Database Security Readiness Review Checklist
Name
Database Security Readiness Review Checklist, Version 7, Release 2.2

Version
Version 7, Release 2.2

Status
Final

Creation Date
Not Available

Revision Date
2006-10-29

Product Category
Database Management System (DBMS)

Vendor
IBM; Oracle Corporation; Microsoft Corporation

Product
Oracle Database; MS SQL Server; IBM DB2 UDB

Product Version
Oracle Database 8i, 9i, 10g; MS SQL Server 7 and 2000; IBM DB2 8.1; Generic Database

Product Role
Database server

Checklist Summary
The Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. This SRR guide focuses strictly on Oracle versions 8i, 9i and Microsoft SQL Server versions 7.0, 2000. Additionally, this checklist ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective, through procedures outlined in the checklist. The items reviewed are based on standards and requirements published by DISA in the Security Handbook and the Database Security Technical Implementation Guide. The results of the SRR scripts will coincide with the Database SRR Checklist with the following: F - Finding, N/F - Not A Finding, N/A - Not Applicable, MR - Manual Review, or NR - Not Reviewed, which can be filled in Section 2A (Oracle SRR Result Report) or Section 2B (MS SQL Server SRR Results Report).

DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security.

Known Issues
The vulnerabilities discussed in Sections 2A and 3A of this document are applicable to Oracle versions 8i, 9i, and 10g; vulnerabilities discussed in Sections 2B and 3B are applicable to MS SQL Server versions 7.0 and 2000; and vulnerabilities discussed in Sections 2C and 3C are applicable to DB2 version 8 on Unix and Windows platforms. The checklist does not address database versions earlier than those referenced above. For earlier versions, the reviewer should mark all checks, except the check for a supported version, as NA and treat this as a completed database review. The unsupported version check should be marked as Open. The generic checklist should be used to cover databases other than Oracle, SQL Server, and DB2. To perform a successful Security Readiness Review (SRR), this document provides two methods to assess vulnerabilities on an Oracle and MS SQL Server DBMS: DISA FSO scripts and manual procedures. The manual procedures should be performed if the SRR command scripts are not available, if they are not permitted, or if there is a discrepancy in the tools' reporting.

Target Audience
Developed for the DOD. This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience administering Oracle, SQL Server, DB2, or other databases.

Target Operational Environment
Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools
None.

Rollback Capability
The Oracle scripts use temporary tables that are dropped after script completion.

Testing Information
Not Available.

NIAP/CMVP Status
Not Available.

Regulatory Compliance
DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous
Please refer to the Checklist or the README.TXT files provided with the scripts for any comments, warnings, or detailed instructions.

Disclaimer
Not Available.

Product Support
It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Submitting Organization/Authors
Defense Information Systems Agency

Point of Contact
Not Available.

Sponsor
Not Available.

Licensing
Not Available.

Checklist Homepage
http://iase.disa.mil/stigs/checklist/index.html

Download Package
http://iase.disa.mil/stigs/checklist/DB-Checklist-V7R2-2-20061029.zip

Integrity
SHA1 Digest (DB-Checklist-V7R2-2-20061029.zip) = 0b34e212e9df0670fee538fe3e9c5a541822ee0c
SHA256 Digest (DB-Checklist-V7R2-2-20061029.zip) = ee83fe3344173d60296059ab89f4162e85637d99de404e9b34eea59a37e9819d

Change History
Version 6, Release 1.4, 2004-05
Version 6, Release 1.5, 2004-09
Version 6, Release 1.6, 2004-12-10
Version 7, Release 1.2, 2005-07-29
Version 7, Release 1.3, 2005-12-16
Version 7, Release 1.4, 2006-04-14
Version 7, Release 2.1, 2006-06-30
Version 7, Release 2.2, 2006-10-29

Dependency/Requirement
Database Security Technical Implementation Guide, v7 Release 1

References
The following documents and resources were consulted: Database Security Technical Implementation Guide, Version 7.1, 29 October 2004.

NIST Identifier
1006
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.