| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-206520 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must integrate with an organization-level... | - | |||
Check Text: If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. If there are any accounts managed by the DBMS, review the system documentation for justification and approval of these accounts. If any DBMS-managed accounts exist that are not documented and approved, this is a finding.

Fix Text: Integrate DBMS security with an organization-level authentication/access mechanism providing account management for all users, groups, roles, and any other principals. For each DBMS-managed account that is not documented and approved, either transfer it to management by the external mechanism, or document the need for it and obtain approval, as appropriate.

Comments: The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Installer accounts are created and sent from shore and are authenticated using user id/password. The naming convention for the domain admin account is not consistent across various platforms and installers may not have access to a CAC reader. Application accounts are authenticated using either user id/password or a CAC. This gives a mariner the flexibility to access the ShipCLIP application when CAC card issues occur during ship deployments and the mariner is unable to correct them until in port.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206521 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must enforce approved authorizations for ... | - | |||
Check Text: Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

Fix Text: Configure the DBMS settings and access controls to permit user access only to objects and data that the user is authorized to view or interact with, and to prevent access to all other objects and data.

Comments: MSC Afloat Applications utilize access controls and access authentication to the database server and the DBMS enforces roles at the database level in accordance with MSC IBS Access Control Policy 2.2.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206545 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS software installation account must be res... | - | |||
Check Text: Review procedures for controlling, granting access to, and tracking use of the DBMS software installation account. If access or use of this account is not restricted to the minimum number of personnel required or if unauthorized access to the account has been granted, this is a finding.

Fix Text: Develop, document, and implement procedures to restrict and track use of the DBMS software installation account.

Comments: Software installations can only be performed by a privileged user. The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. A request to relax the HBSS policy is also submitted to Afloat Operations Service Desk who approves and implements the request.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206555 | CAT I | MONT-DB-002 | Database Security Requirements Guide | If DBMS authentication, using passwords, is employ... | - | |||
Check Text: If DBMS authentication, using passwords, is not employed, this is not a finding. If the DBMS is configured to inherit password complexity and lifetime rules from the operating system or access control program, this is not a finding.

Review the DBMS settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding.

a. Minimum of 15 characters, including at least one of each of the following character sets:
   - Uppercase.
   - Lowercase.
   - Numerics.
   - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <).
b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.

Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.

a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.
b. Password lifetime limits for noninteractive accounts: Minimum 24 hours, maximum 365 days.
c. Number of password changes before an old one may be reused: Minimum of five.

Fix Text: If the use of passwords is not needed, configure the DBMS to prevent their use if it is capable of this; if it is not, institute policies and procedures to prohibit their use. If the DBMS can inherit password complexity rules from the operating system or access control program, configure it to do so. Otherwise, use DBMS configuration parameters and/or custom code to enforce the following rules for passwords:

a. Minimum of 15 characters, including at least one of each of the following character sets:
   - Uppercase.
   - Lowercase.
   - Numerics.
   - Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <).
b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight.
c. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days.
d. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days.
e. Number of password changes before an old one may be reused: Minimum of five.

Comments: Database contains an obfuscated procedure, f_verify_pwd, that enforces password complexity. Login Policies enforce password lifetime.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206556 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must for password-based authentication, s... | - | |||
Check Text: Review the list of DBMS database objects, database configuration files, associated scripts, and applications defined within and external to the DBMS that access the database. The list should also include files or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine whether any DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are hashed using FIPS-approved cryptographic algorithms and include a salt. If any passwords are stored in clear text, this is a finding. If any passwords are stored with reversible encryption, this is a finding. If any passwords are stored using unsalted hashes, this is a finding.

Fix Text: Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.

Comments: Database passwords are stored as hashed, salted representations.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206557 | CAT I | MONT-DB-002 | Database Security Requirements Guide | If passwords are used for authentication, the DBMS... | - | |||
Check Text: Review configuration settings for encrypting passwords in transit across the network. If passwords are not encrypted, this is a finding. If it is determined that passwords are passed unencrypted at any point along the transmission path between the source and destination, this is a finding.

Fix Text: Configure encryption for transmission of passwords across the network. If the database does not provide encryption for logon events natively, employ encryption at the OS or network level. Ensure passwords remain encrypted from source to destination.

Comments: Database or application connections transmit data using TLS in-transit encryption which includes the encrypted representations of passwords. In-transit encryption is configured in the smisdbs17-E.cfg file using the -ec option and specifying the identity path+filename of the obfuscated TLS configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206559 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must enforce authorized access to all PKI... | - | |||
Check Text: Review DBMS configuration to determine whether appropriate access controls exist to protect the DBMS's private key(s). If the DBMS’s private key(s) are not stored in a FIPS 140-2 or 140-3 validated cryptographic module, this is a finding. If access to the DBMS’s private key(s) is not restricted to authenticated and authorized users, this is a finding.

Fix Text: Store all DBMS PKI private keys in a FIPS 140-2 or 140-3 validated cryptographic module. Ensure access to the DBMS PKI private keys is restricted to only authenticated and authorized users.

Comments: The database server can only be accessed by a privileged user, who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. Access to PKI private keys is restricted to privileged users having direct access to the server. Files containing in-transit and at-rest encryption keys are obfuscated. If the keys are modified, the database will not start or be accessible.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206561 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must obscure feedback of authentication i... | - | |||
Check Text: If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding. If any application, tool or feature associated with the DBMS/database displays any authentication secrets (to include PINs and passwords) during - or after - the authentication process, this is a finding.

Fix Text: Modify and configure each non-compliant application, tool, or feature associated with the DBMS/database so that it does not display authentication secrets.

Comments: The DBMS is configured to obfuscate passwords during the authentication process.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206562 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must use NIST FIPS 140-2 or 140-3 validat... | - | |||
Check Text: Review DBMS configuration to verify it is using NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations. If NIST FIPS 140-2 or 140-3 validated modules are not being used for all cryptographic operations, this is a finding.

Fix Text: Utilize NIST FIPS 140-2 or 140-3 validated cryptographic modules for all cryptographic operations.

Comments: The DBMS is configured to start in FIPS mode using the -fips database server option (SQL Anywhere 17 - -fips Database Option.pdf). This option enables the DBMS to use the FIPS 140-2 cryptographic modules (SQL Anywhere 17 - FIPS-certified Encryption Technology.pdf).
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206570 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect the confidentiality and inte... | - | |||
Check Text: If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Review DBMS settings to determine whether controls exist to protect the confidentiality and integrity of data at rest in the database. If controls do not exist or are not enabled, this is a finding.

Fix Text: Apply appropriate controls to protect the confidentiality and integrity of data at rest in the database.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206604 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must implement cryptographic mechanisms t... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring cryptographic protection from modification is not encrypted in a manner that provides the required level of protection, this is a finding.

Fix Text: Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206605 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must implement cryptographic mechanisms p... | - | |||
Check Text: Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If the documentation indicates no information requires such protections, this is not a finding. Review the configuration of the DBMS, operating system/file system, and additional software as relevant. If any of the information defined as requiring protection is not encrypted in a manner that provides the required level of protection and is not physically secured to the required level, this is a finding.

Fix Text: Configure the DBMS, operating system/file system, and additional software as relevant, to provide the required level of cryptographic protection for information requiring cryptographic protection against disclosure. Secure the premises, equipment, and media to provide the required level of physical protection.

Comments: Data encryption is configured to protect the confidentiality and integrity of data at rest using the -ek (strong database encryption) option in the database configuration file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-233495 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must use NSA-approved cryptography to pro... | - | |||
Check Text: If the DBMS is deployed in an unclassified environment, this is not applicable (NA). If the DBMS is not configured to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards, this is a finding.

Fix Text: Deploy a DBMS compatible with the use of NSA-approved cryptography. Configure the DBMS and related system components to use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Comments: MSC IBS Afloat applications do not handle classified information.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-278969 | CAT I | MONT-DB-002 | Database Security Requirements Guide | The DBMS must be a version supported by the vendor... | - | |||
Check Text: Verify the DBMS is a version supported by the vendor. If the DBMS is not a version supported by the vendor, this is a finding.

Fix Text: Upgrade or install a version of the DBMS supported by the vendor.

Comments: MSC Business System Afloat applications use SQL Anywhere 17 database software. On page 16 of SAP SQL Anywhere Supported Platforms.pdf, this database version is currently active and supported by SAP.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206519 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must limit the number of concurrent sessi... | - | |||
Check Text: Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users. Review the concurrent-sessions settings in the DBMS and/or the applications using it, and/or the system software supporting it. If the DBMS is capable of enforcing this restriction but is not configured to do so, this is a finding. This holds even if the restriction is enforced by applications or supporting software. If it is not technically feasible for the DBMS to enforce this restriction, but the application(s) or supporting software are configured to do so, this is not a finding. If it is not technically feasible for the DBMS to enforce this restriction, and applications and supporting software are not so configured, this is a finding. If the value for any type of user account is not set, this is a finding. If a value is set but is not equal to the value specified in the documentation (or the default value defined in this check) for the type of user, this is a finding.

Fix Text: If the DBMS is capable of enforcing this restriction, but is not configured to do so, configure it to do so. (This may involve the development of one or more triggers.) If it is not technically feasible for the DBMS to enforce this restriction, and the application(s) and supporting software are not configured to do so, configure them to do so. If the value for any type of user account is not set, determine the correct value and set it. If a value is set but is not equal to the value specified for the type of user, determine the correct value, set it, and update the documentation, as appropriate.

Comments: InstallUserLogin_Policy is set to 5 connections. Direct DB access is not available to users, so UserLogin_Policy and CACUserLogin_Policy are not set. Application-level user access is set to only allow 2 simultaneous connections.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206522 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect against a user falsely repud... | - | |||
Check Text: Review system documentation to determine the data and the actions on data that need to be protected from repudiation by means of audit trails. Review DBMS settings to determine whether users can be identified as individuals when using shared accounts. If the individual user who is using a shared account cannot be identified, this is a finding. Review the design and the contents of the application data tables. If they do not include the necessary audit data, this is a finding. Review the configuration of audit logs to determine whether auditing includes details identifying the individual user. If it does not, this is a finding.

Fix Text: Use accounts assigned to individual users. Where the application connects to the DBMS using a standard, shared account, ensure that it also captures the individual user identification and passes it to the DBMS. Modify application database tables and all supporting code to capture the necessary audit data. Modify the configuration of audit logs to include details identifying the individual user.

Comments: ShipCLIP does not utilize shared accounts.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206523 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must provide audit record generation capa... | - | |||
Check Text: Check DBMS auditing to determine whether organization-defined auditable events are being audited by the system. If organization-defined auditable events are not being audited, this is a finding.

Fix Text: Deploy a DBMS that supports the DoD minimum set of auditable events. Configure the DBMS to generate audit records for at least the DoD minimum set of events.

Comments: Auditing is turned on for databases and organization-defined auditable events are being audited. Page 2 of reference document SQL Anywhere 17 - Auditing Options.pdf specifies how to enable auditing and set the types of auditing events captured in the audit log.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206524 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must allow only the ISSM (or individuals ... | - | |||
Check Text: Check DBMS settings and documentation to determine whether designated personnel are able to select which auditable events are being audited. If designated personnel are not able to configure auditable events, this is a finding.

Fix Text: Configure the DBMS's settings to allow designated personnel to select which auditable events are audited.

Comments: Auditable events are set before the databases are deployed. To be able to set auditable events, a user must have SET ANY SECURITY OPTION system privilege (Page 3 of reference document SQL Anywhere 17 - Auditing Options.pdf).
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206525 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must be able to generate audit records wh... | - | |||
Check Text: Review DBMS documentation to verify that audit records can be produced when privileges/permissions/role memberships are retrieved. If the DBMS is not capable of this, this is a finding. If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when privileges/permissions/role memberships are retrieved. If they are not produced, this is a finding.

Fix Text: Deploy a DBMS capable of producing the required audit records when privileges/permissions/role memberships are retrieved. If currently required, configure the DBMS to produce audit records when privileges/permissions/role memberships are retrieved.

Comments: Page 2 of reference document SQL Anywhere 17 - Auditing Options.pdf specifies the types of auditing events captured in the audit log. A setting of ‘all’ includes auditing of successful permission checks on objects.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206526 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must be able to generate audit records wh... | - | |||
Check Text: Review DBMS documentation to verify that audit records can be produced when the system denies or fails to complete attempts to retrieve privileges/permissions/role membership. If the DBMS is not capable of this, this is a finding. If the DBMS is currently required to audit the retrieval of privilege/permission/role membership information, review the DBMS/database security and audit configurations to verify that audit records are produced when the DBMS denies retrieval of privileges/permissions/role memberships. If they are not produced, this is a finding. Review the DBMS/database security and audit configurations to verify that audit records are produced when other errors prevent retrieval of privileges/permissions/role memberships. If they are not produced, this is a finding.

Fix Text: Deploy a DBMS capable of producing the required audit records when it denies or fails to complete access to privileges/permissions/role membership. If currently required, configure the DBMS to produce audit records when it denies access to privileges/permissions/role membership. Configure the DBMS to produce audit records when other errors prevent access to privileges/permissions/role membership.

Comments: Page 2 of reference document SQL Anywhere 17 - Auditing Options.pdf specifies the types of auditing events captured in the audit log. A setting of ‘all’ includes auditing of failed permission checks on objects.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206527 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must initiate session auditing upon start... | - | |||
Check Text: Review DBMS vendor documentation to determine whether the DBMS software is capable of session auditing. If the DBMS is not capable of session auditing and a third party product is not being used for session level auditing, this is a finding. If the DBMS is capable of session level auditing and specific session audits are currently defined but session auditing is not enabled; or if a third-party product is available for session auditing and specific session audits are currently defined but session auditing is not enabled, this is a finding.

Fix Text: Deploy a DBMS capable of session auditing. Configure the DBMS software or third-party product to enable session auditing.

Comments: Section ‘Auditing Individual Connections’ on Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that connection-specific auditing option is enabled by default once auditing is enabled.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206528 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing suf... | - | |||
Check Text: Check DBMS settings and existing audit records to verify information specific to the audit event type is being captured and stored with the audit records. If audit records exist without information regarding what type of event occurred, this is a finding.

Fix Text: Configure DBMS audit settings to include event type as part of the audit record.

Comments: Audit log records contain the type of event that occurred.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206529 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing tim... | - | |||
Check Text: Check DBMS settings and existing audit records to verify information specific to the date and time of the event is being captured and stored with the audit records. If audit records exist without the date and time of the event, this is a finding.

Fix Text: Configure DBMS audit settings to include the date and time of the occurrence of the event as part of the audit record.

Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that the audit log captures accurate timestamps of all events (to a resolution of milliseconds).
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206530 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing suf... | - | |||
Check Text: Check DBMS settings and existing audit records to verify information specific to where the event occurred is being captured and stored with the audit records. If audit records exist without information regarding where the event occurred, this is a finding.

Fix Text: Configure DBMS audit settings to include where the event occurred as part of the audit record.

Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that the audit log captures all login attempts (successful and failed), including the computer name.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206531 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing suf... | - | |||
Check Text: Check DBMS settings and existing audit records to verify information specific to the source (origin) of the event is being captured and stored with audit records. If audit records exist without information regarding the source of the event, this is a finding.

Fix Text: Configure DBMS audit settings to include the source of the event as part of the audit record.

Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that the audit log captures all login attempts (successful and failed), including the computer name.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206532 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing suf... | - | |||
Check Text: Check DBMS settings and existing audit records to verify information specific to the outcome of the event is being captured and stored with the audit records. If audit records exist without the outcome of the event that occurred, this is a finding.

Fix Text: Configure DBMS audit settings to include the outcome of the event as part of the audit record.

Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that the audit log captures the outcome (success or failure) of events.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206533 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must produce audit records containing suf... | - | |||
Check Text: Check DBMS settings and existing audit records to verify a user name associated with the event is being captured and stored with the audit records. If audit records exist without specific user information, this is a finding.

Fix Text: Configure DBMS audit settings to include user name as part of the audit record.

Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that the audit log captures the identity of user, subject, process associated with an event.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206534 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must include additional, more detailed, o... | - | |||
Check Text: Review the system documentation to identify what additional information the organization has determined to be necessary. Check DBMS settings and existing audit records to verify that all organization-defined additional, more detailed information is in the audit records for audit events identified by type, location, or subject. If any additional information is defined and is not contained in the audit records, this is a finding.
Fix Text: Configure DBMS audit settings to include all organization-defined detailed information in the audit records for audit events identified by type, location, or subject.
Comments: MSC does not have any additional organization-defined information that needs to be captured in addition to the information already captured as defined in reference document SQL Anywhere 17 – Database Activity Audit.pdf, which includes additional information for events by type, location, or subject.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206537 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must use system clocks to generate time s... | - | |||
Check Text: Using product documentation, verify that the DBMS uses current time stamp values obtained from or synchronized with the internal system clock used by the operating system. If it is not able to, this is a finding. If it is able to but is configured so that it does not do so, this is a finding.
Fix Text: Deploy a DBMS that can use time stamp values obtained from or synchronized with the internal system clock used by the operating system. Configure the DBMS to use time stamp values obtained from or synchronized with the internal system clock used by the operating system.
Comments: Reference document SQL Anywhere 17 Date functions.pdf states that SQL Anywhere date functions use system clock.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206538 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The audit information produced by the DBMS must be... | - | |||
Check Text: Review locations of audit logs, both internal to the database and database audit logs located at the operating system level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized access. If appropriate controls and permissions do not exist, this is a finding.
Fix Text: Apply controls and modify permissions to protect database audit log data from unauthorized access, whether stored in the database itself or at the OS level.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server. A privileged user must know how to execute the dbmanageetd tool to translate the encrypted file.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206539 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The audit information produced by the DBMS must be... | - | |||
Check Text: Review locations of audit logs, both internal to the database and database audit logs located at the operating system level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized modification. If appropriate controls and permissions do not exist, this is a finding.
Fix Text: Apply controls and modify permissions to protect database audit log data from unauthorized modification, whether stored in the database itself or at the OS level.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server. The dbmanageetd tool cannot make modifications to the original audit log, but only produces an XML translation of the original audit log. Any modifications to the audit log will produce an error when the dbmanageetd tool tries to perform the translation.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206540 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The audit information produced by the DBMS must be... | - | |||
Check Text: Review locations of audit logs, both internal to the database, and database audit logs located at the operating system level. Verify there are appropriate controls and permissions to protect the audit information from unauthorized deletion. If appropriate controls and permissions do not exist, this is a finding.
Fix Text: Apply controls and modify permissions to protect database audit log data from unauthorized deletion, whether stored in the database itself or at the OS level.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server. Audit log cannot be deleted while in use.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206541 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect its audit features from unau... | - | |||
Check Text: Review the access permissions to tools used to view or modify audit log data. These tools may include features within the DBMS itself or software external to the database. If appropriate permissions and access controls to prevent unauthorized access are not applied to these tools, this is a finding.
Fix Text: Apply or modify access controls and permissions (both within the DBMS and in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206542 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect its audit configuration from... | - | |||
Check Text: Review the access permissions to tools used to view or modify audit log data. These tools may include features within the DBMS itself or software external to the database. If appropriate permissions and access controls to prevent unauthorized configuration are not applied to these tools, this is a finding.
Fix Text: Apply or modify access controls and permissions (both within the DBMS and in the file system/operating system) to tools used to view or modify audit log data. Tools must be configurable by authorized personnel only.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server. The dbmanageetd tool does not have an option to modify the original audit log. It can only generate an XML translation of the original audit log. Any modifications to the original audit log will produce an error when the dbmanageetd tool tries to perform the translation.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206543 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must protect its audit features from unau... | - | |||
Check Text: Review the access permissions to tools used to view or modify audit log data. These tools may include features within the DBMS itself or software external to the database. If appropriate permissions and access controls to prevent unauthorized removal are not applied to these tools, this is a finding.
Fix Text: Apply or modify access controls and permissions (both within the DBMS and in the file system/operating system) to tools used to view or modify audit log data. Ensure that tools may be removed by authorized personnel only.
Comments: The database server can only be accessed by a privileged user who creates an Afloat Operations Service Desk ticket. Once the Afloat Operations Service Desk confirms the privileged user has the proper credentials, a domain admin account is created for the user and is valid for 14 days. The Audit log is generated in directory E:\IBSDatabaseAuditFiles\Logs\ShipCLIP, is in a non-human readable format, and can only be translated by the dbmanageetd tool located on the database server. The dbmanageetd tool does not have an option to delete the original audit log.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206544 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must limit privileges to change software ... | - | |||
Check Text: Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done. Verify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete. If monitoring does not occur or is not complete, this is a finding.
Fix Text: Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Use file hashes or checksums for comparisons, as file dates may be manipulated by malicious users.
Comments: Page 2 of reference document SQL Anywhere 17- Database Activity Audit.pdf specifies that a setting of ‘all’ includes auditing of DDL statements.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206546 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Database software, including DBMS configuration fi... | - | |||
Check Text: Review the DBMS software library directory and note other root directories located on the same disk directory or any subdirectories. If any non-DBMS software directories exist on the disk directory, examine or investigate their use. If any of the directories are used by other applications, including third-party applications that use the DBMS, this is a finding. Only applications that are required for the functioning and administration, not use, of the DBMS should be located in the same disk directory as the DBMS software libraries. If other applications are located in the same directory as the DBMS, this is a finding. For databases located on mainframes, confirm that the database and its configuration files are isolated in their own DASD pools. If database software and database configuration files share DASD with other applications, this is a finding.
Fix Text: Install all applications on directories separate from the DBMS software library directory. Relocate any directories or reinstall other application software that currently shares the DBMS software library directory. For mainframe-based databases, locate database software and configuration files in separate DASD pools from other mainframe applications.
Comments: Database software is installed on the database server in directory C:\Program Files\SQL Anywhere 17. Database configuration files reside in directories E:\smis_app and E:\smis_app\ShipCLIP\configure.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206547 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Database objects (including but not limited to tab... | - | |||
Check Text: Review system documentation to identify accounts authorized to own database objects. Review accounts that own objects in the database(s). If any database objects are found to be owned by users not authorized to own database objects, this is a finding.
Fix Text: Assign ownership of authorized objects to authorized object owner accounts.
Comments: All database objects are owned by the system accounts DBA, dbo, sammuser, rs_systabgroup, shipclip and SYS.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206548 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The role(s)/group(s) used to modify database struc... | - | |||
Check Text: Identify the group(s)/role(s) established for DBMS modification. Obtain the list of users in those group(s)/roles. Identify the individuals authorized to modify the DBMS. If unauthorized access to the group(s)/role(s) has been granted, this is a finding.
Fix Text: Revoke unauthorized memberships in the DBMS modification group(s)/role(s).
Comments: The DBMS architecture does not allow users, even with the highest privileges, to modify the structure or logic of built-in security objects. The SYS_AUTH_SA_ROLE, SYS_AUTH_SSO_ROLE, SYS_RUN_REPLICATION_ROLE, and SYS_AUTH_DBA_ROLE are the only roles allowed to make modifications to database structure and logic modules.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206549 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Default demonstration and sample databases, databa... | - | |||
Check Text: Review vendor documentation and vendor websites to identify vendor-provided demonstration or sample databases, database applications, objects, and files. Review the DBMS to determine if any of the demonstration and sample databases, database applications, or files are installed in the database or are included with the DBMS application. If any are present in the database or are included with the DBMS application, this is a finding.
Fix Text: Remove any demonstration and sample databases, database applications, objects, and files from the DBMS.
Comments: Database configuration does not contain any sample or demonstration databases or objects. All databases are created and configured at time of installation.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206550 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Unused database components, DBMS software, and dat... | - | |||
Check Text: Review the list of components and features installed with the database. Use the DBMS product installation tool if supported and review the product installation documentation. If unused components or features are installed and are not documented and authorized, this is a finding.
Fix Text: Uninstall unused components or features that are installed and can be uninstalled. Remove any database objects and applications that are installed to support them.
Comments: Database installation is configured to only install relevant components.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206551 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Unused database components that are integrated in ... | - | |||
Check Text: Review the DBMS for unused components of the system that cannot be uninstalled. If unused components or features are present on the system, can be disabled, and are not disabled, this is a finding.
Fix Text: Disable any unused components or features that cannot be uninstalled.
Comments: Database installation is configured to only install relevant components.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206552 | CAT II | MONT-DB-002 | Database Security Requirements Guide | Access to external executables must be disabled or... | - | |||
Check Text: Review the database for definitions of application executable objects stored external to the database. Determine if there are methods to disable use or access, or to remove definitions for external executable objects. Verify each application executable object listed is authorized by the ISSO. If any are not, this is a finding.
Fix Text: Disable use of or remove any external application executable object definitions that are not authorized.
Comments: DBMS does not have external application executable object definitions.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206553 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must be configured to prohibit or restric... | - | |||
Check Text: Review the DBMS settings and local documentation for functions, ports, protocols, and services that are not approved. If any are found, this is a finding.
Fix Text: Disable functions, ports, protocols, and services that are not approved.
Comments: The designated port used by the database is configured in the smisdbs17-E.cfg file using the -x option. ShipCLIP utilizes port 2639.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206554 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must uniquely identify and authenticate o... | - | |||
Check Text: Review DBMS settings to determine whether organizational users are uniquely identified and authenticated when logging on/connecting to the system. If organizational users are not uniquely identified and authenticated, this is a finding.
Fix Text: Configure DBMS settings to uniquely identify and authenticate all organizational users who log on/connect to the system.
Comments: All application users are uniquely identified using a first initial+last name format within the database and installation users are uniquely identified using a first initial+last name+’_install’ format.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206558 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS, when utilizing PKI-based authentication,... | - | |||
Check Text: Review DBMS configuration to verify that certificates being accepted by the DBMS are validated by performing RFC 5280-compliant certification path validation. If certificates are not being validated by performing RFC 5280-compliant certification path validation, this is a finding.
Fix Text: Configure the DBMS to validate certificates by performing RFC 5280-compliant certification path validation.
Comments: DBMS resides on the database server and can only be accessed directly by authorized personnel with the proper permissions and logged on to the server using PKI Authentication. PKI validation is performed by the O/S upon log in. The DBMS cannot be directly accessed remotely because of PPMS implementation.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206560 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must map the PKI-authenticated identity t... | - | |||
Check Text: Review DBMS configuration to verify DBMS user accounts are being mapped directly to unique identifying information within the validated PKI certificate. If user accounts are not being mapped to authenticated identities, this is a finding.
Fix Text: Configure the DBMS to map the authenticated identity directly to the DBMS user account.
Comments: All application users are uniquely identified using a first initial+last name format within the database. PKI authentications are associated to the application user accounts within the database using the CAC EDI number.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206563 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must uniquely identify and authenticate n... | - | |||
Check Text: Review DBMS settings to determine whether non-organizational users are uniquely identified and authenticated when logging onto the system. If non-organizational users are not uniquely identified and authenticated, this is a finding.
Fix Text: Configure DBMS settings to uniquely identify and authenticate all non-organizational users who log onto the system.
Comments: All application users are uniquely identified using a first initial+last name format within the database. Non-organizational users do not have direct access to the DBMS.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206564 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must separate user functionality (includi... | - | |||
Check Text: Check DBMS settings and vendor documentation to verify that administrative functionality is separate from user functionality. If administrator and general user functionality are not separated either physically or logically, this is a finding.
Fix Text: Configure DBMS to separate database administration and general user functionality.
Comments: Users are configured with roles that separate user functionality from database management functionality. Application users are not assigned to DBA or SSO roles which govern database management functions.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review
| V-206565 | CAT II | MONT-DB-002 | Database Security Requirements Guide | The DBMS must invalidate session identifiers upon ... | - | |||
Check Text: Review DBMS settings and vendor documentation to verify user sessions are terminated, and session identifiers invalidated, upon user logout. If they are not, this is a finding. Review system documentation and organization policy to identify other events that should result in session terminations. If other session termination events are defined, review DBMS settings to verify occurrences of these events would cause session termination, invalidating the session identifiers. If occurrences of defined session terminating events do not cause session terminations, invalidating the session identifiers, this is a finding.
Fix Text: Configure DBMS settings to terminate sessions, invalidating their session identifiers, upon user logout. Configure DBMS settings to terminate sessions, invalidating their session identifiers, upon the occurrence of any organization- or policy-defined session termination event.
Comments: The DBMS generates unique system-generated session identifiers for every database login connection. The session identifiers are invalidated upon user logout or for other session terminations. The DBMS is not accessible by a direct remote connection or URL.
Source: Montford Point ShipCLIP DB V4R4.ckl
Scan Date: 2026-03-06T12:50:21.809591
Technology Area: Database Review