 'SPATIAL_WFS_ADMIN', 
'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN', 'SPATIAL_CSW_ADMIN_USR')
and table_name not in
('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA')
and grantee not in (select distinct owner from dba_objects) order by 1

Change to STIG Rule: Added default users.

DG0121

Name: Application users privileges should be restricted to assignment using application user roles.

Collection Query:

select 'User '||grantee||' has direct privilege '||privilege||' on the table '||owner||'.'||table_name||'. The privilege should be granted via a role.'
from dba_tab_privs where grantee not in
(select role from dba_roles)
and grantee not in
('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS',
'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES',
'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS',
'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS',
'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT',
'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM',
'WKSYS', 'WMSYS', 'XDB', 'ANONYMOUS', 'APEX_030200', 'APEX_PUBLIC_USER',
'APPQOSSYS', 'CSW_USR_ROLE', 'WFS_USR_ROLE', 'SPATIAL_WFS_ADMIN', 
'SPATIAL_WFS_ADMIN_USR', 'SPATIAL_CSW_ADMIN', 'SPATIAL_CSW_ADMIN_USR')
and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE'
and table_name not like '%RP'
and grantee not in
(select grantee from dba_tab_privs
where table_name in ('DBMS_DEFER', 'DEFLOB'))

Change to STIG Rule: Added default users.

DG0123

Name: Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.

Collection Query:

select 'Application user '|| grantee||' is granted '||privilege||' on system table '|| owner||'.'|| table_name from dba_tab_privs
where (owner='SYS' or table_name like 'DBA_%')
and privilege <> 'EXECUTE'
and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE',
'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN', 'TRACESVR',
'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE',
'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE',
'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE',
'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS',
'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS', 'WM_ADMIN_ROLE', 'XDB',
'LBACSYS', 'PERFSTAT', 'XDBADMIN', 'ADM_PARALLEL_EXECUTE_TASK', 'APEX_030200',
'APPQOSSYS', 'DBFS_ROLE', 'EXFSYS', 'HS_ADMIN_SELECT_ROLE', 'OLAP_XS_ADMIN',
'ORACLE_OCM', 'OWB$CLIENT', 'OWBSYS', 'SYSMAN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by 1

Change to STIG Rule: Added default users.

DO0155

Name: Only authorized system accounts should have the SYSTEM tablespace specified as the default tablespace.

Collection Query:

(select 'User '||username||' is using SYSTEM as temporary or default tablespace.' from dba_users
where (default_tablespace = 'SYSTEM' or temporary_tablespace = 'SYSTEM')
and username not in
('AURORA$JIS$UTILITY$','AURORA$ORB$UNAUTHENTICATED',
'DBSNMP','MDSYS','ORDPLUGINS','ORDSYS','OSE$HTTP$ADMIN',
'OUTLN','REPADMIN','SYS','SYSTEM','TRACESVR','MTSSYS','DIP', 'MGMT_VIEW'))

Change to STIG Rule: Added default users.

DO0231

Name: Application owner accounts should have a dedicated application tablespace.

Collection Query:

select distinct tablespace_name||' tablespace used by '||owner||' is not a dedicated tablespace.' from (
select distinct owner, tablespace_name
from dba_tables
where owner not in
('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM','ODM_MTR'
'MDSYS','ORDSYS','WMSYS','RMAN','XDB', 'APEX_030200', 'APPQOSSYS', 'DBSNMP', 
'EXFSYS', 'FLOWS_FILES', 'ORDDATA', 'OWBSYS', 'SYSMAN', 'SCOTT')
and tablespace_name is not NULL
and (owner, table_name) not in
(select owner, table_name from dba_external_tables)
order by 1)

Change to STIG Rule: Added default users.

DO0250

Name: Fixed user and public database links should be authorized for use.

Collection Query:

select 'Fixed user database link '||db_link||' found for '||owner value from dba_db_links 
where db_link not in (select master from sys.dba_repcatlog)

Comment: Combined the rule queries to return db_link as violations only if dba_repcatalog has records

DO0270

Name: A minimum of two Oracle redo log groups/files should be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device.

Collection Query:

select 'redo_logs_count', log_count from
(select count(*) log_count from  V$LOG where members > 1)
where log_count < 2 

Comment: Used the more strict query to get the violation. Need to manually check if a RAID device is used.

DO0340

Name: Oracle application administration roles should be disabled if not required and authorized.

Collection Query:

select 'Oracle Administration role '||granted_role||' granted to '||grantee||'.'
from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'DBA', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE','MDSYS', 'SYS', 'WKSYS')
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like
'%LOCKED%')

Change to STIG Rule: Added default users.

DO0350

Name: Oracle system privileges should not be directly assigned to unauthorized accounts.

Collection Query:

select 'User/Role '||grantee||' granted system privilege '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION' and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'CTXSYS',
'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS',
'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE',
'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR',
'OLAPSYS', 'ORDSYS', 'OUTLN', 'MTSSYS',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'ANONYMOUS', 'CONNECT', 'DBSNMP',
'JAVADEBUGPRIV', 'ODM_MTR', 'OLAP_DBA', 'ORDPLUGINS',
'RESOURCE', 'RMAN', 'SYS', 'WKPROXY', 'AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN',
'TIMESERIES_DBA', 'TIMESERIES_DEVELOPER', 'OLAP_USER', 'DATAPUMP_EXP_FULL_DATABASE',
'DATAPUMP_IMP_FULL_DATABASE', 'OEM_ADVISOR', 'OWB$CLIENT', 'SCHEDULER_ADMIN', 'SYSMAN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in
(select username from dba_users where upper(account_status) like
'%LOCKED%') order by 1

Change to STIG Rule: Added default users and roles.

DO3536

Name: The IDLE_TIME profile parameter should be set for Oracle profiles IAW DoD policy.

Collection Query:

select 'IDLE_TIME set to '||limit||' for profile '||profile||'.' from (
select profile, limit from DBA_PROFILES
where profile = 'DEFAULT'
and resource_name = 'IDLE_TIME')
where TO_NUMBER(DECODE (limit, 'UNLIMITED', 1000, limit)) > 15
UNION
select profile, limit from (
select profile, limit from DBA_PROFILES
where profile <> 'DEFAULT'
and resource_name = 'IDLE_TIME')
where TO_NUMBER(DECODE (limit, 'UNLIMITED', 1000, 'DEFAULT', (SELECT DECODE(limit, 'UNLIMITED', 1000, limit)
 from DBA_PROFILES where resource_name='IDLE_TIME' and profile='DEFAULT'), limit))
> 60

Comment: Combined the queries. De-referenced the DEFAULT value for the limit.

DO3609

Name: System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.

Collection Query:

select 'User '||grantee||' granted '||privilege||' privilege WITH ADMIN OPTION.'
from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS', 'APEX_030200', 'OWBSYS')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA') order by 1

Change to STIG Rule: Added default users and roles.

DO3689

Name: Object permissions granted to PUBLIC should be restricted.

Collection Query:

select privilege||' on '||owner ||'.'|| table_name ||' is granted to PUBLIC.' from dba_tab_privs
where grantee = 'PUBLIC'
and owner not in
('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS',
'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS',
'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS',
'EXFSYS','APEX_030200', 'DBSNMP', 'ORDDATA')

Change to STIG Rule: Added default users and roles.

STIG Installation Checks

Oracle provides scripts for the following STIG installation checks.

DG0009

Name: Access to DBMS software files and directories should not be granted to unauthorized users.

Comment: Script provided by Oracle

DG0012

Name: Database software directories including DBMS configuration files are stored in dedicated directories separate from the host OS and other applications.

Comment: Script provided by Oracle

DG0019

Name: Application software should be owned by a Software Application account.

Comment: Script provided by Oracle

DG0102

Name: DBMS processes or services should run under custom, dedicated OS accounts.

Comment: Script provided by Oracle

DG0152

Name: DBMS network communications should comply with PPS usage restrictions.

Comment: Script provided by Oracle

DG0179

Name: The DBMS warning banner should meet Department of Defense (DoD) policy requirements.

Comment: Script provided by Oracle

DO0120

Name: The Oracle software installation account should not be granted excessive host system privileges.

Comment: Script provided by Oracle

DO0145

Name: OS DBA group membership should be restricted to authorized accounts.

Comment: Script provided by Oracle

DO0286

Name: The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0.

Comment: Script provided by Oracle

DO0287

Name: The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0.

Comment: Script provided by Oracle

DO6740

Name: The Oracle Listener ADMIN_RESTRICTIONS parameter if present should be set to ON.

Comment: Script provided by Oracle

DO6746

Name: The Oracle listener.ora file should specify IP addresses rather than host names to identify hosts.

Comment: Script provided by Oracle

DO6751

Name: The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter should be set to a value of 10 or higher.

Comment: Script provided by Oracle.