1

3
4
5

9
10
11
12
13

14

15

16

17
18

19
20
21
22
23

24
25

26
27
28
29

30
31

32

33

34
35
36

37

38

39
40
41
42

43
44
45
46
47

48
49
50
51
52
53

54
55
56
57
58
59
60

61
62
63
64
65
66
67
68
69

70

71

72
73

74

Rule Title
The DBMS must limit the number of concurrent sessions for each system account to an
organization defined number of sessions.
A DBMS providing remote access capabilities must utilize approved cryptography to protect
the confidentiality and integrity of data passing over remote access sessions.

The DBMS must allow all remote access to be routed through managed access control points.
The DBMS must ensure remote sessions that access an organization defined list of security
functions and security-relevant information are audited.
The DBMS must support the requirement to automatically audit account creation.

The DBMS must support the requirement to automatically audit account modification.

The DBMS must automatically audit account disabling actions.

The DBMS must automatically audit account termination.

The DBMS must support the organizational requirements for automatically monitoring,
auditing, and alerting on abnormal usage of accounts.
The DBMS must enforce organization defined limitations on the embedding of data types
within other data types.
The DBMS must support organizational requirements to implement separation of duties
through assigned information access authorizations.
DBMS processes or services must run under custom, dedicated OS accounts.
The DBMS must restrict grants to sensitive information to authorized user roles.

The DBMS must be protected from unauthorized access by developers.

The DBMS must restrict access to system tables and other configuration information or
metadata to DBAs or other authorized users.

Administrators must utilize a separate, distinct administrative account when performing

administrative activities, accessing database security functions, or accessing securityrelevant information.
Non-privileged accounts must be utilized when accessing non-administrative functions.
The DBA role must not be assigned excessive or unauthorized privileges.

OS accounts utilized to run external procedures called by the DBMS must have limited
privileges.
DBA OS accounts must be granted only those host system privileges necessary for the
administration of the DBMS.
DBMS default account names must be changed if allowed.
The DBMS must specify account lockout duration that is greater than or equal to the
organization approved minimum.
The DBMS must have the capability to limit the number of failed login attempts based upon
an organization defined number of consecutive invalid attempts occurring within an
organization defined time period.
The DBMS must enforce the organization defined time period during which the limit of
consecutive failed login attempts by a user is counted.
The DBMS, when the maximum numbers of unsuccessful attempts is exceeded, must
automatically lock the account/node for an organization defined time period or lock the
account/node until released by an administrator IAW organizational policy.
The DBMS must have allocated audit record storage capacity, and its auditing configured to
reduce the likelihood of storage capacity being exceeded.
The DBMS must provide audit record generation capability for organization defined auditable
events within the database.
The DBMS must allow designated organizational personnel to select which auditable events
are to be audited by the database.
The DBMS must generate audit records for the selected list of auditable events.

The DBMS must initiate session auditing upon startup of the database.

The DBMS must provide the capability to capture, record, and log all content related to a user
session.

The DBMS must produce audit records containing sufficient information to establish details of
the event (type of events, when, where, origin, outcome,identity of implicated user)
The DBMS must be capable of taking organization defined actions upon audit failure or a
component failure is detected (e.g., overwrite oldest audit records, stop generating audit
records, cease processing, notify of audit failure).

The DBMS must provide the capability to automatically process audit records for events of
interest based upon selectable event criteria.
Attempts to bypass access controls must be audited.
The DBMS must synchronize with internal operating system clocks which in turn, are
synchronized on an organization defined frequency with an organization defined authoritative
time source.
The DBMS must protect audit information and audit tools from any type of unauthorized
access, modification, or deletion.

The DBMS must support the requirement to back up audit data and records onto a different
system or media than the system being audited on an organization defined frequency.
Database software directories, including DBMS configuration files, must be stored in
dedicated directories, separate from the host OS and other applications.
Vendor supported software must be evaluated and patched against newly found
vulnerabilities.
The OS must limit privileges to change the DBMS software resident within software libraries
(including privileged programs).
The DBMS must enforce requirements for remote connections to the information system.

Default demonstration and sample databases, database objects, and applications must be
removed.
Unused database components, DBMS software, and database objects must be removed.

Unused database components which are integrated in the DBMS and cannot be uninstalled
must be disabled.
Access to external executables must be disabled or restricted.
The DBMS must support the organizational requirements to specifically prohibit or restrict the
use of unauthorized/non-secure functions, ports, protocols, and/or services.
Recovery procedures and technical system features must exist to ensure recovery is done in
a secure and verifiable manner.
The DBMS must be capable of backing up user-level information per a defined frequency.
Database backup procedures must be defined, documented, and implemented.
Database recovery procedures must be developed, documented, implemented, and
periodically tested.
DBMS backup and restoration files must be protected from unauthorized access.
DBMS must conduct backups of system-level information per organization defined frequency
that is consistent with recovery time and recovery point objectives.

The DBMS software libraries must be periodically backed up.

The DBMS must use multifactor authentication for remote network access (originating
outside) to privileged/non-privilged accounts.
The DBMS must use organization defined replay-resistant authentication mechanisms for
network access to privileged/non-privileged accounts.
The DBMS must support organizational requirements to disable user accounts after an
organization defined time period of inactivity.
The DBMS must support organizational requirements to enforce minimum password length.
The DBMS must support organizational requirements to prohibit password reuse for the
organization defined number of generations.
The DBMS must support organizational requirements to enforce password complexity by the
number of upper case, lower case, numeric, and special characters used.
The DBMS must support organizational requirements to enforce the number of characters
that get changed when passwords are changed.
The DBMS must support organizational requirements to enforce password encryption for
storage and transmission.
The DBMS must enforce password minimum lifetime restrictions.
DBMS default accounts must be assigned custom passwords.

DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or
compiled, encoded, or encrypted application source code.
The DBMS must enforce password maximum lifetime restrictions.
The DBMS must use approved cryptography for authentication mechanisms.
The DBMS must support organizational requirements to encrypt information stored in the
database.
The DBMS must terminate the network connection associated with a communications session
at the end of the session or after an organization defined time period of inactivity.

The DBMS must protect against or limit the effects of the organization defined types of Denia
of Service (DoS) attacks.

The DBMS must only generate error messages that provide information necessary for
corrective actions without revealing organization defined sensitive or potentially harmful
information in error logs and administrative messages that could be exploited.
The DBMS must restrict error messages, so only authorized personnel may view them.
The DBMS must support organizational requirements to employ automated patch
management tools to facilitate flaw remediation to organization defined information system
components.

The DBMS must notify appropriate individuals when accounts are

created/modified/disabled/terminated.

DISA Reference
SRG-APP-000001-DB-000031

CIS benchmark Oracle 11g

3.9

SRG-APP-000014-DB-000036

SRG-APP-000017-DB-000037
SRG-APP-000019-DB-000197
SRG-APP-000026-DB-000005

5.2
5.7
5.18
5.19
5.22
5.24

SRG-APP-000027-DB-000186

5.3
5.8
5.20
5.25
5.28

SRG-APP-000028-DB-000187

5.4
5.9
5.21
5.23
5.26

SRG-APP-000029-DB-000188

5.4
5.9
5.21
5.23
5.26

SRG-APP-000030-DB-000173
SRG-APP-000057-DB-000127
SRG-APP-000062-DB-000009
SRG-APP-000062-DB-000010
SRG-APP-000062-DB-000011

SRG-APP-000062-DB-000014

4.3.9
4.3.10
4.3.11

SRG-APP-000062-DB-000016

2.7
2.8
2.13
2.20

SRG-APP-000063-DB-000017

SRG-APP-000063-DB-000018
SRG-APP-000063-DB-000019

2.19
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10

SRG-APP-000063-DB-000020
SRG-APP-000063-DB-000021
SRG-APP-000063-DB-000023
SRG-APP-000065-DB-000024
SRG-APP-000065-DB-000025

3.2
3.6
3.1

SRG-APP-000066-DB-000195

2.15

SRG-APP-000067-DB-000026

3.1

SRG-APP-000071-DB-000047
SRG-APP-000089-DB-000064
SRG-APP-000090-DB-000065
SRG-APP-000091-DB-000066

SRG-APP-000092-DB-000208

5.1

SRG-APP-000093-DB-000052

2.3
2.4
5.1
5.2
5.3
5.4
5.5
5.6
5.7
5.8
5.9
5.10
5.11
5.12
5.13
5.14
5.15
5.16
5.17
5.18
5.19
5.20
5.21
5.22
5.23
5.24
5.25
5.26
5.27

SRG-APP-000095-DB-000039

SRG-APP-000109-DB-000049

SRG-APP-000115-DB-000055
SRG-APP-000115-DB-000056
SRG-APP-000117-DB-000058

SRG-APP-000118-DB-000059

SRG-APP-000125-DB-000170

SRG-APP-000133-DB-000199
SRG-APP-000133-DB-000205
SRG-APP-000133-DB-000207
SRG-APP-000140-DB-000033

2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.9
2.10
2.11
2.12
2.16
2.17
2.5
2.6
3.7

SRG-APP-000141-DB-000090

1.2

SRG-APP-000141-DB-000091
SRG-APP-000141-DB-000092
SRG-APP-000141-DB-000093
SRG-APP-000142-DB-000094

SRG-APP-000144-DB-000101
SRG-APP-000145-DB-000095
SRG-APP-000145-DB-000096
SRG-APP-000145-DB-000097
SRG-APP-000145-DB-000098
SRG-APP-000146-DB-000099

SRG-APP-000146-DB-000100
SRG-APP-000149-DB-000104
SRG-APP-000156-DB-000111
SRG-APP-000163-DB-000113
SRG-APP-000164-DB-000082

3.8

SRG-APP-000165-DB-000081

3.4
3.5
2.14
3.8

SRG-APP-000166-DB-000070

SRG-APP-000170-DB-000073

3.8

SRG-APP-000171-DB-000074
SRG-APP-000173-DB-000076
SRG-APP-000174-DB-000078

3.3
1.1

SRG-APP-000174-DB-000079
SRG-APP-000174-DB-000080

3.3

SRG-APP-000179-DB-000114
SRG-APP-000188-DB-000121
SRG-APP-000190-DB-000137

SRG-APP-000245-DB-000132

2.15
2.16
3.9
4.1.17

SRG-APP-000266-DB-000162

2.18

SRG-APP-000267-DB-000163

2.18

SRG-APP-000271-DB-000156

1.3

SRG-APP-000292-DB-000138

5.2
5.3
5.4