Defined Type: ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts

Defined in:
manifests/controls/use_multifactor_authentication_for_local_access_to_non_privileged_accounts.pp

Summary

Review DBMS settings, OS settings, and/or enterprise-level authentication/access mechanism settings to determine whether users logging on to non-privileged accounts locally are required to use multifactor authentication.

Overview

ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts

If users logging on to non-privileged accounts locally are not required to use multifactor authentication, this is a finding.

Use authentication to prove the identities of users who are attempting to log on to the database. Authenticating user identity is imperative in distributed environments, without which there can be little confidence in network security. Passwords are the most common means of authentication. Oracle Database enables strong authentication with Oracle authentication adapters that support various third-party authentication services, including TLS with digital certificates.

If the $ORACLE_HOME/network/admin/sqlnet.ora contains entries similar to the following, TLS is enabled. (Note: This assumes that a single sqlnet.ora file, in the default location, is in use. Please see the supplemental file “Non-default sqlnet.ora configurations.pdf” for how to find multiple and/or differently located sqlnet.ora files.)

```
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_VERSION = 1.2
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
    )
  )

SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
ADR_BASE = /u01/app/oracle
```
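The review step above, as an added example that is not part of the ora_secured module: a small Python parser for sqlnet.ora that reports which of the TLS entries from the listing are missing. The function names and both sample files are constructed for illustration. An empty result shows the TLS entries are present, not that multifactor authentication is enforced.

```python
import re

PARAM_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")

def parse_sqlnet(text):
    """Map UPPERCASE parameter name -> raw value. A parameter starts only at
    column 0 outside parentheses; anything else continues the previous value."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = PARAM_RE.match(line) if depth == 0 else None
        if m:
            name = m.group(1).upper()
            params[name] = m.group(2).strip()
        elif name:
            params[name] += " " + line.strip()  # continuation of a nested value
        depth = max(0, depth + line.count("(") - line.count(")"))
    return params

def tls_findings(text):
    """Return the entries from the listing that are missing or set differently."""
    p = parse_sqlnet(text)
    services = re.findall(r"\w+", p.get("SQLNET.AUTHENTICATION_SERVICES", "").upper())
    findings = []
    if "TCPS" not in services:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include TCPS")
    if p.get("SSL_CLIENT_AUTHENTICATION", "").upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not set to TRUE")
    if not re.search(r"\(\s*DIRECTORY\s*=\s*[^)\s]+", p.get("WALLET_LOCATION", ""), re.I):
        findings.append("WALLET_LOCATION has no wallet DIRECTORY")
    return findings

# Constructed samples: the first mirrors the listing above, the second is a weak file.
SAMPLE_TLS = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
(SOURCE =
  (METHOD = FILE)
  (METHOD_DATA =
    (DIRECTORY = /u01/app/oracle/product/12.1.0/dbhome_1/owm/wallets)
  )
)
SSL_CIPHER_SUITES= (SSL_RSA_WITH_AES_256_CBC_SHA384)
"""
SAMPLE_WEAK = "# no TCPS\nSQLNET.AUTHENTICATION_SERVICES = (BEQ)\nSSL_CLIENT_AUTHENTICATION = FALSE\n"
if __name__ == "__main__":
    print(tls_findings(SAMPLE_TLS), tls_findings(SAMPLE_WEAK))
```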

Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require multifactor authentication for local users logging on to non-privileged accounts.

If appropriate, enable support for Transport Layer Security (TLS) protocols and multifactor authentication through the use of Smart Cards (CAC/PIV).

## Skipping

To deliberately skip this control (that is, to not use Puppet to enforce this setting), we provide you with three ways:

1) Add `ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts: skip` to your hiera data. This will skip this control for ALL databases.
2) Add `ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts::dbname: skip` to your hiera data. This will skip this control for the specified database only.
3) Add an entry with the content `use_multifactor_authentication_for_local_access_to_non_privileged_accounts` to the array value `ora_secured::skip_list` in your hiera data.

## Benchmarks

This control is used in the following benchmarks:

  • [Oracle Database 12c CIS V1](/docs/ora_secured/stig/db12c_V1.html) - id V-61709

See the file “LICENSE” for the full license governing this code.

Parameters:

  • title

    The SID to apply the control to. All controls need an SID to apply the control to. Here is a simple example:

    ```puppet
    ora_secured::controls::control_name { 'DBSID':}
    ```

    In this example, the string DBSID is the SID to apply the control to.



# File 'manifests/controls/use_multifactor_authentication_for_local_access_to_non_privileged_accounts.pp', line 57

```puppet
define ora_secured::controls::use_multifactor_authentication_for_local_access_to_non_privileged_accounts
{
  ora_secured_setup { "use_multifactor_authentication_for_local_access_to_non_privileged_accounts on ${title}":
    ensure => 'present',
  }

  alert('Specified STIG control is not yet automatically enforced.')
}
```