
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Oracle Database 19c Security Technical Implementation Guide

Version

V1R5

Benchmark ID

Oracle_Database_19c_STIG

Total Checks

96

Tags

database
CAT I: 15, CAT II: 80, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (96)

  • V-270495 (MEDIUM): Oracle Database must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
  • V-270496 (MEDIUM): Oracle Database must protect against or limit the effects of organization-defined types of denial-of-service (DoS) attacks.
  • V-270497 (MEDIUM): Oracle Database must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
  • V-270498 (MEDIUM): Oracle Database must associate organization-defined types of security labels having organization-defined security label values with information in storage.
  • V-270499 (HIGH): Oracle Database must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
  • V-270500 (HIGH): Oracle Database must enforce approved authorizations for logical access to the system in accordance with applicable policy.
  • V-270501 (LOW): Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action.
  • V-270502 (MEDIUM): Oracle Database must provide audit record generation capability for organization-defined auditable events within the database.
  • V-270503 (MEDIUM): Oracle Database must allow designated organizational personnel to select which auditable events are to be audited by the database.
  • V-270504 (MEDIUM): Oracle Database must generate audit records for the DOD-selected list of auditable events, when successfully accessed, added, modified, or deleted, to the extent such information is available.
  • V-270505 (MEDIUM): Oracle Database must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
  • V-270506 (MEDIUM): Oracle Database must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-270507 (MEDIUM): Oracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.
  • V-270508 (MEDIUM): The Oracle Database, or the logging or alerting mechanism the application uses, must provide a warning when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.
  • V-270509 (MEDIUM): Oracle Database must provide an immediate real-time alert to appropriate support staff of all audit log failures.
  • V-270510 (MEDIUM): The audit information produced by the Oracle Database must be protected from unauthorized access, modification, or deletion.
  • V-270511 (MEDIUM): The system must protect audit tools from unauthorized access, modification, or deletion.
  • V-270512 (MEDIUM): Oracle Database must support enforcement of logical access restrictions associated with changes to the database management system (DBMS) configuration and to the database itself.
  • V-270513 (HIGH): Oracle Database products must be a version supported by the vendor.
  • V-270514 (MEDIUM): Database software, applications, and configuration files must be monitored to discover unauthorized changes.
  • V-270515 (MEDIUM): The OS must limit privileges to change the database management system (DBMS) software resident within software libraries (including privileged programs).
  • V-270516 (HIGH): The Oracle Database software installation account must be restricted to authorized users.
  • V-270517 (MEDIUM): Database software directories, including database management system (DBMS) configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
  • V-270518 (MEDIUM): Database objects must be owned by accounts authorized for ownership.
  • V-270519 (MEDIUM): The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users.
  • V-270520 (MEDIUM): Oracle Database must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
  • V-270521 (MEDIUM): Oracle instance names must not contain Oracle version numbers.
  • V-270522 (MEDIUM): Fixed user and PUBLIC Database links must be authorized for use.
  • V-270523 (MEDIUM): The Oracle WITH GRANT OPTION privilege must be limited when granted to nondatabase administrator (DBA) or nonapplication administrator user accounts.
  • V-270524 (MEDIUM): The Oracle REMOTE_OS_ROLES parameter must be set to FALSE.
  • V-270525 (MEDIUM): The Oracle SQL92_SECURITY parameter must be set to TRUE.
  • V-270526 (MEDIUM): The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
  • V-270527 (MEDIUM): System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.
  • V-270528 (MEDIUM): System Privileges must not be granted to PUBLIC.
  • V-270529 (MEDIUM): Oracle roles granted using the WITH ADMIN OPTION must not be granted to unauthorized accounts.
  • V-270530 (MEDIUM): Object permissions granted to PUBLIC must be restricted.
  • V-270531 (HIGH): The Oracle Listener must be configured to require administration authentication.
  • V-270532 (MEDIUM): Application role permissions must not be assigned to the Oracle PUBLIC role.
  • V-270533 (MEDIUM): Oracle application administration roles must be disabled if not required and authorized.
  • V-270534 (MEDIUM): The directories assigned to the LOG_ARCHIVE_DEST* parameters must be protected from unauthorized access.
  • V-270535 (MEDIUM): The Oracle _TRACE_FILES_PUBLIC parameter if present must be set to FALSE.
  • V-270536 (MEDIUM): Oracle Database production application and data directories must be protected from developers on shared production/development database management system (DBMS) host systems.
  • V-270537 (MEDIUM): Use of the Oracle Database installation account must be logged.
  • V-270538 (MEDIUM): The Oracle Database data files, transaction logs and audit files must be stored in dedicated directories or disk partitions separate from software or other application files.
  • V-270539 (MEDIUM): Network access to Oracle Database must be restricted to authorized personnel.
  • V-270540 (MEDIUM): Changes to configuration options must be audited.
  • V-270541 (MEDIUM): The /diag subdirectory under the directory assigned to the DIAGNOSTIC_DEST parameter must be protected from unauthorized access.
  • V-270542 (MEDIUM): Remote administration must be disabled for the Oracle connection manager.
  • V-270543 (MEDIUM): Network client connections must be restricted to supported versions.
  • V-270544 (HIGH): Database administrator (DBA) OS accounts must be granted only those host system privileges necessary for the administration of the Oracle Database.
  • V-270545 (HIGH): Oracle Database default accounts must be assigned custom passwords.
  • V-270546 (MEDIUM): Oracle Database must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
  • V-270547 (MEDIUM): Oracle Database must provide a mechanism to automatically remove or disable temporary user accounts after 72 hours.
  • V-270548 (MEDIUM): Oracle Database must be protected from unauthorized access by developers on shared production/development host systems.
  • V-270549 (MEDIUM): Oracle Database must verify account lockouts persist until reset by an administrator.
  • V-270550 (MEDIUM): Oracle Database must set the maximum number of consecutive invalid logon attempts to three.
  • V-270551 (MEDIUM): Oracle Database must disable user accounts after 35 days of inactivity.
  • V-270552 (MEDIUM): Oracle Database default demonstration and sample databases, database objects, and applications must be removed.
  • V-270553 (MEDIUM): Unused database components, database management system (DBMS) software, and database objects must be removed.
  • V-270554 (MEDIUM): Unused database components that are integrated in the database management system (DBMS) and cannot be uninstalled must be disabled.
  • V-270555 (MEDIUM): OS accounts used to run external procedures called by Oracle Database must have limited privileges.
  • V-270556 (MEDIUM): Use of external executables must be authorized.
  • V-270557 (MEDIUM): Access to external executables must be disabled or restricted.
  • V-270558 (MEDIUM): Oracle Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.
  • V-270559 (MEDIUM): Oracle Database must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
  • V-270560 (MEDIUM): Oracle Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-270561 (MEDIUM): Oracle Database must enforce the DOD standards for password complexity.
  • V-270562 (MEDIUM): Procedures for establishing temporary passwords that meet DOD password requirements for new accounts must be defined, documented, and implemented.
  • V-270563 (MEDIUM): Oracle Database must enforce password maximum lifetime restrictions.
  • V-270564 (HIGH): Oracle Database must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
  • V-270565 (MEDIUM): If passwords are used for authentication, the Oracle Database must transmit only encrypted representations of passwords.
  • V-270566 (HIGH): Oracle Database, when using public key infrastructure (PKI)-based authentication, must enforce authorized access to the corresponding private key.
  • V-270567 (MEDIUM): Oracle Database must map the authenticated identity to the user account using public key infrastructure (PKI)-based authentication.
  • V-270568 (HIGH): When using command-line tools such as Oracle SQL*Plus, which can accept a plain-text password, users must use an alternative logon method that does not expose the password.
  • V-270569 (HIGH): Oracle Database must use NIST-validated FIPS 140-2/140-3 compliant cryptography for authentication mechanisms.
  • V-270570 (MEDIUM): Oracle Database must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
  • V-270571 (HIGH): Oracle Database must implement NIST FIPS 140-2/140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owner's requirements.
  • V-270572 (MEDIUM): Oracle Database must separate user functionality (including user interface services) from database management functionality.
  • V-270573 (MEDIUM): Oracle Database must preserve any organization-defined system state information in the event of a system failure.
  • V-270574 (HIGH): Oracle Database must take steps to protect data at rest and ensure confidentiality and integrity of application data.
  • V-270575 (MEDIUM): Oracle Database must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
  • V-270576 (MEDIUM): Oracle Database must isolate security functions from nonsecurity functions by means of separate security domains.
  • V-270577 (MEDIUM): Oracle Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
  • V-270578 (MEDIUM): Access to Oracle Database files must be limited to relevant processes and to authorized, administrative users.
  • V-270579 (HIGH): Oracle Database must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
  • V-270580 (MEDIUM): Oracle Database must check the validity of data inputs.
  • V-270581 (MEDIUM): The database management system (DBMS) and associated applications must reserve the use of dynamic code execution for situations that require it.
  • V-270582 (MEDIUM): The database management system (DBMS) and associated applications, when making use of dynamic code execution, must take steps against invalid values that may be used in a SQL injection attack, therefore resulting in steps to prevent a SQL injection attack.
  • V-270583 (MEDIUM): Oracle Database must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
  • V-270584 (MEDIUM): Oracle Database must restrict error messages so only authorized personnel may view them.
  • V-270585 (HIGH): Oracle Database software must be evaluated and patched against newly found vulnerabilities.
  • V-270587 (MEDIUM): Oracle Database must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5 (1) (a).
  • V-270588 (MEDIUM): Oracle Database must, for password-based authentication, require immediate selection of a new password upon account recovery.
  • V-270589 (MEDIUM): Oracle Database must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  • V-275999 (MEDIUM): A minimum of three Oracle Control Files must be created and each stored on a separate physical and logical device.
  • V-276000 (MEDIUM): A minimum of three Oracle redo log groups/files must be defined and configured to be stored on separate, archived physical disks or archived directories on a RAID device. In addition, each Oracle redo log group must have a minimum of two Oracle redo log members (files).