Authentication: a DBMS may provide its own authentication mechanism, or use the
host operating system or another external authentication system, such as a
directory service, to identify and authenticate users.
Authorization: the DBMS provides three types: 1) privileges that protect data and
object definitions; 2) privileges that control access to the data stored within the
database objects; and 3) privileges to administer the database configuration and
Confidentiality: a DBMS may provide data encryption for stored and
Integrity: a DBMS may provide data validation mechanisms, data relationship
integrity, transaction logging and rollback, and session lock mechanisms to control
multiple update requests against the same data.
Audit: a DBMS may provide audit logging of privileged operations and data changes.
Backup and Recovery: a DBMS may provide backup and recovery features to
mitigate losses from hardware or software failure.
Replication: part or all of the database data objects may be copied to and
maintained in a separate remote database.
Federated or distributed databases: these give local database users and
applications access to data stored in remote databases.
Database clustering: clustering provides high availability of data by providing
instant access to duplicate databases in the event of access failure to a primary
database.
The host operating system provides protection of the database and its
The application provides access to the data. If the application does not
contribute to the security model, it can provide fully privileged, un-audited access
to the database and data to which it connects.
The network provides protections via network devices and applications.
Web and/or application servers provide the security framework for all hosted
web applications and may control access to other served applications.
PCI Req. # | Sub # | App'x # | PCI Req.
2.1 Always change vendor-supplied defaults and remove or disable unnecessary
default accounts before installing a system on the network. This applies to ALL
default passwords, including but not limited to those used by operating systems,
software that provides security services, application and system accounts, point-
of-sale (POS) terminals, simple network management protocol (SNMP),
community strings, etc.
2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with
industry-accepted system hardening standards. Sources of industry-accepted
system hardening standards may include, but are not limited to:
  - Center for Internet Security (CIS)
  - International Organization for Standardization (ISO)
  - SysAdmin Audit Network Security (SANS) Institute
  - National Institute of Standards and Technology (NIST)
2.2.4 Configure system security parameters to prevent misuse.
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features,
subsystems, file systems, and unnecessary web servers
2.3 Encrypt all non-console administrative access using strong cryptography. Use
technologies such as SSH, VPN, or SSL/TLS for web-based management and
other non-console administrative access
2.6 Shared hosting providers must protect each entity's hosted environment and
cardholder data. These providers must meet specific requirements as detailed in
Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers"
A.1.1 Ensure that each entity only runs processes that have access to that entity's
cardholder data environment.
A.1.2 Restrict each entity's access and privileges to its own cardholder data
environment only.
A.1.3 Ensure logging and audit trails are enabled and unique to each entity's
cardholder data environment and consistent with PCI DSS Requirement 10.
A.1.4 Enable processes to provide for timely forensic investigation in the event of a
compromise to any hosted merchant or service provider.
3.3 Mask PAN when displayed (the first six and last four digits are the maximum
number of digits to be displayed), such that only personnel with a legitimate
business need to see the full PAN
Note: This requirement does not supersede stricter requirements in place for
displays of cardholder data, for example legal or payment card brand
requirements for point-of-sale (POS) receipts.
3.4 Render PAN unreadable anywhere it is stored (including on portable digital
media, backup media, and in logs) by using any of the following approaches:
  - One-way hashes based on strong cryptography (hash must be of the entire
    PAN)
  - Truncation (hashing cannot be used to replace the truncated segment of PAN)
  - Index tokens and pads (pads must be securely stored)
  - Strong cryptography with associated key-management processes and
    procedures
Note: It is a relatively trivial effort for a malicious individual to reconstruct
original PAN data if they have access to both the truncated and hashed version
of a PAN. Where hashed and truncated versions of the same PAN are present in
an entity's environment, additional controls should be in place to ensure that
the hashed and truncated versions cannot be correlated to reconstruct the
original PAN.
3.5 Document and implement procedures to protect keys used to secure stored
cardholder data against disclosure and misuse:
Note: This requirement applies to keys used to encrypt stored cardholder data,
and also applies to key-encrypting keys used to protect data-encrypting
keys; such key-encrypting keys must be at least as strong as the data-encrypting
key.
3.5.1 Restrict access to cryptographic keys to the fewest number of custodians
necessary.
3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or
more) of the following forms at all times:
  - Encrypted with a key-encrypting key that is at least as strong as the data-
    encrypting key, and that is stored separately from the data-encrypting key
  - Within a secure cryptographic device (such as a hardware security module
    (HSM) or PTS-approved point of interaction device)
  - As at least two full-length key components or key shares, in accordance with
    an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.
3.6.1 Generation of strong cryptographic keys
3.6.2 Secure cryptographic key distribution
3.6.3 Secure cryptographic key storage
3.6.4 Cryptographic key changes for keys that have reached the end of their
cryptoperiod (for example, after a defined period of time has passed and/or
after a certain amount of cipher-text has been produced by a given key), as
defined by the associated application vendor or key owner, and based on
industry best practices and guidelines (for example, NIST Special Publication 800-
57).
6.1 Establish a process to identify security vulnerabilities, using reputable outside
sources for security vulnerability information, and assign a risk ranking (for
example, as high, medium, or low) to newly discovered security
vulnerabilities.
Note: Risk rankings should be based on industry best practices as well as
consideration of potential impact.
6.2 Ensure that all system components and software are protected from known
vulnerabilities by installing all vendor-supplied security patches. Install critical
security patches within one month of release.
6.4.1 Separate development/test environments from production environments, and
enforce the separation with access controls
6.4.3 Production data (live PANs) are not used for testing or development
6.4.5 Change control procedures for the implementation of security patches and
software modifications must include the following:
  6.4.1 Documentation of impact
  6.4.2 Documented change approval by authorized parties
  6.4.3 Functionality testing to verify that the change does not adversely impact
        the security of the system
  6.4.4 Back-out procedures
6.5 Address common coding vulnerabilities in software-development processes
as follows:
  - Train developers in secure coding techniques, including how to avoid common
    coding vulnerabilities, and understanding how sensitive data is handled in
    memory.
  - Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with
industry best practices when this version of PCI DSS was published. However, as
industry best practices for vulnerability management are updated (for example,
the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current
best practices must be used for these requirements
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection,
LDAP and XPath injection flaws as well as other injection flaws
6.5.3 Insecure cryptographic storage
6.5.4 Insecure communications
7.1.1 Define access needs for each role, including:
  - System components and data resources that each role needs to access for
    their job function
  - Level of privilege required (for example, user, administrator, etc.) for accessing
    resources.
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job
responsibilities.
7.1.3 Assign access based on individual personnel's job classification and function.
7.2 Establish an access control system for systems components with multiple users
that restricts access based on a user's need to know, and is set to "deny all"
unless specifically allowed.
This access control system must include the following:
7.2.1 Coverage of all system components
7.2.2 Assignment of privileges to individuals based on job classification and function
7.2.3 Default deny-all setting
8.1 Define and implement policies and procedures to ensure proper user
identification management for non-consumer users and administrators on all
system components as follows:
8.1.1 Assign all users a unique ID before allowing them to access system components
or cardholder data.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other
identifier objects
8.1.3 Immediately revoke access for any terminated users
8.1.4 Remove/disable inactive user accounts at least every 90 days
8.1.5 Manage IDs used by vendors to access, support, or maintain system components
via remote access as follows:
  - Enabled only during the time period needed and disabled when not in use.
  - Monitored when in use.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six
attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator
enables the user ID.
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-
authenticate to re-activate the terminal session.
8.2 In addition to assigning a unique ID, ensure proper user-authentication
management for non-consumer users and administrators on all system
components by employing at least one of the following methods to authenticate
all users:
  - Something you know, such as a password or passphrase
  - Something you have, such as a token device or smart card
  - Something you are, such as a biometric
8.2.2 Using strong cryptography, render all authentication credentials (such as
passwords/phrases) unreadable during transmission and storage on all system
components.
8.2.3 Passwords/phrases must meet the following:
  - Require a minimum length of at least seven characters
  - Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least
equivalent to the parameters specified above.
8.2.4 Change user passwords/passphrases at least every 90 days.
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as
any of the last four passwords/phrases he or she has used.
8.3 Incorporate two-factor authentication for remote network access originating
from outside the network by personnel (including users and administrators) and
all third parties, (including vendor access for support or maintenance).
Note: Two-factor authentication requires that two of the three authentication
methods (see Requirement 8.2 for descriptions of authentication methods) be
used for authentication. Using one factor twice (for example, using two separate
passwords) is not considered two-factor authentication.
Examples of two-factor technologies include remote authentication and dial-in
service (RADIUS) with tokens; terminal access controller access control systems
(TACACS) with tokens; and other technologies that facilitate two-factor
authentication.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication
methods as follows:
  - Generic user IDs are disabled or removed.
  - Shared user IDs do not exist for system administration and other critical
    functions.
  - Shared and generic user IDs are not used to administer any system components.
8.7 All access to any database containing cardholder data (including access by
applications, administrators, and all other users) is restricted as follows:
  - All user access to, user queries of, and user actions on databases are through
    programmatic methods.
  - Only database administrators have the ability to directly access or query
    databases.
  - Application IDs for database applications can only be used by the applications
    (and not by individual users or other non-application processes).
10.1 Implement audit trails to link all access to system components to each individual
user.
10.2 Implement automated audit trails for all system components to reconstruct the
following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms, including
but not limited to creation of new accounts and elevation of privileges, and all
changes, additions, or deletions to accounts with root or administrative
privileges.
10.2.7 Creation and deletion of system-level objects
10.3 Record at least the following audit trail entries for all system components for
each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and Time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back-up audit trail files to a centralized log server or media that is
difficult to alter.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that
existing log data cannot be changed without generating alerts (although new
data being added should not cause an alert)
10.6 Review logs and security events for all system components to identify anomalies
or suspicious activity.
Note: Log harvesting, parsing, and alerting tools may be used to meet this
Requirement.
10.7 Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable
from back-up)
DISA Equivalent
PCI 2.1: SRG-APP-000063-DB-000023, SRG-APP-000141-DB-000090,
SRG-APP-000174-DB-000078
PCI 2.3: SRG-APP-000014-DB-000036, SRG-APP-000171-DB-000074,
SRG-APP-000174-DB-000079, SRG-APP-000179-DB-000114, SRG-APP-000188-DB-000121
PCI 2.2: SRG-APP-000001-DB-000031, SRG-APP-000026-DB-000005,
SRG-APP-000027-DB-000186, SRG-APP-000028-DB-000187, SRG-APP-000029-DB-000188,
SRG-APP-000062-DB-000011, SRG-APP-000062-DB-000016, SRG-APP-000063-DB-000019,
SRG-APP-000065-DB-000024, SRG-APP-000065-DB-000025, SRG-APP-000066-DB-000195,
SRG-APP-000067-DB-000026, SRG-APP-000092-DB-000208, SRG-APP-000093-DB-000052,
SRG-APP-000140-DB-000033, SRG-APP-000141-DB-000090, SRG-APP-000164-DB-000082,
SRG-APP-000165-DB-000081, SRG-APP-000166-DB-000070, SRG-APP-000170-DB-000073,
SRG-APP-000174-DB-000078, SRG-APP-000174-DB-000080, SRG-APP-000245-DB-000132,
SRG-APP-000266-DB-000162, SRG-APP-000267-DB-000163, SRG-APP-000271-DB-000156,
SRG-APP-000292-DB-000138
PCI 2.6 (Appendix A.1): SRG-APP-000019-DB-000197, SRG-APP-000026-DB-000005,
SRG-APP-000027-DB-000186, SRG-APP-000028-DB-000187, SRG-APP-000029-DB-000188,
SRG-APP-000062-DB-000011, SRG-APP-000063-DB-000018, SRG-APP-000063-DB-000019,
SRG-APP-000063-DB-000020, SRG-APP-000063-DB-000021, SRG-APP-000133-DB-000207,
SRG-APP-000149-DB-000104, SRG-APP-000156-DB-000111
No. Rule Title
1 The DBMS must limit the number of concurrent sessions for each system account to an
organization defined number of sessions.
2 A DBMS providing remote access capabilities must utilize approved cryptography to protect
the confidentiality and integrity of data passing over remote access sessions.
3 The DBMS must allow all remote access to be routed through managed access control
points.
4 The DBMS must ensure remote sessions that access an organization defined list of security
functions and security-relevant information are audited.
5 The DBMS must support the requirement to automatically audit account creation.
6 The DBMS must support the requirement to automatically audit account modification.
7 The DBMS must automatically audit account disabling actions.
8 The DBMS must automatically audit account termination.
9 The DBMS must support the organizational requirements for automatically monitoring,
auditing, and alerting on abnormal usage of accounts.
10 The DBMS must enforce organization defined limitations on the embedding of data types
within other data types.
11 The DBMS must support organizational requirements to implement separation of duties
through assigned information access authorizations.
12 DBMS processes or services must run under custom, dedicated OS accounts.
13 The DBMS must restrict grants to sensitive information to authorized user roles.
14 The DBMS must be protected from unauthorized access by developers.
15 The DBMS must restrict access to system tables and other configuration information or
metadata to DBAs or other authorized users.
16 Administrators must utilize a separate, distinct administrative account when performing
administrative activities, accessing database security functions, or accessing security-
relevant information.
17 Non-privileged accounts must be utilized when accessing non-administrative functions.
18 The DBA role must not be assigned excessive or unauthorized privileges.
19 OS accounts utilized to run external procedures called by the DBMS must have limited
privileges.
20 DBA OS accounts must be granted only those host system privileges necessary for the
administration of the DBMS.
21 DBMS default account names must be changed if allowed.
22 The DBMS must specify account lockout duration that is greater than or equal to the
organization approved minimum.
23 The DBMS must have the capability to limit the number of failed login attempts based upon
an organization defined number of consecutive invalid attempts occurring within an
organization defined time period.
24 The DBMS must enforce the organization defined time period during which the limit of
consecutive failed login attempts by a user is counted.
25 The DBMS, when the maximum number of unsuccessful attempts is exceeded, must
automatically lock the account/node for an organization defined time period or lock the
account/node until released by an administrator IAW organizational policy.
26 The DBMS must have allocated audit record storage capacity, and its auditing configured to
reduce the likelihood of storage capacity being exceeded.
27 The DBMS must provide audit record generation capability for organization defined
auditable events within the database.
28 The DBMS must allow designated organizational personnel to select which auditable events
are to be audited by the database.
29 The DBMS must generate audit records for the selected list of auditable events.
30 The DBMS must initiate session auditing upon startup of the database.
31 The DBMS must provide the capability to capture, record, and log all content related to a
user session.
32 The DBMS must produce audit records containing sufficient information to establish details
of the event (type of event, when, where, origin, outcome, identity of implicated user).
33 The DBMS must be capable of taking organization defined actions when an audit failure or a
component failure is detected (e.g., overwrite oldest audit records, stop generating audit
records, cease processing, notify of audit failure).
34 The DBMS must provide the capability to automatically process audit records for events of
interest based upon selectable event criteria.
35 Attempts to bypass access controls must be audited.
36 The DBMS must synchronize with internal operating system clocks which in turn, are
synchronized on an organization defined frequency with an organization defined
authoritative time source.
37 The DBMS must protect audit information and audit tools from any type of unauthorized
access, modification, or deletion.
38 The DBMS must support the requirement to back up audit data and records onto a different
system or media than the system being audited on an organization defined frequency.
39 Database software directories, including DBMS configuration files, must be stored in
dedicated directories, separate from the host OS and other applications.
40 Vendor supported software must be evaluated and patched against newly found
vulnerabilities.
41 The OS must limit privileges to change the DBMS software resident within software libraries
(including privileged programs).
42 The DBMS must enforce requirements for remote connections to the information system.
43 Default demonstration and sample databases, database objects, and applications must be
removed.
44 Unused database components, DBMS software, and database objects must be removed.
45 Unused database components which are integrated in the DBMS and cannot be uninstalled
must be disabled.
46 Access to external executables must be disabled or restricted.
47 The DBMS must support the organizational requirements to specifically prohibit or restrict
the use of unauthorized/non-secure functions, ports, protocols, and/or services.
48 Recovery procedures and technical system features must exist to ensure recovery is done in
a secure and verifiable manner.
49 The DBMS must be capable of backing up user-level information per a defined frequency.
50 Database backup procedures must be defined, documented, and implemented.
51 Database recovery procedures must be developed, documented, implemented, and
periodically tested.
52 DBMS backup and restoration files must be protected from unauthorized access.
53 DBMS must conduct backups of system-level information per organization defined
frequency that is consistent with recovery time and recovery point objectives.
54 The DBMS software libraries must be periodically backed up.
55 The DBMS must use multifactor authentication for remote network access (originating
outside) to privileged/non-privileged accounts.
56 The DBMS must use organization defined replay-resistant authentication mechanisms for
network access to privileged/non-privileged accounts.
57 The DBMS must support organizational requirements to disable user accounts after an
organization defined time period of inactivity.
58 The DBMS must support organizational requirements to enforce minimum password length.
59 The DBMS must support organizational requirements to prohibit password reuse for the
organization defined number of generations.
60 The DBMS must support organizational requirements to enforce password complexity by
the number of upper case, lower case, numeric, and special characters used.
61 The DBMS must support organizational requirements to enforce the number of characters
that get changed when passwords are changed.
62 The DBMS must support organizational requirements to enforce password encryption for
storage and transmission.
63 The DBMS must enforce password minimum lifetime restrictions.
64 DBMS default accounts must be assigned custom passwords.
65 DBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or
compiled, encoded, or encrypted application source code.
66 The DBMS must enforce password maximum lifetime restrictions.
67 The DBMS must use approved cryptography for authentication mechanisms.
68 The DBMS must support organizational requirements to encrypt information stored in the
database.
69 The DBMS must terminate the network connection associated with a communications
session at the end of the session or after an organization defined time period of inactivity.
70 The DBMS must protect against or limit the effects of the organization defined types of
Denial of Service (DoS) attacks.
71 The DBMS must only generate error messages that provide information necessary for
corrective actions without revealing organization defined sensitive or potentially harmful
information in error logs and administrative messages that could be exploited.
72 The DBMS must restrict error messages, so only authorized personnel may view them.
73 The DBMS must support organizational requirements to employ automated patch
management tools to facilitate flaw remediation to organization defined information
system components.
74 The DBMS must notify appropriate individuals when accounts are
created/modified/disabled/terminated.
DISA Reference | PCI equivalent | CIS benchmark Oracle 11g
SRG-APP-000001-DB-000031 | 2.2 | 3.9
SRG-APP-000014-DB-000036 | 2.3 |
SRG-APP-000017-DB-000037 | |
SRG-APP-000019-DB-000197 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000026-DB-000005 | 2.2, 2.6 - A.13, 2.6 - A.14 | 5.2, 5.7, 5.18, 5.19, 5.22, 5.24
SRG-APP-000027-DB-000186 | 2.2, 2.6 - A.13, 2.6 - A.14 | 5.3, 5.8, 5.20, 5.25, 5.28
SRG-APP-000028-DB-000187 | 2.2, 2.6 - A.13, 2.6 - A.14 | 5.4, 5.9, 5.21, 5.23, 5.26
SRG-APP-000029-DB-000188 | 2.2, 2.6 - A.13, 2.6 - A.14 | 5.4, 5.9, 5.21, 5.23, 5.26
SRG-APP-000030-DB-000173 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000057-DB-000127 | |
SRG-APP-000062-DB-000009 | |
SRG-APP-000062-DB-000010 | |
SRG-APP-000062-DB-000011 | 2.2, 2.6 - A.11, 2.6 - A.12 | 4.3.9, 4.3.10, 4.3.11
SRG-APP-000062-DB-000014 | |
SRG-APP-000062-DB-000016 | 2.2 | 2.7, 2.8, 2.13, 2.20
SRG-APP-000063-DB-000017 | |
SRG-APP-000063-DB-000018 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000063-DB-000019 | 2.2, 2.6 - A.11, 2.6 - A.12 | 2.19, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10
SRG-APP-000063-DB-000020 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000063-DB-000021 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000063-DB-000023 | 2.1 |
SRG-APP-000065-DB-000024 | 2.2 | 3.2, 3.6
SRG-APP-000065-DB-000025 | 2.2 | 3.1
SRG-APP-000066-DB-000195 | 2.2 | 2.15
SRG-APP-000067-DB-000026 | 2.2 | 3.1
SRG-APP-000071-DB-000047 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000089-DB-000064 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000090-DB-000065 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000091-DB-000066 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000092-DB-000208 | 2.2, 2.6 - A.13, 2.6 - A.14 | 5.1
SRG-APP-000093-DB-000052 | 2.2, 2.6 - A.13, 2.6 - A.14 | 2.3, 2.4, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 5.19, 5.20, 5.21, 5.22, 5.23, 5.24
SRG-APP-000095-DB-000039 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000109-DB-000049 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000115-DB-000055 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000115-DB-000056 | 2.6 - A.13, 2.6 - A.14 |
SRG-APP-000117-DB-000058 | |
SRG-APP-000118-DB-000059 | |
SRG-APP-000125-DB-000170 | |
SRG-APP-000133-DB-000199 | |
SRG-APP-000133-DB-000205 | |
SRG-APP-000133-DB-000207 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000140-DB-000033 | 2.2 | 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.9, 2.10, 2.11, 2.12, 2.16, 2.17, 2.5, 2.6, 3.7
SRG-APP-000141-DB-000090 | 2.1, 2.2 | 1.2
SRG-APP-000141-DB-000091 | |
SRG-APP-000141-DB-000092 | |
SRG-APP-000141-DB-000093 | |
SRG-APP-000142-DB-000094 | |
SRG-APP-000144-DB-000101 | |
SRG-APP-000145-DB-000095 | |
SRG-APP-000145-DB-000096 | |
SRG-APP-000145-DB-000097 | |
SRG-APP-000145-DB-000098 | |
SRG-APP-000146-DB-000099 | |
SRG-APP-000146-DB-000100 | |
SRG-APP-000149-DB-000104 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000156-DB-000111 | 2.6 - A.11, 2.6 - A.12 |
SRG-APP-000163-DB-000113 | |
SRG-APP-000164-DB-000082 | 2.2 | 3.8
SRG-APP-000165-DB-000081 | 2.2 | 3.4, 3.5
SRG-APP-000166-DB-000070 | 2.2 | 2.14, 3.8
SRG-APP-000170-DB-000073 | 2.2 | 3.8
SRG-APP-000171-DB-000074 | 2.3 |
SRG-APP-000173-DB-000076 | | 3.3
SRG-APP-000174-DB-000078 | 2.1, 2.2 | 1.1
SRG-APP-000174-DB-000079 | 2.3 |
SRG-APP-000174-DB-000080 | 2.2 | 3.3
SRG-APP-000179-DB-000114 | 2.3 |
SRG-APP-000188-DB-000121 | 2.3 |
SRG-APP-000190-DB-000137 | |
SRG-APP-000245-DB-000132 | 2.2 | 2.15, 2.16, 3.9, 4.1.17
SRG-APP-000266-DB-000162 | 2.2 | 2.18
SRG-APP-000267-DB-000163 | 2.2 | 2.18
SRG-APP-000271-DB-000156 | 2.2 | 1.3
SRG-APP-000292-DB-000138 | 2.2 | 5.2, 5.3, 5.4
1.1 Change the Oracle default account passwords
1.2 Remove Oracle Sample Users
1.3 Ensure the latest version/patches for Oracle software is installed
2 Oracle Parameter Settings
2.1 listener.ora settings
2.2 sqlnet.ora settings
2.3 Setting for the 'audit_sys_operations' parameter
2.4 Setting for the 'audit_trail' parameter
2.5 Setting for the 'global_names' parameter
2.6 Setting for the 'local_listener' parameter
2.7 Setting for the 'o7_dictionary_accessibility' parameter
2.8 Setting for the 'os_roles' parameter
2.9 Setting for the 'remote_listener' parameter
2.10 Setting for the 'remote_login_passwordfile' parameter
2.11 Setting for the 'remote_os_authent' parameter
2.12 Setting for the 'remote_os_roles' parameter
2.13 Setting for the 'utl_file_dir' parameter
2.14 Setting for the 'sec_case_sensitive_logon' parameter
2.15 Setting for the 'sec_max_failed_login_attempts' parameter
2.16 Setting for the 'sec_protocol_error_further_action' parameter
2.17 Setting for the 'sec_protocol_error_trace_action' parameter
2.18 Setting for the 'sec_return_server_release_banner' parameter
2.19 Setting for the 'sql92_security' parameter
2.20 Setting for the undocumented '_trace_files_public' parameter
3 Oracle client/user connection and login restrictions
3.1 Restrictions on failed login attempts via the default DB profile
3.2 Requirements for account locking via the default DB profile
3.3 Restrictions on password duration via the default DB profile
3.4 Restrictions on password history via the default DB profile
3.5 Restrictions on password use (reuse) via a DB profile
3.6 Requirements for account locking (grace time) via a DB profile
3.7 Requirements for limiting EXTERNAL user login capability
3.8 Requirement for setting the password verification function
3.9 Requirements for limiting the number of sessions per user
4 Oracle user access and authorization restrictions
4.1 Default Public Privileges for Packages and Object Types
4.2 Non-Default Public Privileges for Packages and Object Types
4.3 System Privileges
4.4 Role Privileges
4.5 Table and View privileges
4.6 Limiting basic user privileges to restrict the ANY keyword
4.7 Limiting users by restricting the WITH_ADMIN privilege
4.8 Limit direct privileges for proxy user
4.9 Revoke execute any procedure from user OUTLN
4.10 Revoke execute any procedure from user DBSNMP
5 Audit/Logging Policies and Procedures
5.1 Audit all CREATE SESSION (logon/logoff) activities
5.2 Audit all CREATE USER object activities/requests
5.3 Audit all ALTER USER object activities/requests
5.4 Audit all DROP USER object activities/requests
5.5 Audit all user ROLE activities/requests
5.6 Audit all user GRANT ROLE activities/requests
5.7 Audit all user CREATE PROFILE activities/requests
5.8 Audit all user ALTER PROFILE activities/requests
5.9 Audit all user DROP PROFILE activities/requests
5.10 Audit all DATABASE LINK activities/requests
5.11 Audit all PUBLIC DATABASE LINK activities/requests
5.12 Audit all PUBLIC SYNONYM activities/requests
5.13 Audit all user SYNONYM activities/requests
5.14 Audit all grants and revokes of privileges on directories
5.15 Audit all user SELECT ANY DICTIONARY activities/requests
5.16 Audit all user GRANT ANY OBJECT PRIVILEGE activities/requests
5.17 Audit all user GRANT ANY PRIVILEGE activities/requests
5.18 Audit all user CREATE PROCEDURE activities/requests
5.19 Audit all user CREATE ANY PROCEDURE activities/requests
5.20 Audit all user ALTER ANY PROCEDURE activities/requests
5.21 Audit all user DROP ANY PROCEDURE activities/requests
5.22 Audit all user CREATE ANY LIBRARY activities/requests
5.23 Audit all user DROP ANY LIBRARY activities/requests
5.24 Audit all user CREATE ANY TRIGGER activities/requests
5.25 Audit all user ALTER ANY TRIGGER activities/requests
5.26 Audit all user DROP ANY TRIGGER activities/requests
5.27 Set AUDIT ALL ON SYS.AUD$ activities
5.28 Audit all user ALTER SYSTEM activities/requests
1 Change the default password for 'APEX_040000'
2 Change the default password for 'APPQOSSYS'
3 Change the default password for 'CTXSYS'
4 Change the default password for 'DBSNMP'
5 Change the default password for 'DIP'
6 Change the default password for 'EXFSYS'
7 Change the default password for 'MDDATA'
8 Change the default password for 'MDSYS'
9 Change the default password for 'LBACSYS'
10 Change the default password for 'OLAPSYS'
11 Change the default password for 'ORACLE_OCM'
12 Change the default password for 'ORDDATA'
13 Change the default password for 'ORDPLUGINS'
14 Change the default password for 'ORDSYS'
15 Change the default password for 'OUTLN'
16 Change the default password for 'OWBSYS_AUDIT'
17 Change the default password for 'OWBSYS'
18 Change the default password for 'SI_INFORMTN_SCHEMA'
19 Change the default password for 'SPATIAL_CSW_ADMIN_USR'
20 Change the default password for 'SPATIAL_WFS_ADMIN_USR'
21 Change the default password for 'SYS'
22 Change the default password for 'SYSTEM'
23 Change the default password for 'WK_TEST'
24 Change the default password for 'WKPROXY'
25 Change the default password for 'WKSYS'
26 Change the default password for 'WMSYS'
27 Change the default password for 'XDB'
1 Remove the sample user 'BI'
2 Remove the sample user 'HR'
3 Remove the sample user 'IX'
4 Remove the sample user 'OE'
5 Remove the sample user 'PM'
6 Remove the sample user 'SCOTT'
7 Remove the sample user 'SH'
1 Setting for 'secure_control_listener_name' parameter
2 extproc configuration in listener.ora
3 Setting for the 'admin_restrictions_listener_name' parameter
4 Change the default port numbers that connect to Oracle
5 Setting for parameter 'secure_register_listener_name' parameter
1 Limit public access to the DBMS_ADVISOR package
2 Limit public access to the DBMS_CRYPTO package
3 Limit public access to the DBMS_JAVA package
4 Limit public access to the DBMS_JAVA_TEST package
5 Limit public access to the DBMS_JOB package
6 Limit public access to the DBMS_LDAP package
7 Limit public access to the DBMS_LOB package
8 Limit public access to the DBMS_OBFUSCATION_TOOLKIT package
9 Limit public access to the DBMS_RANDOM package
10 Limit public access to the DBMS_SCHEDULER package
11 Limit public access to the DBMS_SQL package
12 Limit public access to the DBMS_XMLGEN package
13 Limit public access to the DBMS_XMLQUERY package
14 Limit public access to the UTL_FILE package
15 Limit public access to the UTL_INADDR package
16 Limit public access to the UTL_TCP package
17 Limit public access to the UTL_MAIL package
18 Limit public access to the UTL_SMTP package
19 Limit public access to the UTL_DBWS package
20 Limit public access to the UTL_ORAMTS package
21 Limit public access to the UTL_HTTP package
22 Limit public access to the HTTPURITYPE object type
1 Limiting public user access to the DBMS_SYS_SQL package
2 Limit public access to the DBMS_BACKUP_RESTORE package
3 Limiting public user access to the DBMS_AQADM_SYSCALLS package
4 Limiting public user access to the DBMS_REPACT_SQL_UTL package
5 Limiting public user access to the INITJVMAUX package
6 Limiting public user access to the DBMS_STREAMS_ADM_UTL package
7 Limiting public user access to the DBMS_AQADM_SYS package
8 Limiting public user access to the DBMS_STREAMS_RPC package
9 Limiting public user access to the DBMS_AQADM_SYS package
10 Limiting public user access to the DBMS_PRVTAQIM package
11 Limiting public user access to the LTADM package
12 Limiting public user access to the WWV_DBMS_SQL package
13 Limiting public user access to the WWV_EXECUTE_IMMEDIATE package
14 Limiting public user access to the DBMS_IJOB package
15 Limiting public user access to the DBMS_FILE_TRANSFER package
1 Limiting users by restricting the SELECT ANY DICTIONARY privilege
2 Limiting users by restricting the SELECT ANY TABLE privilege
3 Limiting users by restricting the AUDIT SYSTEM privilege
4 Limiting users by restricting the EXEMPT ACCESS POLICY
5 Limiting users by restricting the BECOME USER privilege
6 Limiting users by restricting the CREATE PROCEDURE privilege
7 Limiting users by restricting the ALTER SYSTEM privilege
8 Limiting users by restricting the CREATE ANY LIBRARY privilege
9 Limiting users by restricting GRANT ANY OBJECT PRIVILEGE privilege
10 Limiting users by restricting GRANT ANY ROLE privilege
11 Limiting users by restricting GRANT ANY PRIVILEGE privilege
1 Limiting user authorizations for the DELETE_CATALOG_ROLE
2 Limiting user authorizations for the SELECT_CATALOG_ROLE
3 Limiting user authorizations for the EXECUTE_CATALOG role
4 Limiting users by restricting the DBA role
1 Limiting authorizations for the SYS.AUD$ table
2 Limiting authorizations for the SYS.USER_HISTORY$ table
3 Limiting authorizations for the SYS.LINK$ table
4 Limiting authorizations for the SYS.USER$ table
5 Limiting user authorizations for the DBA_% views
6 Limiting authorizations for the SCHEDULER$_CREDENTIAL table
7 Drop table sys.user$mig
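
The Oracle items in sections 4 and 5 above each reduce to a dictionary query that finds the offending grant and a REVOKE or AUDIT statement that fixes it. The script below gathers them into one pass, as an added example that is not part of the page or of the CIS benchmark it summarises. It assumes Oracle 11g with traditional (non-unified) auditing, AUDIT_TRAIL set to DB or DB,EXTENDED, and a SYSDBA session; the list of Oracle-maintained accounts excluded from the ANY-privilege check is illustrative and should be completed for the actual release.

```sql
-- Added example, not from the page or the CIS benchmark it lists.
-- Assumes Oracle 11g, traditional auditing, run as SYSDBA.

-- 4.1 / 4.2: EXECUTE granted to PUBLIC on the named packages and types;
-- each row returned is one REVOKE to run.
SELECT 'REVOKE EXECUTE ON ' || owner || '.' || table_name || ' FROM PUBLIC;' AS remediation
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN (
       'DBMS_ADVISOR','DBMS_CRYPTO','DBMS_JAVA','DBMS_JAVA_TEST','DBMS_JOB','DBMS_LDAP',
       'DBMS_LOB','DBMS_OBFUSCATION_TOOLKIT','DBMS_RANDOM','DBMS_SCHEDULER','DBMS_SQL',
       'DBMS_XMLGEN','DBMS_XMLQUERY','UTL_FILE','UTL_INADDR','UTL_TCP','UTL_MAIL',
       'UTL_SMTP','UTL_DBWS','UTL_ORAMTS','UTL_HTTP','HTTPURITYPE',
       'DBMS_SYS_SQL','DBMS_BACKUP_RESTORE','DBMS_AQADM_SYSCALLS','DBMS_REPCAT_SQL_UTL',
       'INITJVMAUX','DBMS_STREAMS_ADM_UTL','DBMS_AQADM_SYS','DBMS_STREAMS_RPC',
       'DBMS_PRVTAQIM','LTADM','WWV_DBMS_SQL','WWV_EXECUTE_IMMEDIATE','DBMS_IJOB',
       'DBMS_FILE_TRANSFER');

-- 4.6 / 4.7: ANY-keyword system privileges, and any privilege held WITH ADMIN
-- OPTION, outside the Oracle-maintained accounts (exclusion list is illustrative).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS','SYSTEM','DBA','OUTLN','DBSNMP','SYSMAN','MDSYS',
                       'CTXSYS','XDB','WMSYS','EXFSYS','OLAPSYS','LBACSYS')
 ORDER BY grantee, privilege;

-- 4.9 / 4.10: EXECUTE ANY PROCEDURE must not remain with OUTLN or DBSNMP.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
   AND grantee IN ('OUTLN','DBSNMP');
REVOKE EXECUTE ANY PROCEDURE FROM OUTLN;
REVOKE EXECUTE ANY PROCEDURE FROM DBSNMP;

-- 5.1 - 5.28: traditional auditing writes nothing unless AUDIT_TRAIL is
-- DB or DB,EXTENDED (or OS/XML), so confirm that before enabling options.
SELECT value FROM v$parameter WHERE name = 'audit_trail';

AUDIT SESSION;                      -- 5.1  logon/logoff
AUDIT USER;                         -- 5.2 - 5.4  CREATE/ALTER/DROP USER
AUDIT ROLE;                         -- 5.5
AUDIT GRANT ANY ROLE;               -- 5.6
AUDIT PROFILE;                      -- 5.7 - 5.9  CREATE/ALTER/DROP PROFILE
AUDIT DATABASE LINK;                -- 5.10
AUDIT PUBLIC DATABASE LINK;         -- 5.11
AUDIT PUBLIC SYNONYM;               -- 5.12
AUDIT SYNONYM;                      -- 5.13
AUDIT GRANT DIRECTORY;              -- 5.14
AUDIT SELECT ANY DICTIONARY;        -- 5.15
AUDIT GRANT ANY OBJECT PRIVILEGE;   -- 5.16
AUDIT GRANT ANY PRIVILEGE;          -- 5.17
AUDIT CREATE PROCEDURE;             -- 5.18
AUDIT CREATE ANY PROCEDURE;         -- 5.19
AUDIT ALTER ANY PROCEDURE;          -- 5.20
AUDIT DROP ANY PROCEDURE;           -- 5.21
AUDIT CREATE ANY LIBRARY;           -- 5.22
AUDIT DROP ANY LIBRARY;             -- 5.23
AUDIT CREATE ANY TRIGGER;           -- 5.24
AUDIT ALTER ANY TRIGGER;            -- 5.25
AUDIT DROP ANY TRIGGER;             -- 5.26
AUDIT ALL ON SYS.AUD$ BY ACCESS;    -- 5.27  record attempts to touch the trail itself
AUDIT ALTER SYSTEM;                 -- 5.28

-- Verify: statement-level and privilege-level options now in force.
SELECT audit_option AS option_name, success, failure FROM dba_stmt_audit_opts
UNION ALL
SELECT privilege,                   success, failure FROM dba_priv_audit_opts
ORDER BY 1;
```

The first query deliberately emits REVOKE text rather than running it: wrapper packages such as DBMS_SQL and UTL_FILE are often called from application PL/SQL through the PUBLIC grant, so each revoke should be preceded by a check of DBA_DEPENDENCIES for objects that would be invalidated, and replaced with a direct grant to the owning schema where needed.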
1 Installation, Updates and Patches
1.1 Install the Latest SQL Server Service Packs and Hotfixes
1.2 Install on dedicated single-function member servers

2 Surface Area Reduction
2.1 Set the 'Ad Hoc Distributed Queries' Server Configuration Option to 0
2.2 Set the 'CLR Enabled' Server Configuration Option to 0
2.3 Set the 'Cross DB Ownership Chaining' Server Configuration Option to 0
2.4 Set the 'Database Mail XPs' Server Configuration Option to 0
2.5 Set the 'Ole Automation Procedures' Server Configuration Option to 0
2.6 Set the 'Remote Access' Server Configuration Option to 0
2.7 Set the 'Remote Admin Connections' Server Configuration Option to 0
2.8 Set the 'Scan For Startup Procs' Server Configuration Option to 0
2.9 Set the 'Trustworthy' Database Property to Off
2.10 Disable Unnecessary SQL Server Protocols
2.11 Configure SQL Server to use non-standard ports
2.12 Set the 'Hide Instance' option to 'Yes' for Production SQL Server instances
2.13 Disable the 'sa' Login Account
2.14 Rename the 'sa' Login Account

3 Extended Stored Procedures
3.1 Revoke Execute on 'xp_availablemedia' to PUBLIC
3.2 Set the 'xp_cmdshell' option to disabled
3.3 Revoke Execute on 'xp_dirtree' to PUBLIC
3.4 Revoke Execute on 'xp_enumgroups' to PUBLIC
3.5 Revoke Execute on 'xp_fixeddrives' to PUBLIC
3.6 Revoke Execute on 'xp_servicecontrol' to PUBLIC
3.7 Revoke Execute on 'xp_subdirs' to PUBLIC
3.8 Revoke Execute on 'xp_regaddmultistring' to PUBLIC
3.9 Revoke Execute on 'xp_regdeletekey' to PUBLIC
3.10 Revoke Execute on 'xp_regdeletevalue' to PUBLIC
3.11 Revoke Execute on 'xp_regenumvalues' to PUBLIC
3.12 Revoke Execute on 'xp_regremovemultistring' to PUBLIC
3.13 Revoke Execute on 'xp_regwrite' to PUBLIC
3.14 Revoke Execute on 'xp_regread' to PUBLIC

4 Authentication and Authorization
4.1 Set the 'Server Authentication' Property to Windows Authentication mode
4.2 Revoke CONNECT permissions on the 'guest' user within all SQL Server databases excluding master, msdb and tempdb
4.3 Drop Orphaned Users From SQL Server Databases

5 Password Policies
5.1 Set the 'MUST_CHANGE' Option to ON for All SQL Authenticated Logins
5.2 Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role
5.3 Set the 'CHECK_POLICY' Option to ON for All SQL Authenticated Logins

6 Auditing and Logging
6.1 Set the 'Maximum number of error log files' setting to greater than or equal to 12
6.2 Set the 'Default Trace Enabled' Server Configuration Option to 1
6.3 Set 'Login Auditing' to Both failed and successful logins

7 Application Development
7.1 Sanitize Database and Application User Input
7.2 Set the 'CLR Assembly Permission Set' to SAFE_ACCESS for All CLR Assemblies
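
The SQL Server items in sections 2 to 6 above likewise pair a catalog query with a remediation statement. The T-SQL below collects them, as an added example that is not part of the page or of the CIS benchmark it lists. It assumes SQL Server 2008 R2 or later and a sysadmin connection; [db_name], [app_login], [sa_renamed] and the temporary password are placeholders, not values from the page.

```sql
-- Added example, not from the page or the CIS benchmark it lists.
-- Assumes SQL Server 2008 R2+, sysadmin connection; bracketed names are placeholders.

-- 2.1 - 2.8, 3.2, 6.2: anything listed here at the wrong value needs remediation.
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('Ad Hoc Distributed Queries', 'clr enabled', 'cross db ownership chaining',
                'Database Mail XPs', 'Ole Automation Procedures', 'remote access',
                'remote admin connections', 'scan for startup procs', 'xp_cmdshell',
                'default trace enabled');

EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;   -- needed for the advanced options below
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'cross db ownership chaining', 0;
EXEC sp_configure 'Database Mail XPs', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'remote access', 0;
EXEC sp_configure 'remote admin connections', 0;
EXEC sp_configure 'scan for startup procs', 0;
EXEC sp_configure 'xp_cmdshell', 0;                            -- 3.2
EXEC sp_configure 'default trace enabled', 1;                  -- 6.2
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;

-- 2.9: TRUSTWORTHY lets code inside the database act with its owner's server-level rights.
SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name <> 'msdb';
ALTER DATABASE [db_name] SET TRUSTWORTHY OFF;

-- 2.13 / 2.14
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed];   -- placeholder name

-- 3.1 - 3.14: EXECUTE on the registry/filesystem extended procedures still granted to public.
USE master;
SELECT o.name, p.permission_name, p.state_desc
  FROM sys.database_permissions p
  JOIN sys.all_objects          o  ON o.object_id     = p.major_id
  JOIN sys.database_principals  dp ON dp.principal_id = p.grantee_principal_id
 WHERE dp.name = 'public' AND p.permission_name = 'EXECUTE'
   AND o.name IN ('xp_availablemedia','xp_dirtree','xp_enumgroups','xp_fixeddrives',
                  'xp_servicecontrol','xp_subdirs','xp_regaddmultistring','xp_regdeletekey',
                  'xp_regdeletevalue','xp_regenumvalues','xp_regremovemultistring',
                  'xp_regwrite','xp_regread');
REVOKE EXECUTE ON xp_dirtree FROM public;   -- repeat for every row the query returns

-- 4.2 / 4.3: run inside each user database (not master, msdb or tempdb).
USE [db_name];
SELECT dp.name, p.permission_name, p.state_desc
  FROM sys.database_permissions p
  JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
 WHERE dp.name = 'guest' AND p.permission_name = 'CONNECT' AND p.state_desc = 'GRANT';
REVOKE CONNECT FROM guest;

SELECT dp.name AS orphaned_user            -- database user whose SID matches no server login
  FROM sys.database_principals dp
  LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
 WHERE dp.type IN ('S','U','G') AND dp.principal_id > 4 AND sp.sid IS NULL;

-- 5.1 - 5.3: SQL-authenticated logins that bypass the Windows password policy.
SELECT name, is_policy_checked, is_expiration_checked
  FROM sys.sql_logins
 WHERE is_policy_checked = 0
    OR (is_expiration_checked = 0 AND IS_SRVROLEMEMBER('sysadmin', name) = 1);
ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN [app_login] WITH PASSWORD = 'Temp0rary-Placeh0lder!' MUST_CHANGE;  -- reset at next logon

-- 6.1 / 6.3: both settings live in the instance registry hive, not in sp_configure.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, 12;
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3;  -- 3 = failed and successful
```

MUST_CHANGE only takes effect when CHECK_EXPIRATION (and therefore CHECK_POLICY) is already ON for the login, which is why the two ALTER LOGIN statements are ordered as they are; the registry changes for the error-log count and login auditing require a service restart before they apply.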
SRG-APP-000019-DB-000197
SRG-APP-000026-DB-000005
SRG-APP-000027-DB-000186
SRG-APP-000028-DB-000187
SRG-APP-000029-DB-000188
SRG-APP-000030-DB-000173
SRG-APP-000071-DB-000047
SRG-APP-000089-DB-000064
SRG-APP-000090-DB-000065
SRG-APP-000091-DB-000066
SRG-APP-000092-DB-000208
SRG-APP-000093-DB-000052
SRG-APP-000095-DB-000039
SRG-APP-000109-DB-000049
SRG-APP-000115-DB-000055
SRG-APP-000115-DB-000056
