STIG Implementation Script for Oracle Database Appliance
(Doc ID 1461102.1)
Last updated on MAY 21, 2023
Applies to:
Oracle Database Appliance - Version All Versions and later
Oracle Database Appliance Software - Version 2.2.0.0 to 18.5.0.0.0 Bare Metal [Release 2.2 to 12.2]
Linux x86-64
Goal
The Department of Defense (DoD) DISA Information Assurance Process includes Certification and Accreditation (C&A), which in turn includes the Security Technical Implementation Guides (STIGs). These are guidelines and scripts that are run to advise on securing and locking down databases, operating systems, application servers, and other system components. Currently, DoD customers are running various Oracle products that go through the DoD C&A process, including the STIG process. General STIG information is available at: https://public.cyber.mil/stigs/
The Oracle Database Appliance (ODA) is a fully integrated system of software, servers, storage, and networking in a single box that delivers high-availability database services. Oracle engineered Oracle Database Appliance for simplicity. Accordingly, Oracle aims to provide a more simplified configuration and patching process.
Because the DoD C&A STIG process requires vulnerability assessment and remediation, Oracle will make commercially reasonable efforts to work with the customer through the Oracle Support service request process to meet the DoD C&A STIG remediation requirement, or to enable customers to make the necessary changes to the Oracle Database Appliance in order to do so, provided that the customer is officially supported by the Oracle Database Appliance product development organization. If there is a problem with an Oracle Database Appliance patch due to the DoD C&A STIG remediation, we ask customers to work with Oracle Support to determine the appropriate course of action, which may be to roll back the remediation steps, re-run the patch, and then re-apply the DoD C&A STIG process and required remediation steps.
Please note that Oracle Database Appliance is an engineered system and is pre-configured for optimal usage. There are out-of-the-box configuration settings that may not be modified. For example, the Disk Group composition and configuration may not be altered beyond the recommended configurations. However, certain qualified and supported changes may be allowed after review. Oracle also allows various third-party agents to run on the Oracle Database Appliance. These include anti-virus software, HBSS software, SCAP-compliant agents, Retina Scan software, etc.
Please note that if you are using the ODA-EM Plug-In, the root password must be welcome1 (default) during the discovery process.
STIG compliance was implemented in the ODA 19.12 release.
See https://docs.oracle.com/en/engineered-systems/oracle-database-appliance/19.12/cmtrn/about-18.html#GUID-D58F1D2F-6A0A-4226-B009-ABBFFA8B556D
For 18.7 and later versions, you can enable STIG using the steps defined in the documentation:
https://docs.oracle.com/en/engineered-systems/oracle-database-appliance/18.7/cmtsg/security-features-database-appliance.html
Solution