DoD STIGs – Database Security Requirements Guide

STIGs Image

What are the Database SRG DoD Stigs?

The Database Security Requirements Guide, or SRG, is published as a tool to help you improve the security of your information systems.

They were originally intended for use with the Department of Defense Information Systems, but actually contain some good practices that can be used by all organizations to help secure systems.

Before we start, let’s get some things clear

The requirements are derived from the NIST 800-53 and related documents. The information provided in these posts is based on the publicly available DISA FSO archive of STIG contact (which is public domain information). DISA FSO does not endorse, collaborate or have anything to do with these posts or site. Please do not contact them for support or questions about this site. If you use the information in any of these posts to make changes to your system, we are not responsible for the consequences (unless you use our services to help out).

There is a lot to cover

There are over 300 Findings that are reviewed to make sure your systems are compliant with the Database SRGs.

Of those there are 7 Category I, 306 Category II, and 16 Category III findings. The lower the category number, the higher the priority. Basically Category I means – FIX THIS NOW!

Through a series of blog posts we are going to touch on each of the findings, and make sure you understand if and how it pertains to SQL Server specifically.

Just so you know, a lot of the findings deal with processes outside of the SQL Server environment. In those cases we will do our best to provide basics of what can be done. Those findings that are directly related to SQL Server will be detailed with scripts to be used to determine if a violation has occured and customizable scripts to help take corrective actions.

Let’s get to it! – The List

Here is the list of the Finding IDs under the Database SRG. They are listed in Category level order from critical to low.

We are working constantly to get our interpretations onto each of the posts. If the post states Coming Soon! at the bottom we haven’t quite gotten to it, but we will!

If you come across a STIG that we haven’t commented on and would like us to get to it sooner, let us know!

We hope you find these useful in learning and understanding these requirements.

[content_box color=”#ff6600″]

Need Help?

Compliance is no easy task. It is not a set-it-and-forget-it situation.

A lot has to be done to get to a compliant state, and then it has to be maintained and monitored.

If you need help, WaterOx Consulting offers SQL Server consulting for not only getting compliant, but also making sure your SQL Servers are running as well as they can.

Contact us to talk with you about what your needs are and how we can help.

[/content_box] [divider]
This list has been updated to reflect the 2015 database requirements for the DoD STIGs
Vulnerability IDSeverityTitle
V-32514mediumThe DBMS must separate user functionality (including user interface services) from database management functionality.
V-58111mediumThe DBMS must generate audit records showing starting and ending time for user access to the database(s).
V-58059mediumThe DBMS must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
V-58113mediumThe DBMS must generate audit records when concurrent logons/connections by the same user from different workstations occur.
V-58115mediumThe DBMS must generate audit records for all privileged activities or other system-level access.
V-58117mediumThe DBMS must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.
V-58119mediumThe DBMS must be able to generate audit records when successful accesses to objects occur.
V-58051mediumThe DBMS must provide centralized configuration of the content to be captured in audit records generated by all components of the DBMS.
V-58053mediumThe DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-58055mediumThe DBMS must off-load audit data to a separate log management facility; this shall be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
V-58057mediumThe DBMS must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
V-58183mediumWhen invalid inputs are received, the DBMS must behave in a predictable and documented manner that reflects organizational and system objectives.
V-58181mediumThe DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
V-58065mediumThe DBMS must generate time stamps, for audit records and application data, with a minimum granularity of one second.
V-58067mediumThe DBMS must provide the means for individuals in authorized roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds.
V-58061mediumThe DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out – FIFO), in the event of unavailability of space for more audit log records.
V-58063mediumThe DBMS must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).
V-58069mediumThe DBMS must be able to generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
V-58109mediumThe DBMS must generate audit records when unsuccessful logons or connection attempts occur.
V-32469mediumIf passwords are used for authentication, the DBMS must transmit only encrypted representations of passwords.
V-32468mediumIf passwords are used for authentication, the DBMS must store only hashed, salted representations of passwords.
V-58105mediumThe DBMS must generate audit records when unsuccessful attempts to delete categories of information (e.g., classification levels/security levels) occur.
V-58103mediumThe DBMS must generate audit records when categories of information (e.g., classification levels/security levels) are deleted.
V-58101mediumThe DBMS must generate audit records when unsuccessful attempts to modify categories of information (e.g., classification levels/security levels) occur.
V-58107mediumThe DBMS must generate audit records when successful logons or connections occur.
V-32399mediumThe DBMS must protect its audit features from unauthorized removal.
V-32375mediumThe DBMS must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
V-32374mediumThe DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-58071mediumThe DBMS must generate audit records when privileges/permissions are added.
V-32371mediumThe DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-32370mediumThe DBMS must produce audit records containing sufficient information to establish where the events occurred.
V-32373mediumThe DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-58075mediumThe DBMS must generate audit records when privileges/permissions are modified.
V-58079mediumThe DBMS must generate audit records when privileges/permissions are deleted.
V-32203mediumThe DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-58179mediumThe DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.
V-32394mediumThe audit information produced by the DBMS must be protected from unauthorized modification.
V-32478mediumThe DBMS must map the PKI-authenticated identity to an associated user account.
V-32479mediumThe DBMS must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-32476mediumThe DBMS must enforce authorized access to all PKI private keys stored/utilized by the DBMS.
V-32393mediumThe audit information produced by the DBMS must be protected from unauthorized read access.
V-58171mediumThe DBMS must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
V-32475mediumThe DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.
V-58177mediumSecurity-relevant software updates to the DBMS must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
V-58175mediumWhen updates are applied to the DBMS software, any software components that have been replaced or made unnecessary must be removed.
V-32481mediumThe DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-32480mediumThe DBMS must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
V-32571mediumThe DBMS must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.
V-32362mediumThe DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.
V-32363mediumThe DBMS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-32366mediumThe DBMS must provide the capability for authorized users to capture, record, and log all content related to a user session.
V-32364mediumThe DBMS must be able to generate audit records when privileges/permissions are retrieved.
V-32365mediumThe DBMS must initiate session auditing upon startup.
V-58087mediumThe DBMS must generate audit records when security objects are modified.
V-58085mediumThe DBMS must generate audit records when unsuccessful attempts to access security objects occur.
V-32369mediumThe DBMS must produce audit records containing time stamps to establish when the events occurred.
V-58083mediumThe DBMS must be able to generate audit records when security objects are accessed.
V-58081mediumThe DBMS must generate audit records when unsuccessful attempts to delete privileges/permissions occur.
V-58169mediumThe DBMS must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
V-58161mediumThe DBMS must implement NIST FIPS 140-2 validated cryptographic modules to generate and validate cryptographic hashes.
V-58163mediumThe DBMS must implement NIST FIPS 140-2 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.
V-58165mediumThe DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
V-58167mediumThe DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
V-32192mediumThe DBMS must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
V-58089mediumThe DBMS must generate audit records when unsuccessful attempts to modify security objects occur.
V-58019mediumThe DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
V-58155mediumThe DBMS must maintain the confidentiality and integrity of information during reception.
V-58157mediumThe DBMS must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
V-58151mediumAccess to database files must be limited to relevant processes and to authorized, administrative users.
V-58099mediumThe DBMS must generate audit records when categories of information (e.g., classification levels/security levels) are modified.
V-58153mediumThe DBMS must maintain the confidentiality and integrity of information during preparation for transmission.
V-32398mediumThe DBMS must protect its audit configuration from unauthorized modification.
V-32397mediumThe DBMS must protect its audit features from unauthorized access.
V-58095mediumThe DBMS must generate audit records when categories of information (e.g., classification levels/security levels) are accessed.
V-32395mediumThe audit information produced by the DBMS must be protected from unauthorized deletion.
V-58097mediumThe DBMS must generate audit records when unsuccessful attempts to access categories of information (e.g., classification levels/security levels) occur.
V-58159mediumThe DBMS must implement NIST FIPS 140-2 validated cryptographic modules to provision digital signatures.
V-58091mediumThe DBMS must generate audit records when security objects are deleted.
V-32391mediumThe DBMS must use system clocks to generate time stamps for use in audit records and application data.
V-58093mediumThe DBMS must generate audit records when unsuccessful attempts to delete security objects occur.
V-32555mediumThe DBMS must check the validity of all data inputs except those specifically identified by the organization.
V-32412mediumDatabase objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be owned by database/DBMS principals authorized for ownership.
V-32413mediumDatabase software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
V-32414mediumThe DBMS software installation account must be restricted to authorized users.
V-32415mediumThe DBMS must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to the DBMS.
V-32184mediumThe DBMS must utilize NIST FIPS 140-2 validated cryptographic modules to protect the integrity of remote access sessions in the unclassified environment.
V-32182mediumThe DBMS must utilize DoD-approved encryption when passing authentication secrets for remote access sessions.
V-32183mediumThe DBMS must utilize NIST FIPS 140-2 validated cryptographic modules for encryption of unclassified data passing over remote access sessions.
V-32529mediumIn the event of a system failure, the DBMS must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-32347mediumThe DBMS must protect against a user falsely repudiating having performed organization-defined actions.
V-32424mediumUnused database components, DBMS software, and database objects must be removed.
V-32427mediumAccess to external executables must be disabled or restricted.
V-32426mediumUnused database components which are integrated in the DBMS and cannot be uninstalled must be disabled.
V-58147mediumThe DBMS must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
V-32423mediumDefault demonstration and sample databases, database objects, and applications must be removed.
V-58149mediumThe DBMS must prevent unauthorized and unintended information transfer via shared system resources.
V-32428mediumThe DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-32383mediumThe DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
V-58021mediumExecution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.
V-58023mediumThe DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-58025mediumThe DBMS must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
V-58073mediumThe DBMS must generate audit records when unsuccessful attempts to add privileges/permissions occur.
V-32547mediumDatabase contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
V-58077mediumThe DBMS must generate audit records when unsuccessful attempts to modify privileges/permissions occur.
V-32523mediumThe DBMS must invalidate session identifiers upon user logout or other session termination.
V-58045mediumThe DBMS must utilize DoD-approved cryptography to protect the integrity of remote access sessions in the classified environment.
V-58137mediumThe DBMS must prohibit the use of cached authenticators after an organization-defined time period.
V-58135mediumThe DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
V-58133mediumThe DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
V-58131mediumThe DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.
V-58039mediumThe DBMS must associate organization-defined types of security labels having organization-defined security label values with information in process.
V-58037mediumThe DBMS must associate organization-defined types of security labels having organization-defined security label values with information in storage.
V-58035mediumThe DBMS must provide logout functionality to allow the user to manually terminate a session initiated by that user.
V-32536mediumThe DBMS must isolate security functions from non-security functions.
V-32534mediumThe DBMS must protect the confidentiality and integrity of all information at rest.
V-58121mediumThe DBMS must generate audit records when unsuccessful accesses to objects occur.
V-32157mediumThe DBMS must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-32528mediumThe DBMS must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-58125mediumThe DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).
V-58049mediumThe DBMS must utilize centralized management of the content captured in audit records generated by all components of the DBMS.
V-58127mediumThe DBMS must produce audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database(s).
V-32442mediumThe DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-58123mediumThe DBMS must generate audit records for all direct access to the database(s).
V-58043mediumThe DBMS must utilize DoD-approved encryption to protect the confidentiality of classified data passing over remote access sessions.
V-58041mediumThe DBMS must associate organization-defined types of security labels having organization-defined security label values with information in transmission.
V-32570mediumThe DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-58047mediumThe DBMS must provide the capability to immediately disconnect or disable remote access to the information system.
V-58129mediumThe role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to the DBMS, etc.) must be restricted to authorized users.
V-32526mediumThe DBMS must recognize only system-generated session identifiers.
V-58173mediumThe DBMS must maintain a separate execution domain for each executing process.
V-32368mediumThe DBMS must produce audit records containing sufficient information to establish what type of events occurred.
[hide]
Vulnerability IDSeverityTitle
V-32244HighDBA OS accounts must be granted only those host system privileges necessary for the administration of the DBMS.
V-32479HighThe DBMS must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-32476HighThe DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-32472HighDBMS default accounts must be assigned custom passwords.
V-32568HighThe DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.
V-32410HighVendor supported software must be evaluated and patched against newly found vulnerabilities.
V-32526HighThe DBMS must recognize only system-generated session identifiers.
V-32242MediumThe DBA role must not be assigned excessive or unauthorized privileges.
V-32599MediumThe DBMS must notify appropriate individuals when accounts are terminated.
V-32598MediumThe DBMS must notify appropriate individuals when account disabling actions are taken.
V-32595MediumThe application uses cryptographic mechanisms to protect the integrity of audit tools.
V-32594MediumThe application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required.
V-32597MediumThe DBMS must notify appropriate individuals when accounts are modified.
V-32505MediumSoftware and/or firmware used for collaborative computing devices must prohibit remote activation excluding the organization defined exceptions where remote activation is to be allowed.
V-32591MediumApplications providing notifications regarding suspicious events must include the capability to notify an organization defined list of response personnel who are identified by name and/or by role.
V-32590MediumApplications providing IDS and prevention capabilities must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
V-32593MediumThe application must enforce organizational requirements to protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
V-32592MediumThe DBMS must support taking organization defined list of least disruptive actions to terminate suspicious events.
V-32223MediumApplications providing information flow control must track problems associated with the binding of security attributes to data.
V-32222MediumThe application must bind security attributes to information to facilitate information flow policy enforcement.
V-32221MediumApplications must uniquely identify destination domains for information transfer.
V-32220MediumApplications must uniquely authenticate source domains for information transfer.
V-32226MediumApplications must prevent encrypted data from bypassing content-checking mechanisms.
V-32225MediumApplications must enforce information flow using dynamic control based on policy that allows or disallows information flow based on changing conditions or operational considerations.
V-32224MediumApplications must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions
V-32229MediumApplications must use security policy filters as a basis for making information flow control decisions.
V-32228MediumApplications must enforce information flow control on metadata.
V-32519MediumThe application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-32179MediumThe DBMS must display security labels in human-readable form on each object output from the system to system output devices.
V-32454MediumApplications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographically based.
V-32455MediumApplications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that is cryptographically based.
V-32359MediumThe application must provide the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization defined level of tolerance.
V-32450MediumThe DBMS must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
V-32451MediumThe DBMS must use organization defined replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-32452MediumApplications required to identify devices must uniquely identify and authenticate an organization defined list of specific and/or types of devices before establishing a connection.
V-32353MediumThe application must validate the binding of the reviewers identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.
V-32380MediumThe application must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
V-32351MediumThe DBMS must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-32245MediumUse of the DBMS software installation account must be restricted to DBMS software installation.
V-32458MediumWeb services applications establishing identities at run-time for previously unknown entities must dynamically manage identifiers, attributes, and associated access authorizations.
V-32356MediumDatabases utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-32381MediumThe DBMS must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
V-32524MediumThe DBMS must provide a logout functionality to allow the user to manually terminate the session.
V-32588MediumApplications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.
V-32589MediumApplications that detect and alarm on security events such as Intrusion Detection, Firewalls, Anti-Virus, or Malware must provide near real-time alert notification.
V-32460MediumThe DBMS must support organizational requirements to enforce minimum password length.
V-32582MediumApplications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency.
V-32583MediumApplications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.
V-32581MediumApplications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration.
V-32586MediumIntrusion detection software must be able to interconnect using standard protocols to create a system wide intrusion detection system.
V-32587MediumFor those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring tools.
V-32584MediumApplications providing malicious code protection must support organizational requirements to be configured to perform organization defined action(s) in response to malicious code detection.
V-32585MediumApplications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system.
V-32230MediumApplications providing information flow control must uniquely authenticate destination domains when transferring information.
V-32231MediumIn support of information flow requirements, applications must track problems associated with information transfer.
V-32232MediumAdministrative privileges must be assigned to database accounts via database roles.
V-32501MediumThe DBMS must employ NSA-approved cryptography to protect classified information.
V-32234MediumDBMS processes or services must run under custom, dedicated OS accounts.
V-32235MediumThe DBMS must restrict grants to sensitive information to authorized user roles.
V-32236MediumA single database connection configuration file must not be used to configure all database clients.
V-32237MediumThe DBMS must be protected from unauthorized access by developers.
V-32238MediumThe DBMS must be protected from unauthorized access by developers on shared production/development host systems.
V-32239MediumThe DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.
V-32508MediumApplications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-32509MediumApplications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-32461MediumThe DBMS must support organizational requirements to enforce minimum password length.
V-32349MediumThe DBMS must validate the binding of the information to the identity of the information producer.
V-32463MediumThe DBMS must support organizational requirements to enforce password complexity by the number of upper case characters used.
V-32462MediumThe DBMS must support organizational requirements to prohibit password reuse for the organization defined number of generations.
V-32465MediumThe DBMS must support organizational requirements to enforce password complexity by the number of numeric characters used.
V-32464MediumThe DBMS must support organizational requirements to enforce password complexity by the number of lower case characters used.
V-32467MediumThe DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.
V-32466MediumThe DBMS must support organizational requirements to enforce password complexity by the number of special characters used.
V-32469MediumThe DBMS must support organizational requirements to enforce password encryption for transmission.
V-32468MediumThe DBMS must support organizational requirements to enforce password encryption for storage.
V-32346MediumThe DBMS must notify users of organization defined security related changes to the users account occurring during the organization defined time period.
V-32516MediumThe application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-32511MediumApplications utilizing mobile code must meet policy requirements regarding the acquisition, development, and/or use of mobile code.
V-32510MediumApplications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.
V-32161MediumApplications must ensure that users can directly initiate session lock mechanisms which prevent further access to the system.
V-32483MediumApplications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.
V-32513MediumApplications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code.
V-32389MediumThe DBMS must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
V-32449MediumThe DBMS, if using multifactor authentication when accessing non-privileged accounts via the network, must provide one of the factors by a device that is separate from the information system gaining access.
V-32512MediumApplications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.
V-32424MediumUnused database components, DBMS software, and database objects must be removed.
V-32375MediumThe DBMS must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
V-32374MediumThe DBMS must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-32377MediumThe DBMS itself, or the logging or alerting mechanism the application utilizes, must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.
V-32376MediumThe DBMS must provide the ability to write specified audit record content to a centralized audit log repository.
V-32209MediumApplications providing information flow control must enforce approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.
V-32208MediumApplications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-32373MediumThe DBMS must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-32205MediumThe DBMS must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).
V-32204MediumThe DBMS must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.
V-32207MediumThe DBMS must prevent access to organization defined security-relevant information except during secure, non-operable system states.
V-32206MediumThe DBMS must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights and includes or excludes access to the granularity of a single user.
V-32201MediumService Oriented Architecture (SOA) based applications must dynamically manage user privileges and associated access authorizations.
V-32200MediumThe DBMS must support the organizational requirements for automatically monitoring, auditing, and alerting on atypical usage of accounts.
V-32203MediumThe DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.
V-32202MediumThe application must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-32577MediumThe application must prevent non-privileged users from circumventing malicious code protection capabilities.
V-32576MediumThe application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.
V-32162MediumThe application must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.
V-32574MediumApplications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization defined basis.
V-32573MediumApplications providing patch management capabilities must support the organizational requirements to install software updates automatically.
V-32572MediumThe DBMS must support the requirement to activate an alarm and/or automatically shut down the information system if an application component failure is detected. This can include conducting a graceful application shutdown to avoid losing information.
V-32478MediumThe DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.
V-32426MediumUnused database components which are integrated in the DBMS and cannot be uninstalled must be disabled.
V-32474MediumThe DBMS must enforce password maximum lifetime restrictions.
V-32475MediumThe DBMS, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-32473MediumDBMS passwords must not be stored in compiled, encoded, or encrypted batch jobs or compiled, encoded, or encrypted application source code.
V-32470MediumThe DBMS must enforce password minimum lifetime restrictions.
V-32518MediumThe application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-32406MediumThe application must support the employment of automated mechanisms supporting the auditing of the enforcement actions.
V-32246MediumDBMS default account names must be changed.
V-32419MediumConfiguration management applications must employ automated mechanisms to centrally verify configuration settings.
V-32378MediumThe DBMS must provide a real-time alert when organization defined audit failure events occur.
V-32418MediumConfiguration management applications must employ automated mechanisms to centrally apply configuration settings.
V-32481MediumThe DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-32480MediumThe DBMS must use NIST validated FIPS 140-2 compliant cryptography for authentication mechanisms.
V-32487MediumThe DBMS must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
V-32486MediumThe DBMS must employ cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-32485MediumThe DBMS, when used for non-local maintenance sessions, must protect those sessions through the use of a strong authenticator tightly bound to the user.
V-32484MediumApplications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.
V-32489MediumDatabases employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-32488MediumThe DBMS must terminate all sessions and network connections when non-local maintenance is completed.
V-32456MediumApplications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographically based.
V-32255MediumThe DBMS must have its auditing configured to reduce the likelihood of storage capacity being exceeded.
V-32362MediumThe DBMS must provide audit record generation capability for organization defined auditable events within the database.
V-32363MediumThe DBMS must allow designated organizational personnel to select which auditable events are to be audited by the database.
V-32218MediumApplications must provide the ability to enforce security policies regarding information on interconnected systems.
V-32219MediumApplications must uniquely identify source domains for information transfer.
V-32366MediumThe DBMS must provide the capability to capture, record, and log all content related to a user session.
V-32367MediumThe DBMS must provide the capability to remotely view all content related to an established user session in real time.
V-32364MediumThe DBMS must generate audit records for the DoD selected list of auditable events.
V-32365MediumThe DBMS must initiate session auditing upon startup of the database.
V-32212MediumApplications providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.
V-32213MediumApplications providing flow control must identify data type, specification and usage when transferring information between different security domains so that policy restrictions may be applied.
V-32210MediumApplications providing information flow control must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-32211MediumApplications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.
V-32216MediumApplications designed to control information flow must provide the ability to detect unsanctioned information being transmitted across security domains.
V-32217MediumApplications must provide the ability to prohibit the transfer of unsanctioned information in accordance with security policy.
V-32214MediumApplications, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-32215MediumApplications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements.
V-32564MediumApplications that serve to protect organizations and individuals from SPAM messages must incorporate update mechanisms updating protection mechanisms and signature updates when new application releases are available in accordance with organizational configuration management policy and procedures.
V-32565MediumApplications that are utilized to address the issue of SPAM and provide protection from SPAM must automatically update any and all SPAM protection measures including signature definitions.
V-32409MediumThe DBMS must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.
V-32567MediumApplications must provide automated support for the management of distributed security testing.
V-32560MediumAny software application designed to function as a firewall must be capable employing a default deny all configuration.
V-32561MediumApplications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.
V-32562MediumProxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses.
V-32563MediumApplications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.
V-32403MediumThe DBMS must protect the audit records generated, as a result of remote access to privileged accounts, and the execution of privileged functions.
V-32402MediumThe DBMS must protect audit data records and integrity by using cryptographic mechanisms.
V-32401MediumThe DBMS must support the requirement to back up audit data and records onto a different system or media than the system being audited on an organization defined frequency.
V-32400MediumThe DBMS must have the capability to produce audit records on hardware-enforced, write-once media.
V-32407MediumApplications must prevent the installation of organization defined critical software programs not signed with a certificate that has been recognized and approved by the organization.
V-32360MediumA DBMS utilizing Discretionary Access Control (DAC) must enforce a policy that includes or excludes access to the granularity of a single user.
V-32405MediumThe DBMS must support the organizational requirement to employ automated mechanisms for enforcing access restrictions.
V-32404MediumThe DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
V-32191MediumApplications must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction.
V-32190MediumThe application must monitor for unauthorized connections of mobile devices to organizational information systems.
V-32193MediumThe DBMS must provide a mechanism to automatically identify accounts designated as temporary or emergency accounts.
V-32192MediumThe DBMS must provide automated mechanisms for supporting user account management.
V-32195MediumThe DBMS must be capable of automatically disabling accounts after a 35 day period of account inactivity.
V-32194MediumThe DBMS must provide a mechanism to automatically terminate accounts designated as temporary or emergency accounts after an organization defined time period.
V-32197MediumThe DBMS must support the requirement to automatically audit account modification.
V-32196MediumThe DBMS must support the requirement to automatically audit account creation.
V-32199MediumThe DBMS must automatically audit account termination.
V-32198MediumThe DBMS must automatically audit account disabling actions.
V-32445MediumThe DBMS must use multifactor authentication for local access to privileged accounts.
V-32253MediumThe DBMS must retain the notification message or banner on the screen until users take explicit actions to log on to the database.
V-32490MediumThe DBMS must support organizational requirements to encrypt information stored in the database.
V-32491MediumApplication software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization defined frequency.
V-32492MediumThe DBMS must terminate the network connection associated with a communications session at the end of the session or after an organization defined time period of inactivity.
V-32493MediumThe application must establish a trusted communications path between the user and organization defined security functions within the information system.
V-32494MediumApplications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.
V-32495MediumApplications involved in the production, control, and distribution of symmetric and asymmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.
V-32496MediumApplications involved in the production, control, and distribution of asymmetric cryptographic keys must use must use approved PKI Class 3 certificates or prepositioned keying material.
V-32497MediumApplications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or class 4 certificates and hardware tokens that protect the users private key.
V-32498MediumThe DBMS must implement required cryptographic protections using cryptographic modules complying with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
V-32499MediumDatabase data files containing sensitive information must be encrypted.
V-32459MediumThe DBMS must support organizational requirements to disable user accounts after an organization defined time period of inactivity.
V-32361MediumThe application must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-32399MediumThe DBMS must protect audit tools from unauthorized deletion.
V-32398MediumThe DBMS must protect audit tools from unauthorized modification.
V-32397MediumThe DBMS must protect audit tools from unauthorized access.
V-32395MediumThe DBMS must protect audit information from unauthorized deletion.
V-32394MediumThe DBMS must protect audit information from unauthorized modification.
V-32393MediumThe DBMS must protect audit information from any type of unauthorized access.
V-32392MediumThe DBMS must synchronize with internal operating system clocks which in turn, are synchronized on an organization defined frequency with an organization defined authoritative time source.
V-32391MediumThe DBMS must use system clocks to generate timestamps for audit records.
V-32390MediumAttempts to bypass access controls must be audited.
V-32553MediumApplications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.
V-32369MediumThe DBMS must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-32555MediumThe DBMS must check the validity of data inputs.
V-32554MediumThe application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-32557MediumApplications designed to enforce protocol formats must employ automated mechanisms to enforce strict adherence to protocol format.
V-32556MediumBoundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.
V-32559MediumBoundary protection applications must be capable of preventing public access into the organizations internal networks except as appropriately mediated by managed interfaces.
V-32558MediumBoundary protection applications must fail securely in the event of an operational failure.
V-32412MediumDatabase objects must be owned by accounts authorized for ownership.
V-32413MediumDatabase software directories, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.
V-32414MediumThe DBMS software installation account must be restricted to authorized users.
V-32415MediumDatabase software, applications and configuration files must be monitored to discover unauthorized changes.
V-32416MediumThe DBMS must automatically implement organization defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
V-32417MediumConfiguration management applications must employ automated mechanisms to centrally manage configuration settings.
V-32188MediumThe DBMS must ensure remote sessions that access an organization defined list of security functions and security-relevant information are audited.
V-32189MediumThe DBMS must support the disabling of network protocols deemed by the organization to be non-secure.
V-32186MediumThe DBMS must allow all remote access to be routed through managed access control points.
V-32187MediumThe application must monitor for unauthorized remote connections to the information system on an organization defined frequency.
V-32184MediumA DBMS providing remote access capabilities must utilize approved cryptography to protect the integrity of remote access sessions.
V-32185MediumThe application must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-32182MediumThe DBMS must utilize approved cryptography when passing authentication data for remote access sessions.
V-32183MediumA DBMS providing remote access capabilities must utilize organization defined cryptography to protect the confidentiality of data passing over remote access sessions.
V-32181MediumThe DBMS must display security labels using organization identified human-readable, standard naming conventions.
V-32448MediumThe DBMS, if using multifactor authentication when accessing privileged accounts via the network, must provide one of the factors by a device that is separate from the information system gaining access.
V-32447MediumThe DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-32446MediumThe DBMS must use multifactor authentication for local access to non-privileged accounts.
V-32566MediumThe DBMS must verify there have not been unauthorized changes to the DBMS software and information.
V-32172MediumThe DBMS must maintain the binding of security labels to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions.
V-32427MediumAccess to external executables must be disabled or restricted.
V-32170MediumThe DBMS must provide the capability to specify administrative users and grant them the right to change application security labels pertaining to application data.
V-32420MediumConfiguration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings.
V-32423MediumDefault demonstration and sample databases, database objects, and applications must be removed.
V-32422MediumThe DBMS must enforce requirements for remote connections to the information system.
V-32384MediumTo support audit review, analysis and reporting the application must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-32385MediumApplications must provide the capability to centralize the review and analysis of audit records from multiple components within the system.
V-32386MediumThe application must prevent the execution of prohibited mobile code.
V-32429MediumTo support the requirements and principles of least functionality, the application must support organizational requirements regarding the use of automated mechanisms preventing program execution on the information system in accordance with the organization defined specifications.
V-32428MediumThe DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-32382MediumThe DBMS must alert designated organizational officials in the event of an audit processing failure.
V-32383MediumThe DBMS must be capable of taking organization defined actions upon audit failure (e.g., overwrite oldest audit records, stop generating audit records, cease processing, notify of audit failure).
V-32421MediumConfiguration management solutions must track unauthorized, security-relevant configuration changes.
V-32549MediumThe DBMS must protect against or limit the effects of the organization defined types of Denial of Service (DoS) attacks.
V-32546MediumApplications must support organization defined requirements to load and execute from hardware-enforced, read-only media.
V-32547MediumThe DBMS must prevent unauthorized and unintended information transfer via shared system resources.
V-32544MediumApplications required to be non-modifiable must support organizational requirements to provide components that contain no writeable storage capability. These components must be persistent across restart and/or power on/off.
V-32545MediumApplications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media.
V-32542MediumApplications must meet organizational requirements to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-32543MediumThe application must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
V-32540MediumThe DBMS must employ automated mechanisms to alert security personnel of inappropriate or unusual activities with security implications.
V-32169MediumThe DBMS must dynamically reconfigure security labels in accordance with an identified security policy as information is created and combined.
V-32532MediumOnly a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must be not be shared or used for any other purpose other than described.
V-32163MediumThe DBMS must maintain and support organization defined security labels on stored information.
V-32500MediumThe DBMS must employ NIST validated cryptography to protect unclassified information.
V-32160MediumThe DBMS must not interfere or be impacted by an OS level session lock.
V-32371MediumThe DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events.
V-32442MediumThe DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-32370MediumThe DBMS must produce audit records containing sufficient information to establish where the events occurred.
V-32523MediumThe DBMS must terminate user sessions upon user logout or any other organization or policy defined session termination events, such as idle time limit exceeded.
V-32166MediumThe DBMS must maintain the binding of security labels to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions.
V-32569MediumThe DBMS must identify potentially security-relevant error conditions.
V-32432MediumThe DBMS must be capable of backing up user-level information per a defined frequency.
V-32433MediumDatabase backup procedures must be defined, documented, and implemented.
V-32430MediumRecovery procedures and technical system features must exist to ensure recovery is done in a secure and verifiable manner.
V-32431MediumThe DBMS must have transaction journaling enabled.
V-32436MediumDBMS must conduct backups of system-level information per organization defined frequency that is consistent with recovery time and recovery point objectives.
V-32437MediumThe DBMS software libraries must be periodically backed up.
V-32434MediumDatabase recovery procedures must be developed, documented, implemented, and periodically tested.
V-32435MediumDBMS backup and restoration files must be protected from unauthorized access.
V-32471MediumProcedures for establishing temporary passwords that meet DoD password requirements for new accounts must be defined, documented, and implemented.
V-32439MediumThe application must support and must not impede organizational requirements to conduct backups of information system documentation including security-related documentation per organization defined frequency.
V-32596MediumThe DBMS must notify appropriate individuals when accounts are created.
V-32248MediumThe DBMS must specify account lockout duration that is greater than or equal to the organization approved minimum.
V-32539MediumApplications must meet organizational requirements to implement an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions.
V-32538MediumThe DBMS must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-32515MediumThe DBMS must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-32241MediumNon-privileged accounts must be utilized when accessing non-administrative functions.
V-32379MediumThe application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
V-32243MediumOS accounts utilized to run external procedures called by the DBMS must have limited privileges.
V-32530MediumApplications must enforce requirements regarding the connection of mobile devices to organizational information systems.
V-32537MediumThe DBMS must automatically terminate emergency accounts after an organization defined time period for each type of account.
V-32536MediumThe DBMS must isolate security functions from non-security functions by means of separate security domains.
V-32535MediumThe DBMS must employ cryptographic mechanisms preventing the unauthorized disclosure of information at rest unless the data is otherwise protected by alternative physical measures.
V-32534MediumThe DBMS must take needed steps to protect data at rest and ensure confidentiality and integrity of application data.
V-32579MediumApplications must provide notification of failed automated security tests.
V-32249MediumThe DBMS must have the capability to limit the number of failed login attempts based upon an organization defined number of consecutive invalid attempts occurring within an organization defined time period.
V-32514MediumThe DBMS must separate user functionality (including user interface services) from database management functionality.
V-32507MediumThe application must validate the integrity of security attributes exchanged between systems.
V-32502MediumThe DBMS must employ NIST validated FIPS compliant cryptography to protect unclassified information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
V-32411MediumThe OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).
V-32164MediumThe DBMS must maintain and support organization defined security labels on information in process.
V-32256MediumThe DBMS must have allocated audit record storage capacity.
V-32257MediumApplications scanning for malicious code must scan all media used for system maintenance prior to use.
V-32254MediumThe DBMS must display the system use information when appropriate, before granting further access.
V-32158MediumThe application must ensure the screen display is obfuscated when an application session lock event occurs.
V-32250MediumThe DBMS must enforce the organization defined time period during which the limit of consecutive failed login attempts by a user is counted.
V-32251MediumThe DBMS, when the maximum numbers of unsuccessful attempts is exceeded, must automatically lock the account/node for an organization defined time period or lock the account/node until released by an administrator IAW organizational policy.
V-32157MediumThe DBMS must limit the number of concurrent sessions for each system account to an organization defined number of sessions.
V-32578MediumMalicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.
V-32258MediumApplications utilizing mobile code must meet DoD-defined mobile code requirements.
V-32528MediumThe DBMS must fail to a known safe state for defined types of failures.
V-32529MediumThe DBMS must preserve any organization defined system state information in the event of a system failure.
V-32517MediumApplications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
V-32444MediumThe DBMS must use multifactor authentication for network access to non-privileged accounts.
V-32443MediumThe DBMS must use multifactor authentication for network access to privileged accounts.
V-32571MediumThe DBMS must restrict error messages, so only authorized personnel may view them.
V-32503MediumApplications must respond to security function anomalies in accordance with organization defined responses and alternative action(s).
V-32520MediumThe application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-32521MediumApplications that collectively provide name/address resolution service for an organization must implement internal/external role separation.
V-32522MediumThe DBMS must ensure authentication of both client and server during the entire session.
V-32570MediumThe DBMS must only generate error messages that provide information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited.
V-32504MediumThe DBMS must protect the integrity of publicly available information and applications.
V-32525MediumThe DBMS must generate a unique session identifier for each session.
V-32527MediumThe DBMS must generate unique session identifiers with organization defined randomness requirements.
V-32533MediumApplications must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPN
V-32240MediumAdministrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.
V-32368MediumThe DBMS must produce audit records containing sufficient information to establish what type of events occurred.
V-32506MediumThe DBMS must associate and maintain security labels when exchanging information between systems.
V-32531MediumThe application must disable network access by unauthorized components/devices or notify designated organizational officials.
V-32176MediumThe DBMS must allow authorized users to associate security labels to information in the database.
V-32227LowThe DBMS must enforce organization defined limitations on the embedding of data types within other data types.
V-32348LowThe DBMS must associate the identity of the information producer with the information.
V-32345LowThe DBMS must notify the user of the number of unsuccessful login attempts occurring during an organization defined time period.
V-32347LowThe DBMS must protect against an individual using a group account from falsely denying having performed a particular action.
V-32551LowThe DBMS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-32550LowThe DBMS must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-32388LowThe DBMS must provide a report generation capability for audit reduction data.
V-32387LowThe DBMS must provide an audit log reduction capability.
V-32260LowThe DBMS must display the number of failed login attempts made with a user account upon successful login of that user account.
V-32548LowThe DBMS must not share resources used to interface with systems operating at different security levels.
V-32552LowThe DBMS must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-32575LowThe DBMS must support organizational requirements to employ automated patch management tools to facilitate flaw remediation to organization defined information system components.
V-32247LowThe DBMS must be able to function within separate processing domains (virtualized systems), when specified, to enable finer-grained allocation of user privileges.
V-32252LowThe DBMS must display an approved system use notification message or banner before granting access to the database.
V-32259LowThe DBMS must, upon successful login, display to the user the date and time of the users last login.
V-32233LowThe DBMS must support organizational requirements to implement separation of duties through assigned information access authorizations.
[/hide]

Comments 5

  1. I was wondering, if you can have a SQL Server with 2012 STIGs and use it to host data for several web servers. I am not sure if there is a standard on which types of data you cannot store in the same server together, unless of course you have a database that has classified information and another that is unclassified.

    1. Post
      Author

      As far as I know the separation of classified and non-classified databases is the priority in helping reduce risks. The overall guidelines of the STIGs help to secure the systems, even from themselves internally.
      The best way to know for certain is to discuss the matter with your auditor as they are the ones that will determine of you are ultimately compliant or not 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.