PCI Map to DB Sec Policies_1st Draft


Description: PCI to DISA to CIS

Page 1: PCI Map to DB Sec Policies_1st Draft


Where database security controls live

Confidentiality – a DBMS may provide encryption for stored data and for data in transit.

Audit – a DBMS may provide audit logging of privileged operations and of data changes.

The host operating system – provides protection of the database files and their configuration data.

The network – provides protections via network devices and applications.

Authentication – a DBMS may provide its own authentication mechanism, or use the host operating system or another external authentication system such as a directory service, to identify and authenticate users.

Authorization – the DBMS provides three types: 1) privileges that protect data and object definitions; 2) privileges that control access to the data stored within database objects; and 3) privileges to administer database configuration and operational behavior.

Integrity – a DBMS may provide data validation mechanisms, data relationship (referential) integrity, transaction logging and rollback, and locking mechanisms to control concurrent update requests against the same data.

Backup and Recovery – a DBMS may provide backup and recovery features to mitigate losses from hardware or software failure.

Replication – part or all of the database data objects may be copied and maintained in a separate remote database.

Federated or distributed databases – these provide access to data stored in remote databases to local database users and applications.

Database clustering – clustering provides high availability by giving instant access to duplicate databases if access to a primary database fails.

The application – provides access to the data. If the application does not contribute to the security model, it can provide fully privileged, unaudited access to the database and to the data it connects to.

Web and/or application servers – provide the security framework for all hosted web applications and may control access to other served applications.

PCI Req. # / Sub # / App'x # – PCI Requirement

2.1 – Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, simple network management protocol (SNMP) community strings, etc.

2.2 – Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)

2.2.4 – Configure system security parameters to prevent misuse.

2.2.5 – Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

2.3 – Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

2.6 – Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers".

A.1.1 – Ensure that each entity only runs processes that have access to that entity's cardholder data environment.

A.1.2 – Restrict each entity's access and privileges to its own cardholder data environment only.

A.1.3 – Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.

A.1.4 – Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

3.3 – Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example legal or payment card brand requirements for point-of-sale (POS) receipts.

3.4 – Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

3.5 – Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.
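The note under 3.4 is worth seeing in code. The following Python is added here as an example; it is not part of the mapping document or of the PCI DSS text. It shows why a truncated PAN (first six, last four) and an unkeyed hash of the same PAN together give away the full PAN: only six digits are hidden, the visible Luhn check digit fixes one of them, so about 10^5 hash computations enumerate every candidate. The same search fails against an HMAC whose key the attacker does not hold, which is one shape the "additional controls" in the note can take. The PAN (the well-known 4111... test number), the choice of SHA-256 and the HMAC keys are constructed for the demonstration.

```python
"""PCI DSS 3.4 note, worked through: a truncated PAN (first six and last four
digits) plus an unkeyed hash of the full PAN is enough to recover the PAN.

Added example for this mapping document; not code from PCI SSC, DISA or CIS.
The PAN is the well-known 4111... test number, the hash is SHA-256, and the
HMAC keys are made up for the demonstration.
"""
import hashlib
import hmac
import itertools

SAMPLE_PAN = "4111111111111111"   # constructed: Visa test PAN, Luhn-valid
MASKED_PAN = "411111******1111"   # the most PCI 3.3 allows to be displayed


def luhn_contrib(digit, doubled):
    """Contribution of one digit to the Luhn sum (doubled digits wrap at 9)."""
    n = digit * 2 if doubled else digit
    return n - 9 if n > 9 else n


def luhn_valid(pan):
    """True when the PAN passes the Luhn check (check digit is the rightmost)."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        total += luhn_contrib(int(ch), pos % 2 == 1)
    return total % 10 == 0


def candidate_pans(masked):
    """Yield every Luhn-valid PAN consistent with a masked PAN such as
    '411111******1111'.  Because the check digit is visible, one hidden digit
    is determined by the others, so six stars give 10**5 candidates, not
    10**6, and every candidate is Luhn-valid by construction."""
    n = len(masked)
    digits = [int(ch) if ch != "*" else 0 for ch in masked]
    hidden = [i for i, ch in enumerate(masked) if ch == "*"]
    if not hidden:
        if luhn_valid(masked):
            yield masked
        return
    # Luhn doubles every second digit counting from the right (check digit = 0).
    doubled = [(n - 1 - i) % 2 == 1 for i in range(n)]
    free, solved = hidden[:-1], hidden[-1]
    # Doubling is a bijection on 0..9, so each needed residue has exactly one digit.
    inverse = {luhn_contrib(d, doubled[solved]): d for d in range(10)}
    fixed = sum(luhn_contrib(digits[i], doubled[i]) for i in range(n) if i not in hidden)
    for combo in itertools.product(range(10), repeat=len(free)):
        total = fixed
        for i, d in zip(free, combo):
            digits[i] = d
            total += luhn_contrib(d, doubled[i])
        digits[solved] = inverse[(-total) % 10]
        yield "".join(map(str, digits))


def sha256_hex(pan):
    """Unkeyed hash: anyone holding the masked PAN can recompute the candidates."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(key):
    """HMAC-SHA256 under a secret key: candidates cannot be computed without it."""
    return lambda pan: hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def reconstruct(masked, target, hash_fn):
    """Return the candidate PAN whose hash_fn value equals target, or None."""
    for pan in candidate_pans(masked):
        if hmac.compare_digest(hash_fn(pan), target):
            return pan
    return None


if __name__ == "__main__":
    stored_hash = sha256_hex(SAMPLE_PAN)
    print("unkeyed SHA-256 :", reconstruct(MASKED_PAN, stored_hash, sha256_hex))
    stored_hmac = keyed_hash(b"kms-held-secret")(SAMPLE_PAN)   # constructed key
    print("HMAC, key unknown:", reconstruct(MASKED_PAN, stored_hmac, keyed_hash(b"attacker-guess")))
```

Run as a script, the unkeyed search returns the PAN in well under a second and the keyed search returns None. A keyed hash only helps when the key is managed under 3.5 and 3.6 rather than stored beside the hashes; if the attacker can read the key along with the truncated and hashed columns, the correlation is just as trivial.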

3.5.1 – Restrict access to cryptographic keys to the fewest number of custodians necessary.

3.5.2 – Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware security module (HSM) or PTS-approved point of interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.

3.6 (sub-requirements 3.6.1 to 3.6.4):
3.6.1 Generation of strong cryptographic keys
3.6.2 Secure cryptographic key distribution
3.6.3 Secure cryptographic key storage
3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

6.1 – Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
Note: Risk rankings should be based on industry best practices as well as consideration of potential impact.

6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing all vendor-supplied security patches. Install critical security patches within one month of release.

6.4 / 6.4.1 – Separate development/test environments from production environments, and enforce the separation with access controls.

6.4.3 – Production data (live PANs) are not used for testing or development.

6.4.5 – Change control procedures for the implementation of security patches and software modifications must include the following:
6.4.5.1 Documentation of impact
6.4.5.2 Documented change approval by authorized parties
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system
6.4.5.4 Back-out procedures

6.5 – Address common coding vulnerabilities in software-development processes as follows:
• Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
• Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

6.5.1 – Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws.

6.5.3 – Insecure cryptographic storage.

6.5.4 – Insecure communications.

7.1 / 7.1.1 – Define access needs for each role, including:
• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.

7.1.2 – Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities.

7.1.3 – Assign access based on individual personnel's job classification and function.

7.2 – Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
7.2.1 Coverage of all system components
7.2.2 Assignment of privileges to individuals based on job classification and function
7.2.3 Default "deny-all" setting

8.1 – Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

8.1.1 – Assign all users a unique ID before allowing them to access system components or cardholder data.

8.1.2 – Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

8.1.3 – Immediately revoke access for any terminated users.

8.1.4 – Remove/disable inactive user accounts at least every 90 days.

8.1.5 – Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.

8.1.6 – Limit repeated access attempts by locking out the user ID after not more than six attempts.

8.1.7 – Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

8.1.8 – If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal session.

8.2 – In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric

8.2.1 – Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

8.2.3 – Passwords/phrases must meet the following:
• Require a minimum length of at least seven characters
• Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

8.2.4 – Change user passwords/passphrases at least every 90 days.

8.2.5 – Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

8.3 – Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include Remote Authentication Dial-In User Service (RADIUS) with tokens; Terminal Access Controller Access Control System (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

8.5 – Do not use group, shared, or generic IDs, passwords, or other authentication methods, as follows:
• Generic user IDs are disabled or removed.
• Shared user IDs do not exist for system administration and other critical functions.
• Shared and generic user IDs are not used to administer any system components.

8.7 – All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators have the ability to directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

10.1 – Implement audit trails to link all access to system components to each individual user.

10.2 – Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.7 Creation and deletion of system-level objects

10.3 – Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource

10.5 – Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

10.6 – Review logs and security events for all system components to identify anomalies or suspicious activity.
Note: Log harvesting, parsing, and alerting tools may be used to meet this requirement.

10.7 – Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

DISA Equivalent (SRG IDs grouped by PCI requirement; the PCI 2.1, 2.2 and 2.3 groups match the per-SRG PCI column in the DISA Reference table below)

PCI 2.1 – SRG-APP-000063-DB-000023, SRG-APP-000141-DB-000090, SRG-APP-000174-DB-000078

PCI 2.2 – SRG-APP-000001-DB-000031, SRG-APP-000026-DB-000005, SRG-APP-000027-DB-000186, SRG-APP-000028-DB-000187, SRG-APP-000029-DB-000188, SRG-APP-000062-DB-000011, SRG-APP-000062-DB-000016, SRG-APP-000063-DB-000019, SRG-APP-000065-DB-000024, SRG-APP-000065-DB-000025, SRG-APP-000066-DB-000195, SRG-APP-000067-DB-000026, SRG-APP-000092-DB-000208, SRG-APP-000093-DB-000052, SRG-APP-000140-DB-000033, SRG-APP-000141-DB-000090, SRG-APP-000164-DB-000082, SRG-APP-000165-DB-000081, SRG-APP-000166-DB-000070, SRG-APP-000170-DB-000073, SRG-APP-000174-DB-000078, SRG-APP-000174-DB-000080, SRG-APP-000245-DB-000132, SRG-APP-000266-DB-000162, SRG-APP-000267-DB-000163, SRG-APP-000271-DB-000156, SRG-APP-000292-DB-000138

PCI 2.3 – SRG-APP-000014-DB-000036, SRG-APP-000171-DB-000074, SRG-APP-000174-DB-000079, SRG-APP-000179-DB-000114, SRG-APP-000188-DB-000121

Further groups (the PCI row they belong to is not preserved in this export):

SRG-APP-000062-DB-000011, SRG-APP-000063-DB-000018, SRG-APP-000063-DB-000019, SRG-APP-000063-DB-000020, SRG-APP-000063-DB-000021, SRG-APP-000133-DB-000207, SRG-APP-000149-DB-000104, SRG-APP-000156-DB-000111

SRG-APP-000019-DB-000197, SRG-APP-000026-DB-000005, SRG-APP-000027-DB-000186, SRG-APP-000028-DB-000187, SRG-APP-000029-DB-000188, SRG-APP-000030-DB-000173, SRG-APP-000071-DB-000047

No. – Rule Title (DISA Database SRG rules, in the order of the DISA Reference table below)

1 – The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.
2 – A DBMS providing remote access capabilities must utilize approved cryptography to protect the confidentiality and integrity of data passing over remote access sessions.
3 – The DBMS must allow all remote access to be routed through managed access control points.
4 – The DBMS must ensure remote sessions that access an organization-defined list of security functions and security-relevant information are audited.
5 – The DBMS must support the requirement to automatically audit account creation.
6 – The DBMS must support the requirement to automatically audit account modification.
7 – The DBMS must automatically audit account disabling actions.
8 – The DBMS must automatically audit account termination.
9 – The DBMS must support the organizational requirements for automatically monitoring, auditing, and alerting on abnormal usage of accounts.
10 – The DBMS must enforce organization-defined limitations on the embedding of data types within other data types.
11 – The DBMS must support organizational requirements to implement separation of duties through assigned information access authorizations.
12 – DBMS processes or services must run under custom, dedicated OS accounts.
13 – The DBMS must restrict grants to sensitive information to authorized user roles.
14 – The DBMS must be protected from unauthorized access by developers.
15 – The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
16 – Administrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
17 – Non-privileged accounts must be utilized when accessing non-administrative functions.
18 – The DBA role must not be assigned excessive or unauthorized privileges.
19 – OS accounts utilized to run external procedures called by the DBMS must have limited privileges.
20 – DBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
21 – DBMS default account names must be changed if allowed.
22 – The DBMS must specify an account lockout duration that is greater than or equal to the organization-approved minimum.
23 – The DBMS must have the capability to limit the number of failed login attempts based upon an organization-defined number of consecutive invalid attempts occurring within an organization-defined time period.
24 – The DBMS must enforce the organization-defined time period during which the limit of consecutive failed login attempts by a user is counted.
25 – The DBMS, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization-defined time period or lock the account/node until released by an administrator in accordance with organizational policy.
26 – The DBMS must have allocated audit record storage capacity, and its auditing configured to reduce the likelihood of storage capacity being exceeded.
27 – The DBMS must provide audit record generation capability for organization-defined auditable events within the database.
28 – The DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
29 – The DBMS must generate audit records for the selected list of auditable events.
30 – The DBMS must initiate session auditing upon startup of the database.
31 – The DBMS must provide the capability to capture, record, and log all content related to a user session.
32 – The DBMS must produce audit records containing sufficient information to establish details of the event (type of event, when, where, origin, outcome, identity of the implicated user).
33 – The DBMS must be capable of taking organization-defined actions upon audit failure or when a component failure is detected (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure).
34 – The DBMS must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
35 – Attempts to bypass access controls must be audited.
36 – The DBMS must synchronize with internal operating system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
37 – The DBMS must protect audit information and audit tools from any type of unauthorized access, modification, or deletion.
38 – The DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited, on an organization-defined frequency.
39 – Database software directories, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
40 – Vendor-supported software must be evaluated and patched against newly found vulnerabilities.
41 – The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
42 – The DBMS must enforce requirements for remote connections to the information system.
43 – Default demonstration and sample databases, database objects, and applications must be removed.
44 – Unused database components, DBMS software, and database objects must be removed.
45 – Unused database components which are integrated in the DBMS and cannot be uninstalled must be disabled.
46 – Access to external executables must be disabled or restricted.
47 – The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized/non-secure functions, ports, protocols, and/or services.
48 – Recovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner.
49 – The DBMS must be capable of backing up user-level information per a defined frequency.
50 – Database backup procedures must be defined, documented, and implemented.
51 – Database recovery procedures must be developed, documented, implemented, and periodically tested.
52 – DBMS backup and restoration files must be protected from unauthorized access.
53 – The DBMS must conduct backups of system-level information per an organization-defined frequency that is consistent with recovery time and recovery point objectives.
54 – The DBMS software libraries must be periodically backed up.
55 – The DBMS must use multifactor authentication for remote network access (originating outside) to privileged/non-privileged accounts.
56 – The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to privileged/non-privileged accounts.
57 – The DBMS must support organizational requirements to disable user accounts after an organization-defined time period of inactivity.
58 – The DBMS must support organizational requirements to enforce minimum password length.
59 – The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.
60 – The DBMS must support organizational requirements to enforce password complexity by the number of upper case, lower case, numeric, and special characters used.
61 – The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
62 – The DBMS must support organizational requirements to enforce password encryption for storage and transmission.
63 – The DBMS must enforce password minimum lifetime restrictions.
64 – DBMS default accounts must be assigned custom passwords.
65 – DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
66 – The DBMS must enforce password maximum lifetime restrictions.
67 – The DBMS must use approved cryptography for authentication mechanisms.
68 – The DBMS must support organizational requirements to encrypt information stored in the database.
69 – The DBMS must terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
70 – The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.
71 – The DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
72 – The DBMS must restrict error messages, so only authorized personnel may view them.
73 – The DBMS must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization-defined information system components.
74 – The DBMS must notify appropriate individuals when accounts are created/modified/disabled/terminated.

DISA Reference | PCI equivalent | CIS benchmark Oracle 11g

SRG-APP-000001-DB-000031 | PCI 2.2 | CIS 3.9
SRG-APP-000014-DB-000036 | PCI 2.3 | -
SRG-APP-000017-DB-000037 | - | -
SRG-APP-000019-DB-000197 | - | -
SRG-APP-000026-DB-000005 | - | -
SRG-APP-000027-DB-000186 | - | -
SRG-APP-000028-DB-000187 | - | -
SRG-APP-000029-DB-000188 | - | -
SRG-APP-000030-DB-000173 | - | -
SRG-APP-000057-DB-000127 | - | -
SRG-APP-000062-DB-000009 | - | -
SRG-APP-000062-DB-000010 | - | -
SRG-APP-000062-DB-000011 | - | -
SRG-APP-000062-DB-000014 | - | -
Further PCI / CIS cells for the rows above, in export order (row alignment not preserved):
2.6 - A.1.3, 2.6 - A.1.4
2.2, 2.6 - A.1.3, 2.6 - A.1.4
5.2, 5.7
5.18, 5.19, 5.22, 5.24
2.2, 2.6 - A.1.3, 2.6 - A.1.4
5.3, 5.8
5.20, 5.25, 5.28
2.2, 2.6 - A.1.3, 2.6 - A.1.4
5.4, 5.9
5.21, 5.23, 5.26
2.2, 2.6 - A.1.3, 2.6 - A.1.4
5.4, 5.9
5.21, 5.23, 5.26
2.6 - A.1.3, 2.6 - A.1.4
2.2, 2.6 - A.1.1, 2.6 - A.1.2
4.3.9, 4.3.10, 4.3.11

SRG-APP-000062-DB-000016 | PCI 2.2 | -
SRG-APP-000063-DB-000017 | - | -
SRG-APP-000063-DB-000018 | - | -
SRG-APP-000063-DB-000019 | - | -
SRG-APP-000063-DB-000020 | - | -
SRG-APP-000063-DB-000021 | - | -
SRG-APP-000063-DB-000023 | PCI 2.1 | -
SRG-APP-000065-DB-000024 | PCI 2.2 | -
SRG-APP-000065-DB-000025 | PCI 2.2 | CIS 3.1
SRG-APP-000066-DB-000195 | PCI 2.2 | CIS 2.15
SRG-APP-000067-DB-000026 | PCI 2.2 | CIS 3.1
SRG-APP-000071-DB-000047 | - | -
SRG-APP-000089-DB-000064 | - | -
SRG-APP-000090-DB-000065 | - | -
SRG-APP-000091-DB-000066 | - | -
Further PCI / CIS cells for the rows above, in export order (row alignment not preserved):
2.7, 2.8
2.13, 2.20
2.6 - A.1.1, 2.6 - A.1.2
2.2, 2.6 - A.1.1, 2.6 - A.1.2
2.19, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
4.10
2.6 - A.1.1, 2.6 - A.1.2
2.6 - A.1.1, 2.6 - A.1.2
3.2, 3.6
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4

SRG-APP-000092-DB-000208 | - | CIS 5.1
SRG-APP-000093-DB-000052 | - | -
SRG-APP-000095-DB-000039 | - | -
SRG-APP-000109-DB-000049 | - | -
SRG-APP-000115-DB-000055 | - | -
SRG-APP-000115-DB-000056 | - | -
SRG-APP-000117-DB-000058 | - | -
Further PCI / CIS cells for the rows above, in export order (row alignment not preserved):
2.2, 2.6 - A.1.3, 2.6 - A.1.4
2.2, 2.6 - A.1.3, 2.6 - A.1.4
2.3, 2.4, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9
5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.24, 5.25, 5.26, 5.27, 5.28
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4
2.6 - A.1.3, 2.6 - A.1.4

SRG-APP-000118-DB-000059 | - | -
SRG-APP-000125-DB-000170 | - | -
SRG-APP-000133-DB-000199 | - | -
SRG-APP-000133-DB-000205 | - | -
SRG-APP-000133-DB-000207 | - | -
SRG-APP-000140-DB-000033 | PCI 2.2 | -
SRG-APP-000141-DB-000090 | - | CIS 1.2
SRG-APP-000141-DB-000091 | - | -
SRG-APP-000141-DB-000092 | - | -
SRG-APP-000141-DB-000093 | - | -
SRG-APP-000142-DB-000094 | - | -
SRG-APP-000144-DB-000101 | - | -
SRG-APP-000145-DB-000095 | - | -
SRG-APP-000145-DB-000096 | - | -
SRG-APP-000145-DB-000097 | - | -
SRG-APP-000145-DB-000098 | - | -
Further PCI / CIS cells for the rows above, in export order (row alignment not preserved):
2.6 - A.1.1, 2.6 - A.1.2
2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.9
2.10, 2.11, 2.12, 2.16, 2.17, 2.5, 2.6, 3.7
2.1, 2.2

SRG-APP-000146-DB-000099 | - | -
SRG-APP-000146-DB-000100 | - | -
SRG-APP-000149-DB-000104 | - | -
SRG-APP-000156-DB-000111 | - | -
SRG-APP-000163-DB-000113 | - | -
SRG-APP-000164-DB-000082 | PCI 2.2 | CIS 3.8
SRG-APP-000165-DB-000081 | PCI 2.2 | -
SRG-APP-000166-DB-000070 | PCI 2.2 | -
SRG-APP-000170-DB-000073 | PCI 2.2 | CIS 3.8
SRG-APP-000171-DB-000074 | PCI 2.3 | -
SRG-APP-000173-DB-000076 | - | CIS 3.3
SRG-APP-000174-DB-000078 | - | CIS 1.1
SRG-APP-000174-DB-000079 | PCI 2.3 | -
SRG-APP-000174-DB-000080 | PCI 2.2 | CIS 3.3
SRG-APP-000179-DB-000114 | PCI 2.3 | -
SRG-APP-000188-DB-000121 | PCI 2.3 | -
SRG-APP-000190-DB-000137 | - | -
SRG-APP-000245-DB-000132 | PCI 2.2 | -
SRG-APP-000266-DB-000162 | PCI 2.2 | CIS 2.18
SRG-APP-000267-DB-000163 | PCI 2.2 | CIS 2.18
Further PCI / CIS cells for the rows above, in export order (row alignment not preserved):
2.6 - A.1.1, 2.6 - A.1.2
2.6 - A.1.1, 2.6 - A.1.2
3.4, 3.5
2.14, 3.8
2.1, 2.2
2.15, 2.16, 3.9
4.1.17

SRG-APP-000271-DB-000156 | PCI 2.2 | CIS 1.3
SRG-APP-000292-DB-000138 | PCI 2.2 | CIS 5.2, 5.3, 5.4

CIS benchmark Oracle 11g – items referenced in the mapping

1
1.1 Change the Oracle default account passwords
1.2 Remove Oracle Sample Users
1.3 Ensure the latest version/patches for Oracle software is installed
2 Oracle Parameter Settings
2.1 listener.ora settings
2.2 sqlnet.ora settings
2.3 Setting for the 'audit_sys_operations' parameter
2.4 Setting for the 'audit_trail' parameter
2.5 Setting for the 'global_names' parameter
2.6 Setting for the 'local_listener' parameter
2.7 Setting for the 'o7_dictionary_accessibility' parameter
2.8 Setting for the 'os_roles' parameter
2.9 Setting for the 'remote_listener' parameter
2.10 Setting for the 'remote_login_passwordfile' parameter
2.11 Setting for the 'remote_os_authent' parameter
2.12 Setting for the 'remote_os_roles' parameter
2.13 Setting for the 'utl_file_dir' parameter
2.14 Setting for the 'sec_case_sensitive_logon' parameter
2.15 Setting for the 'sec_max_failed_login_attempts' parameter
2.16 Setting for the 'sec_protocol_error_further_action' parameter
2.17 Setting for the 'sec_protocol_error_trace_action' parameter
2.18 Setting for the 'sec_return_server_release_banner' parameter
2.19 Setting for the 'sql92_security' parameter
2.20 Setting for the undocumented '_trace_files_public' parameter
3 Oracle client/user connection and login restrictions
3.1 Restrictions on failed login attempts via the default DB profile
3.2 Requirements for account locking via the default DB profile
3.3 Restrictions on password duration via the default DB profile
3.4 Restrictions on password history via the default DB profile
3.5 Restrictions on password use (reuse) via a DB profile
3.6 Requirements for account locking (grace time) via a DB profile
3.7 Requirements for limiting EXTERNAL user login capability
3.8 Requirement for setting the password verification function
3.9 Requirements for limiting the number of sessions per user
4 Oracle user access and authorization restrictions
4.1 Default Public Privileges for Packages and Object Types
4.2 Non-Default Public Privileges for Packages and Object Types
4.3 System Privileges
4.4 Role Privileges
4.5 Table and View Privileges
4.6 Limiting basic user privileges to restrict the ANY keyword
4.7 Limiting users by restricting the WITH_ADMIN privilege
4.8 Limit direct privileges for proxy user
4.9 Revoke execute any procedure from user OUTLN
4.10 Revoke execute any procedure from user DBSNMP
5 Audit/Logging Policies and Procedures
5.1 Audit all CREATE SESSION (logon/logoff) activities
5.2 Audit all CREATE USER object activities/requests
5.3 Audit all ALTER USER object activities/requests
5.4 Audit all DROP USER object activities/requests
5.5 Audit all user ROLE activities/requests
5.6 Audit all user GRANT ROLE activities/requests
5.7 Audit all user CREATE PROFILE activities/requests
5.8 Audit all user ALTER PROFILE activities/requests
5.9 Audit all user DROP PROFILE activities/requests
5.10 Audit all DATABASE LINK activities/requests
5.11 Audit all PUBLIC DATABASE LINK activities/requests
5.12 Audit all PUBLIC SYNONYM activities/requests
5.13 Audit all user SYNONYM activities/requests
5.14 Audit all grants and revokes of privileges on directories
5.15 Audit all user SELECT ANY DICTIONARY activities/requests
5.16 Audit all user GRANT ANY OBJECT PRIVILEGE activities/requests
5.17 Audit all user GRANT ANY PRIVILEGE activities/requests
5.18 Audit all user CREATE PROCEDURE activities/requests
5.19 Audit all user CREATE ANY PROCEDURE activities/requests
5.20 Audit all user ALTER ANY PROCEDURE activities/requests
5.21 Audit all user DROP ANY PROCEDURE activities/requests
5.22 Audit all user CREATE ANY LIBRARY activities/requests
5.23 Audit all user DROP ANY LIBRARY activities/requests
5.24 Audit all user CREATE ANY TRIGGER activities/requests
5.25 Audit all user ALTER ANY TRIGGER activities/requests
5.26 Audit all user DROP ANY TRIGGER activities/requests
5.27 Set AUDIT ALL ON SYS.AUD$ activities
5.28 Audit all user ALTER SYSTEM activities/requests

Page 31: PCI Map to DB Sec Policies_1st Draft

1 Change the default password for 'APEX_040000'
2 Change the default password for 'APPQOSSYS'
3 Change the default password for 'CTXSYS'
4 Change the default password for 'DBSNMP'
5 Change the default password for 'DIP'
6 Change the default password for 'EXFSYS'
7 Change the default password for 'MDDATA'
8 Change the default password for 'MDSYS'
9 Change the default password for 'LBACSYS'
10 Change the default password for 'OLAPSYS'
11 Change the default password for 'ORACLE_OCM'
12 Change the default password for 'ORDDATA'
13 Change the default password for 'ORDPLUGINS'
14 Change the default password for 'ORDSYS'
15 Change the default password for 'OUTLN'
16 Change the default password for 'OWBSYS_AUDIT'
17 Change the default password for 'OWBSYS'
18 Change the default password for 'SI_INFORMTN_SCHEMA'
19 Change the default password for 'SPATIAL_CSW_ADMIN_USR'
20 Change the default password for 'SPATIAL_WFS_ADMIN_USR'
21 Change the default password for 'SYS'
22 Change the default password for 'SYSTEM'
23 Change the default password for 'WK_TEST'
24 Change the default password for 'WKPROXY'
25 Change the default password for 'WKSYS'
26 Change the default password for 'WMSYS'
27 Change the default password for 'XDB'

1 Remove the sample user 'BI'
2 Remove the sample user 'HR'
3 Remove the sample user 'IX'
4 Remove the sample user 'OE'
5 Remove the sample user 'PM'
6 Remove the sample user 'SCOTT'
7 Remove the sample user 'SH'

1 Setting for the 'secure_control_listener_name' parameter
2 extproc configuration in listener.ora
3 Setting for the 'admin_restrictions_listener_name' parameter
4 Change the default port numbers that connect to Oracle
5 Setting for the 'secure_register_listener_name' parameter

1 Limit public access to the DBMS_ADVISOR package
2 Limit public access to the DBMS_CRYPTO package
3 Limit public access to the DBMS_JAVA package
4 Limit public access to the DBMS_JAVA_TEST package
5 Limit public access to the DBMS_JOB package
6 Limit public access to the DBMS_LDAP package
7 Limit public access to the DBMS_LOB package
8 Limit public access to the DBMS_OBFUSCATION_TOOLKIT package
9 Limit public access to the DBMS_RANDOM package
10 Limit public access to the DBMS_SCHEDULER package
11 Limit public access to the DBMS_SQL package
12 Limit public access to the DBMS_XMLGEN package
13 Limit public access to the DBMS_XMLQUERY package
14 Limit public access to the UTL_FILE package
15 Limit public access to the UTL_INADDR package
16 Limit public access to the UTL_TCP package
17 Limit public access to the UTL_MAIL package
18 Limit public access to the UTL_SMTP package
19 Limit public access to the UTL_DBWS package
20 Limit public access to the UTL_ORAMTS package
21 Limit public access to the UTL_HTTP package
22 Limit public access to the HTTPURITYPE object type

1 Limiting public user access to the DBMS_SYS_SQL package
2 Limit public access to the DBMS_BACKUP_RESTORE package
3 Limiting public user access to the DBMS_AQADM_SYSCALLS package
4 Limiting public user access to the DBMS_REPACT_SQL_UTL package
5 Limiting public user access to the INITJVMAUX package
6 Limiting public user access to the DBMS_STREAMS_ADM_UTL package
7 Limiting public user access to the DBMS_AQADM_SYS package
8 Limiting public user access to the DBMS_STREAMS_RPC package
9 Limiting public user access to the DBMS_AQADM_SYS package
10 Limiting public user access to the DBMS_PRVTAQIM package
11 Limiting public user access to the LTADM package
12 Limiting public user access to the WWV_DBMS_SQL package
13 Limiting public user access to the WWV_EXECUTE_IMMEDIATE package
14 Limiting public user access to the DBMS_IJOB package
15 Limiting public user access to the DBMS_FILE_TRANSFER package

1 Limiting users by restricting the SELECT ANY DICTIONARY privilege
2 Limiting users by restricting the SELECT ANY TABLE privilege
3 Limiting users by restricting the AUDIT SYSTEM privilege
4 Limiting users by restricting the EXEMPT ACCESS POLICY privilege
5 Limiting users by restricting the BECOME USER privilege
6 Limiting users by restricting the CREATE PROCEDURE privilege
7 Limiting users by restricting the ALTER SYSTEM privilege
8 Limiting users by restricting the CREATE ANY LIBRARY privilege
9 Limiting users by restricting the GRANT ANY OBJECT PRIVILEGE privilege
10 Limiting users by restricting the GRANT ANY ROLE privilege
11 Limiting users by restricting the GRANT ANY PRIVILEGE privilege

1 Limiting user authorizations for the DELETE_CATALOG_ROLE
2 Limiting user authorizations for the SELECT_CATALOG_ROLE
3 Limiting user authorizations for the EXECUTE_CATALOG_ROLE
4 Limiting users by restricting the DBA role

1 Limiting authorizations for the SYS.AUD$ table
2 Limiting authorizations for the SYS.USER_HISTORY$ table
3 Limiting authorizations for the SYS.LINK$ table
4 Limiting authorizations for the SYS.USER$ table
5 Limiting user authorizations for the DBA_% views
6 Limiting authorizations for the SCHEDULER$_CREDENTIAL table
7 Drop table SYS.USER$MIG

1 Installation, Updates and Patches
2 Surface Area Reduction
3 Extended Stored Procedures
4 Authentication and Authorization
5 Password Policies
6 Auditing and Logging
7 Application Development

1 Installation, Updates and Patches
1.1 Install the Latest SQL Server Service Packs and Hotfixes
1.2 Install on dedicated single-function member servers

2 Surface Area Reduction
2.1 Set the 'Ad Hoc Distributed Queries' Server Configuration Option to 0
2.2 Set the 'CLR Enabled' Server Configuration Option to 0
2.3 Set the 'Cross DB Ownership Chaining' Server Configuration Option to 0
2.4 Set the 'Database Mail XPs' Server Configuration Option to 0
2.5 Set the 'Ole Automation Procedures' Server Configuration Option to 0
2.6 Set the 'Remote Access' Server Configuration Option to 0
2.7 Set the 'Remote Admin Connections' Server Configuration Option to 0
2.8 Set the 'Scan For Startup Procs' Server Configuration Option to 0
2.9 Set the 'Trustworthy' Database Property to Off
2.10 Disable Unnecessary SQL Server Protocols
2.11 Configure SQL Server to use non-standard ports
2.12 Set the 'Hide Instance' option to 'Yes' for Production SQL Server instances
2.13 Disable the 'sa' Login Account
2.14 Rename the 'sa' Login Account

3 Extended Stored Procedures
3.1 Revoke Execute on 'xp_availablemedia' to PUBLIC
3.2 Set the 'xp_cmdshell' option to disabled
3.3 Revoke Execute on 'xp_dirtree' to PUBLIC
3.4 Revoke Execute on 'xp_enumgroups' to PUBLIC
3.5 Revoke Execute on 'xp_fixeddrives' to PUBLIC
3.6 Revoke Execute on 'xp_servicecontrol' to PUBLIC
3.7 Revoke Execute on 'xp_subdirs' to PUBLIC
3.8 Revoke Execute on 'xp_regaddmultistring' to PUBLIC
3.9 Revoke Execute on 'xp_regdeletekey' to PUBLIC
3.10 Revoke Execute on 'xp_regdeletevalue' to PUBLIC
3.11 Revoke Execute on 'xp_regenumvalues' to PUBLIC
3.12 Revoke Execute on 'xp_regremovemultistring' to PUBLIC
3.13 Revoke Execute on 'xp_regwrite' to PUBLIC
3.14 Revoke Execute on 'xp_regread' to PUBLIC

4 Authentication and Authorization
4.1 Set the 'Server Authentication' Property to Windows Authentication mode
4.2 Revoke CONNECT permissions on the 'guest' user within all SQL Server databases excluding master, msdb and tempdb
4.3 Drop Orphaned Users from SQL Server Databases

5 Password Policies
5.1 Set the 'MUST_CHANGE' Option to ON for All SQL Authenticated Logins
5.2 Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role
5.3 Set the 'CHECK_POLICY' Option to ON for All SQL Authenticated Logins

6 Auditing and Logging
6.1 Set the 'Maximum number of error log files' setting to greater than or equal to 12
6.2 Set the 'Default Trace Enabled' Server Configuration Option to 1
6.3 Set 'Login Auditing' to both failed and successful logins

7 Application Development
7.1 Sanitize Database and Application User Input
7.2 Set the 'CLR Assembly Permission Set' to SAFE_ACCESS for All CLR Assemblies

SRG-APP-000019-DB-000197
SRG-APP-000026-DB-000005
SRG-APP-000027-DB-000186
SRG-APP-000028-DB-000187
SRG-APP-000029-DB-000188
SRG-APP-000030-DB-000173
SRG-APP-000071-DB-000047
SRG-APP-000089-DB-000064
SRG-APP-000090-DB-000065
SRG-APP-000091-DB-000066
SRG-APP-000092-DB-000208
SRG-APP-000093-DB-000052
SRG-APP-000095-DB-000039
SRG-APP-000109-DB-000049
SRG-APP-000115-DB-000055
SRG-APP-000115-DB-000056