*4i0oE@r8KQoPf*]"ʳ-O贵T,KG̽u)4G=c!ȕ9 /%x8 ޻_I=☓4Edy4SG)pxYi] SELECT * from v$VERSION1. Currently (3/24/2010) supported versions are as follows: 8i: 8.1.7.4 9i (Release 1) 9.0.1.4 9i: (Release 2) 9.2.0.1 - 9.2.0.8 10g (Release 1): 10.1.0.2 - 10.1.0.5 10g (Release 2): 10.2.0.1 - 10.2.0.4 11g (Release 1): 11.1.0.6 - 11.1.0.7 ORA9W-11Verify that all installed Oracle products have up-to-date patch levels. Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. But Fix Patches should be applied as needed.{1. Determine patch level(s) of installed Oracle product(s) from following command: % $ORACLE_HOME/OPatch/opatch lsinventory1. Visit the following web site to determine the currently available patches for each installed Oracle product: http://www.oracle.com/technology/deploy/security/alerts.htmORA9W-12[Verify that login information is encrypted for old versions of Oracle database, i.e., that the initialization parameter DBLINK_ENCRYPT_LOGIN is set to TRUE. The DBLINK_ENCRYPT_LOGIN parameter, when set to TRUE, prevents unencrypted passwords from being sent to remote servers. This parameter has been unsupported as of Version 9, Release 2 (9.2).1. For database versions 9.0.1 and earlier, perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='dblink_encrypt_login'; 2. View the init.ora file for each Oracle instance that is version 9.0.1 or earlier.h1. This query must return TRUE. 2. The following statement must be present: DBLINK_ENCRYPT_LOGIN = TRUEORA9W-13AU-12Verify that auditing is enabled, i.e., that the initialization parameter AUDIT_TRAIL is set to TRUE, OS, or DB. The AUDIT_TRAIL parameter specifies where the Oracle database writes the audit trail information. The valid values are TRUE, OS, and DB. 1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='audit_trail'; 2. View the init.ora file for each Oracle instance.1. 
This query must return TRUE, OS, or DB. 2. One of the following statements must be present: AUDIT_TRAIL = TRUE AUDIT_TRAIL = OS AUDIT_TRAIL = DBORA9W-14Verify that resource limit enforcement is enabled, i.e., that the initialization parameter RESOURCE_LIMIT is set to true. The RESOURCE_LIMIT parameter specifies whether or not enforcement of resource limits is enabled.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='resource_limit'; 2. View the init.ora file for each Oracle instance.b1. This query must return TRUE. 2. The following statement must be present: RESOURCE_LIMIT = TRUEORA9W-15SC-2Verify that only server-based authentication is used, i.e., that the initialization parameter REMOTE_OS_AUTHENT is set to FALSE. The parameter REMOTE_OS_AUTHENT, when set to TRUE, allows the authentication of remote clients by the host operating system.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='remote_os_authent'; 2. View the init.ora file for each Oracle instance.g1. This query must return FALSE. 2. The following statement must be present: REMOTE_OS_AUTHENT = FALSEORA9W-16Verify that client-based operating system roles are not used, i.e., that the initialization parameter REMOTE_OS_ROLES is set to FALSE. The parameter REMOTE_OS_ROLES, when set to TRUE, allows the operating system roles to be used from remote clients. Roles on a DBMS shall be locally defined and shall implement specific< business purposes defined by the Enterprise Life Cycle (ELC) documentation of the ELC project that uses the DBMS.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='remote_os_roles'; 2. View the init.ora file for each Oracle instance.e1. This query must return FALSE. 2. The following statement must be present: REMOTE_OS_ROLES = FALSEORA9W-17AU-4LVerify that role management is not performed by the operating system, i.e., that the initialization parameter OS_ROLES is set to FALSE. 
The parameter OS_ROLES, when set to TRUE, allows operating system roles to be used. Role information must be stored, managed, and protected in the database rather than files external to the DBMS.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='os_roles'; 2. View the init.ora file for each Oracle instance.^1. This query must return FALSE. 2. The following statement must be present: OS_ROLES = FALSEORA9W-18Verify that a valid and protected directory is designated for I/O with the host operating system, i.e., that the UTL_FILE_DIR initialization parameter is well defined. The parameter UTL_FILE_DIR was added to support Oracle packages that allow the reading and writing of external text files to an operating system file. This parameter shall be set to a specific operating system directory where application procedures/programs can read and write files. This means the directory shall exist and have the permissions correctly set to allow Oracle background processes to write to the directory; otherwise, errors will occur. The UTL_FILE_DIR parameter shall not be set to a "*" value.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='utl_file_dir'; 2. View the init.ora file for each Oracle instance.1. This query must return the full path to a valid, protected directory. 2. he following statement must be present: UTL_FILE_DIR = where is the full path to a directory meeting the specified restrictions.ORA9W-19xVerify that distinct SELECT privileges shall be required of users executing UPDATE or DELETE functions, i.e., that the SQL92_SECURITY initialization parameter is set to TRUE. The initialization parameter SQL92_SECURITY when set to TRUE, specifies that SELECT privileges are required during an UPDATE or DELETE function when a WHERE clause specifying column values is present.Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='sql92_security'; 2. 
View the init.ora file for each Oracle instance.b1. This query must return TRUE. 2. The following statement must be present: SQL92_SECURITY = TRUEORA9W-20eVerify that SYSTEM privileges are restricted such that access to objects in the dictionary and SYS schemas is restricted, i.e., that the O7_DICTIONARY_ACCESSIBILITY initialization parameter is set to FALSE. The O7_DICTIONARY_ACCESSIBILITY parameter controls SYSTEM privileges. If the parameter is set to TRUE, access to objects in the YS schema is allowed.Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='O7_DICTIONARY_ACCESSIBILITY'; 2. View the init.ora file for each Oracle instance.r 1. This query must return FALSE. 2. The following statement must be present: O7_DICTIONARY_ACCESSIBILITY = FALSEORA9W-21Verify that multiple databases cannot use the same password file, i.e., that REMOTE_LOGIN_PASSWORDFILE is set to either EXCLUSIVE or NONE The REMOTE_LOGIN_PASSWORDFILE initialization parameter specifies whether Oracle uses a password file and how many databases can use the password file. Setting the parameter to NONE signifies that Oracle should ignore any password file; EXCLUSIVE signifies that the password file can be used by only a single database.Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='remote_login_passwordfile'; 2. View the init.ora file for each Oracle instance. 1. This query must return either EXCLUSIVE or NONE. 2. One of the following statements must be present: REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE REMOTE_LOGIN_PASSWORDFILE = NONEORA9W-22On Oracle database version 9.2 and later, verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE. The AUDIT_SYS_OPERATIONS initialization parameter introduced with Oracle version 9.2 enables auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts. 
The audit records generated are stored in the OS audit file in the Windows event log.For Oracle database versions 9.2 and later, perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='audit_sys_operations'; 2. View the init.ora file for each Oracle instance that is version 9.2 or later;.h1. This query must return TRUE. 2. The following statement must be present: AUDIT_SYS_OPERATIONS = TRUEORA9W-23&Verify that database links are required to be defined with the same name as the database to which they connect, i.e., that the GLOBAL_NAMES initialization parameter is set to TRUE. This setting prevents inadvertent connections to the wrong database and simplifies management of database links.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='global_names'; 2. View the init.ora file for each Oracle instance. 1. This query must return TRUE. 2. View the init.ora file for each Oracle instance; the following statement must be present: GLOBAL_NAMES = TRUEORA9W-24Verify that the internal Oracle DBMS parameter _TRACE_FILES_PUBLIC is set to FALSE. Setting _TRACE_FILES_PUBLIC to TRUE allows all database accounts access to trace files.31. View the init.ora file for each Oracle instance.H 1. The following statement must be present: _TRACE_FILES_PUBLIC = FALSEORA9W-25eVerify that the number of roles that may be active for any database session is no larger than necessary, i.e., that the MAX_ENABLED_ROLES parameter is set to the lowest value consistent with required database operation. Setting this parameter may provide additional assurance that application roles are being enabled and disabled in accordance with design.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='max_enabled_roles'; 2. View the init.ora file for each Oracle instance.1. MAX_ENABLED_ROLES must be set to the lowest setting consistent with required database operation. 2. 
The following statement must be present: MAX_ENABLED_ROLES = where is the lowest positive integer consistent with required database operation.ORA9W-26DVerify that the Oracle database cannot register with a listener located on a separate host machine, i.e., that the REMOTE_LISTENER parameter is set to a null string value. The configuration and management of a remote listener may be outside the security domain of the database host system, and shall therefore, not be used.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='remote_listener'; 2. View the init.ora file for each Oracle instance.l1. This query must return a null value. 2. The following statement must be present: REMOTE_LISTENER = FALSEORA9W-27pVerify that a valid and protected directory is designated for writing and storing database session trail files, i.e., that the USER_DUMP_DEST initialization parameter is well defined. The USER_DUMP_DEST parameter specifies the host directory where database session trace files are written. The USER_DUMP_DEST parameter shall be set to a valid and protected directory.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='user_dump_dest'; 2. View the init.ora file for each Oracle instance. 1. This query must return the full path to a valid, protected directory. 2. The following statement must be present: USER_DUMP_DEST = where is the full path to a valid, protected directory.ORA9W-28sVerify that a valid and protected directory is designated for writing and storing alert log and trace files for Oracle background processes,< i.e., that the BACKGROUNG_DUMP_DEST initialization parameter is well defined. The BACKGROUNG_DUMP_DEST parameter specifies the host directory where the Oracle alert log and trace files for Oracle background processes are written.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='background_dump_dest'; 2. View the init.ora file for each Oracle instance.1. 
This query must return the full path to a valid, protected directory. 2. The following statement must be present: BACKGROUNG_DUMP_DEST = where is the full path to a valid, protected directory.ORA9W-296Verify that redo log archiving is enabled at instance startup, i.e., that the LOG_ARCHIVE_START parameter is set to TRUE. The LOG_ARCHIVE_START parameter determines whether redo log archiving is started at the time of instance startup. The database must be in archive log mode for this setting to take effect.Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='log_archive_start'; 2. View the init.ora file for each Oracle instance.e1. This query must return TRUE. 2. The following statement must be present: LOG_ARCHIVE_START = TRUEORA9W-306In the event that archive logging is enabled, verify that a valid and protected directory is designated for writing and storing redo log archives, i.e., that the LOG_ARCHIVE_DEST initialization parameter is well defined. The LOG_ARCHIVE_DEST parameter requires that ARCHIVELOG mode be enabled on the database.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='log_archive_dest'; 2. View the init.ora file for each Oracle instance.1. This query must return the full path to a valid, protected directory. 2. The following statement must be present: LOG_ARCHIVE_DEST = where is the full path to a directory meeting the specified restrictions.ORA9W-31SIn the event that archive logging is enabled, verify that a valid and protected backup directory is designated for writing and storing redo log archives, i.e., that the LOG_ARCHIVE_DUPLEX_DEST(_n) initialization parameter is well defined. The LOG_ARCHIVE_DUPLEX_DEST(_n) parameter requires that ARCHIVELOG mode be enabled on the database.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='log_archive_duplex_dest(_n)'; where (_n) is either not present or replaced by _1, _2,.... 2. 
View the init.ora file for each Oracle instance._1. This query must return the full path to a valid, protected directory for each result. 2. The following statement(s) must be present: LOG_ARCHIVE_DUPLEX_DEST(_n) = where (_n) is either not present or replaced by _1, _2,... and is the full path to a directory meeting the specified restrictions, for each such line.ORA9W-32xVerify that an arbitrary OS user account will be unable to log in to a database account of the same name without a password, i.e., that the OS_AUTHENT_PREFIX is set to a string other than OPS$. Setting the OS_AUTHENT_PREFIX parameter to a value other than OPS$ prevents an OS account from being able to access a database account by the same name without providing a password.1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='os_authent_prefix'; 2. View the init.ora file for each Oracle instance.1. This query must return a value other than OPS$. 2. The following statement must be present: OS_AUTHENT_PREFIX = where is a text value than OPS$.ORA9W-33IA-4For Oracle client workstations, verify that password encryption is enabled for logins via network connections to Oracle servers, i.e. that the ORA_ENCRYPT_LOGIN environment variable is set to TRUE. Oracle password information in a connection request shall be encrypted.1. On an Oracle client workstations only: View the sqlnet.ora file; the following statement must be present: ORA_ENCRYPT_LOGIN = TRUE?1. The following statement is present: ORA_ENCRYPT_LOGIN = TRUEORA9W-34Verify that the value of the registry key specifying domain name prefix requirement is set to TRUE. Database accounts authenticated externally by a Windows system must be identified by the respective domain name prefix.Windows hosts running Oracle database versions prior 8.1.x only: 1. From REGEDT32: Select HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID\. Double click on key OSAUTH_PREFIX_DOMAIN. ,1. 
The value in the string box must be TRUE.ORA9W-35Verify that password file authentication for database administrative accounts is disabled. Because administrative accounts do not allow for individual accountability via auditing, password file authentication shall not allow for remote administrative sessions.If REMOTE_LOGIN_PASSWORDFILE (See test ID 12) is set to NONE, this check is not applicable. 1. Perform the following query: SQL> SELECT VALUE FROM v$PARAMETER 2 WHERE NAME='log_archive_duplex_dest(_n)'; where (_n) is either not present or replaced by _1, _2,.... 1. If REMOTE_LOGIN_PASSWORDFILE is not set to NONE, it must be set to EXCLUSIVE and the following query must return no data, i.e. "no rows selected": SQL> SELECT * FROM v$PWFILE_USERSORA9W-36Verify that default accounts unnecessary for the daily operation of the database are either deleted or locked and expired. This check is based on a list of Oracle-recommended settings for default accounts.1. For each username/status pair below, perform the following query: SQL> SELECT username, account_status 2 FROM dba_users 3 WHERE username = ''; ADAMS, AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, BLAKE, CLARK, CTXSYS, DBSNMP, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, OSE$HTTP$ADMIN, OUTLN, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SCOTT, SH, SYS, SYSTEM1.If exists on the Oracle database installation, the resulting ACCOUNT_STATUS value must match below: OPEN for: AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, DBSNMP, OPENOSE$HTTP$ADMIN, OSE$HTTP$ADMIN, OUTLN, SCOTT, SYS, SYSTEM EXPIRED & LOCKED for: ADAMS, BLAKE, CLARK, CTXSYS, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SHORA9W-37SC-14Verify that a password is set for all listeners running on the system. No password is set on the listener by default. A listener password shall be set. 
Failing to set a password on the listener could result in unauthorized users starting, stopping, and configuring the listener service. The password shall be stored in encrypted format within the listener.ora file. This is accomplished by using the change_password function of the LSNRCTL utility.

1. Run the following command:
   C:\>find /I "passwords_listener" $ORACLE_HOME/network/admin/listener.ora

1. A line of output resembling the following must be present: PASSWORDS_LISTENER = XXXXXXXXX

ORA9W-38
Verify that the ADMIN_RESTRICTIONS option is enabled in the listener.ora file. The Oracle listener by default allows dynamic configuration via the LSNRCTL utility. Dynamic configuration leaves the listener vulnerable to unauthorized modification should the listener not be protected by a password or the password be compromised. Dynamic configuration shall be disabled by specifying the parameter ADMIN_RESTRICTIONS_listener_name in the listener.ora file.

1. Run the following command:
   C:\>find /I "admin_restrictions_" $ORACLE_HOME/network/admin/listener.ora

1. A line of output, for each active listener, must be present: ADMIN_RESTRICTIONS_listener_name = TRUE

ORA9W-39
Verify that Oracle profiles are configured correctly. User profiles are used to restrict system resource use as well as define some security parameters. The DEFAULT profile is used when no other profile is specified for the database account. The DEFAULT profile should be modified to secure database accounts that are not assigned a specific profile. Any custom profiles in the database should also have these security parameters set.

1. Perform the following query:
   SQL> SELECT PROFILE,RESOURCE_NAME, LIMIT
        FROM dba_profiles;

1. The following RESOURCE_NAME and LIMIT pairs must be present for each profile returned:
   IDLE_TIME 15
   PASSWORD_LIFE_TIME 90
   PASSWORD_REUSE_MAX 10
   PASSWORD_REUSE_TIME 365
   FAILED_LOGIN_ATTEMPTS 90

ORA9W-40
AC-3
Verify that Oracle files and directories have correct ownership.
All files and directories installed by Oracle should be owned by the installation account, except for the Oracle Listener and Intelligent Agent processes, both of which must have unique user IDs associated with them.

1. In Windows Explorer, right-click on the file name of an Oracle-installed file. Then select Properties; select the Security tab; click the Advanced button under the Permissions section; and select the Owner tab.

1. All Oracle files and directories must be owned by the BUILTIN/Administrators group.

ORA9W-41
Verify that the ORACLE_BASE\ORACLE_HOME group and permissions are set correctly. The ORACLE_BASE\ORACLE_HOME directory must have "Full Control" granted to the Administrators and System groups; the Authenticated Users group must be granted Read, Execute, and List Contents permissions.

Verify that the ORACLE_BASE\ORACLE_HOME group and permissions are set correctly.

The ORACLE_BASE\ORACLE_HOME directory must have "Full Control" granted to the Administrators and System groups; the Authenticated Users group must be granted Read, Execute, and List Contents permissions.

ORA9W-42
Verify that access to all Oracle database parameter files is restricted to the software owner and DBAs. Database and parameter files must have their access restricted to users with administrator privileges.

Verify that access to all Oracle database parameter files is restricted to the software owner and DBAs.

Database and parameter files must have their access restricted to users with administrator privileges.

ORA9W-43
Verify that access to the remote logon password file is restricted to the software owner and DBAs. Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users.
Permissions entries must only be defined for local administrators.

Verify that access to the remote logon password file is restricted to the software owner and DBAs.

Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users. Permissions entries must only be defined for local administrators.

ORA9W-44
Verify that access to the listener.ora file is restricted to the software owner and DBAs. The listener.ora file contains listener configuration parameters and the listener password. Access to this file must be restricted to the Oracle owner, the Oracle TNSLISTENER service account, and DBAs.

Verify that access to the listener.ora file is restricted to the software owner and DBAs.

The listener.ora file contains listener configuration parameters and the listener password. Access to this file must be restricted to the Oracle owner, the Oracle TNSLISTENER service account, and DBAs.

ORA9W-45
Verify that access to the support files for the Oracle Intelligent Agent is restricted to the software owner and DBAs. The dbsnmp_rw.ora and dbsnmp_ro.ora files, if present, may contain the password of the DBSNMP database account. Access to these files must be restricted to the Oracle owner and DBAs.

Verify that access to the support files for the Oracle Intelligent Agent is restricted to the software owner and DBAs.

The dbsnmp_rw.ora and dbsnmp_ro.ora files, if present, may contain the password of the DBSNMP database account. Access to these files must be restricted to the Oracle owner and DBAs.

ORA9W-46
Verify that access to the sqlnet.ora file (and protocol.ora file for Oracle database version 8 and 8i) is restricted to the software owner and DBAs. The sqlnet.ora file (and protocol.ora file for Oracle database version 8 and 8i) contains network configuration information for the host database and listener.
Access to this file must be restricted to the Oracle owner and DBAs.

Verify that access to the sqlnet.ora file is restricted to the software owner and DBAs.

The sqlnet.ora file contains network configuration information for the host database and listener. Access to this file must be restricted to the Oracle owner and DBAs.

ORA9W-47
Verify that access to log and trace file directories is restricted to the software owner and DBAs. Log and trace file directories found under the $ORACLE_HOME directory may contain information useful for the unauthorized access to database contents. Access to these directories and the files they contain must be restricted to the Oracle owner and DBAs.

Log and trace file directories found under the $ORACLE_HOME directory may contain information useful for the unauthorized access to database contents. Access to these directories and the files they contain must be restricted to the Oracle owner and DBAs.

ORA9W-48
Verify that access to Oracle registry keys is restricted to local administrators. Access to registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE must be restricted to local administrator.

Verify that access to Oracle registry keys is restricted to local administrators.

Access to registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE must be restricted to local administrator.

ORA9W-49
Verify that the minimum level of statement auditing is configured and recorded "by access."

1. Perform the following query:
   SQL> SELECT AUDIT_OPTION,SUCCESS,FAILURE
        FROM DBA_STMT_AUDIT_OPTS
        UNION SELECT PRIVILEGE,SUCCESS,FAILURE
        FROM DBA_PRIV_AUDIT_OPTS;

1.
The following AUDIT_OPTIONS/PRIVILEGES must be returned with SUCCESS and FAILURE values of BY ACCESS:
   ALTER [ANY CLUSTER, ANY DIMENSION, ANY INDEX, ANY LIBRARY, ANY OUTLINE, ANY PROCEDURE, ANY ROLE, ANY SEQUENCE, ANY SNAPSHOT, ANY TABLE, ANY TRIGGER, ANY TYPE, DATABASE, PROFILE, RESOURCE COST, ROLLBACK SEGMENT, SEQUENCE, SESSION, SYSTEM, TABLE, TABLESPACE, USER]
   ANALYZE ANY, AUDIT ANY, BACKUP ANY TABLE, BECOME USER, COMMENT ANY TABLE, COMMENT TABLE
   CREATE ANY [CLUSTER, CONTEXT, DIMENSION, DIRECTORY, INDEX, LIBRARY, OUTLINE, PROCEDURE, SEQUENCE]
   DROP [ANY CLUSTER, ANY DIMENSION, ANY DIRECTORY, ANY INDEX, ANY LIBRARY, ANY OUTLINE, ANY PROCEDURE, ANY ROLE, ANY SEQUENCE, ANY SNAPSHOT, ANY TABLE, ANY TRIGGER, ANY TYPE, ANY VIEW, PROFILE, PUBLIC SYNONYM, ROLLBACK SEGMENT, TABLESPACE, USER]
   ENQUEUE ANY QUEUE, FORCE [ANY TRANSACTION, TRANSACTION], GLOBAL QUERY REWRITE, GRANT [ANY PRIVILEGE, ANY ROLE, DIRECTORY, PROCEDURE, SEQUENCE, TABLE, TYPE], MANAGE [ANY QUEUE, TABLESPACE]

ORA9W-50
Verify that all database objects are audited for RENAME actions. The only database object auditing required is RENAME actions on all objects.

1. Perform the following query:
   SQL> SELECT COUNT(*) FROM DBA_OBJ_AUDIT_OPTS
        WHERE REN = '-/-';

1. The value of the count must be zero (0).

ORA9W-51
Verify that required measures are taken to protect audit trails. Access to auditing information must be restricted to database administrators. Any manual alteration to the auditing table must itself be audited.

1. Perform the following query:
   SQL> SELECT DEL,UPD FROM DBA_OBJ_AUDIT_OPTS
        WHERE OBJECT_NAME='AUD$';

1. The DEL and UPD values returned must both be A/A.

ORA9W-52
Verify that a minimum set of PUBLIC execute privileges have been revoked. Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any unnecessary privileges.

1.
Perform the following query:
   SQL> SELECT TABLE_NAME FROM DBA_TAB_PRIVS
        WHERE GRANTEE='PUBLIC' AND
        PRIVILEGE='EXECUTE'
        AND TABLE_NAME IN (
        'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP',
        'UTL_FILE',
        'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL',
        'DBMS_JOB', 'DBMS_BACKUP_RESTORE');

1. This query must not return any data, i.e., "no rows selected."

ORA9W-53
Verify that no system privileges are granted to the PUBLIC role. Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any system privileges.

1. Perform the following query:
   SQL> SELECT PRIVILEGE FROM DBA_SYS_PRIVS
        WHERE GRANTEE='PUBLIC';

ORA9W-54
Verify that no object privileges are granted to the PUBLIC role. Because all Oracle database accounts are assigned the PUBLIC role, this role should not be granted any object privileges.

1. Perform the following query:
   SQL> SELECT * FROM DBA_TAB_PRIVS
        WHERE GRANTEE='PUBLIC' AND
        OWNER NOT IN (
        'SYS', 'CTXSYS', 'MDSYS', 'ODM',
        'OLAPSYS', 'MTSYS',
        'ORDPLUGINS', 'ORDSYS',
        'SYSTEM', 'WKSYS',
        'REMISS', 'XDB', 'LBACSYS');

ORA9W-55
Verify that no administrative privileges are granted in conjunction with any roles. DBAs, application owners, and application administrators should be the only database accounts with the privilege to assign permissions to other users.

1. Perform the following query:
   SQL> SELECT GRANTEE,GRANTED_ROLE FROM
        DBA_ROLE_PRIVS WHERE
        ADMIN_OPTION='YES' AND GRANTEE NOT IN (
        'SYS','SYSTEM','DBA',
        'AQ_ADMINISTRATOR_ROLE',
        'MDSYS','LBACSYS');

ORA9W-56
Verify that no administrative privileges are granted in conjunction with other granted privileges. DBAs, application owners, and application administrators should be the only database accounts with the privilege to assign permissions to other users.

1.
Perform the following query:
   SQL> SELECT GRANTEE,PRIVILEGE FROM
        DBA_SYS_PRIVS WHERE
        ADMIN_OPTION='YES' AND
        GRANTEE NOT IN ('SYS','SYSTEM',
        'DBA','AQ_ADMINISTRATOR_ROLE',
        'MDSYS','LBACSYS');

ORA9W-57
Verify that no object privileges are granted to non-system user accounts and roles. Only DBAs shall be granted the privileges necessary to create objects in a production environment.

1. Perform the following query:
   SQL> SELECT GRANTEE || ' ' || OWNER ||
        ' ' || TABLE_NAME FROM
        DBA_TAB_PRIVS WHERE GRANTABLE='YES'
        AND GRANTEE NOT IN (
        'SYS','SYSTEM','DBA','OLAPSYS','CTXSYS',
        'PUBLIC','LBACSYS') AND
        TABLE_NAME NOT IN (
        SELECT SYNONYM_NAME FROM DBA_SYNONYMS
        WHERE SYNONYM_NAME=TABLE_NAME);

ORA9W-58
AC-6
Verify that no predefined roles are assigned to custom database accounts. Oracle predefined roles shall be restricted to Oracle default accounts with the exception of the DBA role.

1. Perform the following query:
   SQL> SELECT GRANTEE,GRANTED_ROLE FROM
        DBA_ROLE_PRIVS WHERE GRANTED_ROLE IN (
        'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
        'CONNECT','CTXAPP','DBSNMP',
        'DELETE_CATALOG_ROLE',
        'EXECUTE_CATALOG_ROLE',
        'EXP_FULL_DATABASE',
        'GLOBAL_AQ_USER_ROLE','HS_ADMIN_ROLE',
        'IMP_FULL_DATABASE','JAVA_ADMIN',
        'JAVADEBUGPRIV',
        'JAVAIDPRIV','JAVASYSPRIV',
        'JAVAUSERPRIV',
        'OEM_MONITOR','OLAP_DBA',
        'OSDBA','OSOPER','OUTLN',
        'PLUSTRACE','RECOVERY_CATALOG_OWNER',
        'RESOURCE','SELECT_CATALOG_ROLE',
        'SNMPAGENT',
        'SYS','SYSDBA','SYSOPER','SYSTEM',
        'TIMESERIES_DBA',
        'TIMESERIES_DEVELOPER',
        'TKPRFER','WKADMIN',
        'WKUSER','WM_ADMIN_ROLE')
        AND GRANTEE NOT IN (
        'SYS','SYSTEM','DBA',
        'EXP_FULL_DATABASE',
        'IMP_FULL_DATABASE',
        'EXECUTE_CATALOG_ROLE',
        'JAVASYSPRIV','OEM_MONITOR',
        'OUTLN','WKSYS',
        'OSE$HTTP$ADMIN','ORDPLUGINS','LBACSYS',
        'WKUSER','ORDSYS',
        'SELECT_CATALOG_ROLE',
        'CTXSYS','AURORA$JIS$UTILITY$',
        'DBSNMP');

ORA9W-59
Verify that no default application administration roles are granted to
non-system user accounts. Application administration roles are determined by the granting of CREATE USER, ALTER USER, and DROP USER privileges. These roles must not be enabled by default upon connection to the database, but may be enabled/disabled as required by the application administration function.

1. Perform the following query:
   SQL> SELECT GRANTEE || ' ' || GRANTED_ROLE
        FROM DBA_ROLE_PRIVS
        WHERE DEFAULT_ROLE='YES'
        AND GRANTED_ROLE IN (
        SELECT GRANTEE FROM DBA_SYS_PRIVS
        WHERE PRIVILEGE LIKE '%USER%'
        AND GRANTEE NOT IN
        ('CTXSYS','DBA','IMP_FULL_DATABASE',
        'MDSYS','SYS','WKSYS')
        ) AND GRANTEE NOT IN (
        'DBA','SYS','SYSTEM');

ORA9W-60
Verify that no system privileges are granted directly to non-default users and roles. System privileges must not be granted directly to any user or application user roles.

1. Perform the following query:
   SQL> SELECT GRANTEE,PRIVILEGE FROM
        DBA_SYS_PRIVS WHERE PRIVILEGE <>
        'CREATE SESSION' AND GRANTEE NOT IN (
        'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
        'AURORA$ORG$UNAUTHENTICATED',
        'CONNECT','CTXAPP',
        'DBA','DBSNMP','DELETE_CATALOG_ROLE',
        'EXECUTE_CATALOG_ROLE',
        'EXP_FULL_DATABASE',
        'HS_ADMIN_ROLE','IMP_FULL_DATABASE',
        'JAVA_ADMIN', 'JAVADEBUGPRIV',
        'JAVAIDPRIV','JAVASYSPRIV',
        'MDSYS','OEM_ADVISOR',
        'OEM_MONITOR','OSDBA',
        'OSOPER','OUTLN','PLUSTRACE',
        'RECOVERY_CATALOG_OWNER','RESOURCE',
        'SCHEDULER_ADMIN',
        'SELECT_CATALOG_ROLE',
        'SNMPAGENT','SYS','SYSDBA','SYSOPER',
        'SYSTEM','TIMESERIES_DBA',
        'TIMESERIES_DEVELOPER',
        'TKPROFER','TSMSYS');

ORA9W-61
Verify that no object privileges are granted directly to non-default user accounts. Object privileges must only be granted to users through role assignments.

1.
Perform the following query:
   SQL> SELECT DISTINCT GRANTEE FROM
        DBA_TAB_PRIVS WHERE GRANTEE NOT IN
        (SELECT ROLE FROM DBA_ROLES) AND
        GRANTEE NOT IN
        (SELECT USERNAME FROM DBA_USERS) AND
        GRANTEE <> 'PUBLIC';

ORA9W-62
Verify that no users and roles are granted the revoke, index, and reference privileges. The DBA shall restrict assignment of the alter, index, and references object privileges to DBAs, object owners, and predefined roles.

1. Perform the following query:
   SQL> SELECT GRANTEE || ' ' || PRIVILEGE
        || ' ' || OWNER || ' ' || TABLE_NAME
        FROM DBA_TAB_PRIVS WHERE (
        PRIVILEGE LIKE '%ALTER%' OR
        PRIVILEGE LIKE '%INDEX%' OR
        PRIVILEGE LIKE '%REFERENCES%'
        ) AND GRANTEE<>'SYSTEM' AND
        GRANTOR<>'MDSYS';

ORA9W-63
Verify that users do not have access to DBA data. The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.

1. Perform the following query:
   SQL> SELECT GRANTEE || ' ' || PRIVILEGE
        || ' ' ||
        TABLE_NAME FROM DBA_TAB_PRIVS
        WHERE (OWNER='SYS' OR TABLE_NAME LIKE
        'DBA_') AND GRANTEE NOT IN (
        'AQ_ADMINISTRATOR_ROLE','AQ_USER_ROLE',
        'AURORA%JIS%UTILITY%','DBA','DBSNMP',
        'EXECUTE_CATALOG_ROLE',
        'EXP_FULL_DATABASE',
        'HS_ADMIN_ROLE','IMP_FULL_DATABASE',
        'ORDSYS','OSE$HTTP$ADMIN','OUTLN',
        'PUBLIC','SELECT_CATALOG_ROLE',
        'SNMPAGENT','SYSTEM',
        'DELETE_CATALOG_ROLE',
        'GATHER_SYSTEM_STATISTICS',
        'LOGSTDBY_ADMINISTRATOR','MDSYS','ODM',
        'OEM_MONITOR','OLAPSYS',
        'WKUSER','WMSYS',
        'WM_ADMIN_ROLE','XDB','TRACESVR') AND
        GRANTEE NOT IN (SELECT GRANTEE FROM
        DBA_ROLE_PRIVS WHERE
        GRANTED_ROLE='DBA');

ORA9W-64
Verify that all non-default object owner user accounts are disabled. The DBA shall ensure that the application object owner account is used only for update and maintenance of the application objects. The DBA shall ensure that custom application owner accounts are disabled when not in use.

1.
Perform the following query:
   SQL> SELECT DISTINCT OWNER
        FROM DBA_OBJECTS,DBA_USERS
        WHERE OWNER NOT IN (
        'SYS','SYSTEM','MDSYS','CTXSYS',
        'ORSYS','ORDPLUGINS',
        'AURORA$JIS$UTILITY$','ODM',
        'ODM_MTR','OLAPDBA','OLAPSYS','MTSSYS',
        'OSE$HTTP$ADMIN','OUTLN','LBACSYS',
        'PUBLIC','DBSNMP','RMAN','WKSYS',
        'WMSYS','XDB') AND OWNER=USERNAME AND
        ACCOUNT_STATUS<>'LOCKED';

ORA9W-65
Verify that the EXTPROC module is disabled, if its use is unnecessary. Oracle EXTPROC functionality shall be disabled if it is not explicitly required to support a business application. The EXTPROC component has a known vulnerability that allows unauthenticated access via the Oracle Listener.

Determine, from a knowledgeable DBA, if the EXTPROC module is in use to support a business application. If its use is justified, then this test item passes. If not:
1. Examine the listener.ora and tnsnames.ora files under $ORACLE_HOME/network/admin.
2. View the $ORACLE_HOME/bin directory.

If its use is justified, then this test item passes. If not:
1. None of the following strings are present: icache_extproc, plsextproc, and extproc.
2. There is no executable extproc.

ORA9W-66
Verify that a non-default port number is in use for the Oracle Listener. [CONFLICT IN POLICY] IRS requires standard port usage to better support firewall and intrusion detection monitoring. Oracle default ports shall be used to support Oracle network communications when traversing network firewalls. (Note: this is mostly in reference to Oracle's "random port assignments" feature.) [N.B. IANA has not licensed port 1521 to Oracle Corp, therefore it cannot be considered a true "standard port."] Center for Internet Security (from Security Benchmark for Oracle 9i/10g): "Standard ports are well known and can be used by attackers to verify applications running on a server."

1. View the $ORACLE_HOME/install/portlist.ini file.

1.
The value of the 'Oracle Net Listener' parameter must not be equal to 1521.

ORA9W-67
Verify that listener connection timeouts are enabled. The DBA shall ensure a connection timeout limit is set with the minimum number of seconds appropriate for the application. The requisite parameters shall be specified in the listener.ora and sqlnet.ora files.

1. View the $ORACLE_HOME/network/admin/listener.ora file.
2. View the $ORACLE_HOME/network/admin/sqlnet.ora file.

1. The INBOUND_CONNECT_TIMEOUT_listener_name parameter is set to three (3) or less, but greater than zero (0).
2. The SQLNET.INBOUND_CONNECT_TIMEOUT parameter is set to three (3) or less, but greater than zero (0).

ORA9W-68
Verify that network address restrictions are enabled. Access to the database from the network can be restricted based on TCP/IP network address. TCP/IP address restrictions shall be defined on systems unless such restrictions are not feasible.

1. View the $ORACLE_HOME/network/admin/sqlnet.ora file.

1. The following lines must be present:
   tcp.validnode_checking = YES
   tcp.invited_nodes = (list of IP addresses, hostnames)
   tcp.excluded_nodes = (list of IP addresses, hostnames)

ORA9W-69
Verify that the XML DB feature is disabled, unless it is necessary in which case required event logging must be in place. The Oracle DB feature offers access to database resources using standard Internet protocols. If Oracle XML DB is not required, then it shall be disabled; if it is required, logging shall be enabled by setting the log-level for all enabled protocols to log unsuccessful logins.

Determine, from a knowledgeable DBA, if Oracle XML DB is required and in use.
1. If it is not in use, then view the $ORACLE_HOME/dbs/init$ORACLE_SID.ora file.
OR
2. If Oracle XML DB use is justified, then view the xdbconfig.xml file.

1. No lines of the following type are present: DISPATCHERS="(PROTOCOL=TCP)(SERVICE=XDB)"
OR
2.
The following line is present within the and tags: 1

ORA9W-70
Verify that Oracle Enterprise Management components have been removed if they are not required. The Oracle Intelligent Agent is used by the Oracle Enterprise Manager to provide centralized database management both locally and remotely. Because this functionality offers administrative action on the local database and is available via the network, it is vulnerable to attack. The DBA shall disable the Oracle Intelligent Agent on databases accessible via the Internet.

1. Perform the following query:
   SQL> SELECT * FROM DBA_ROLES
        WHERE ROLE='SNMPAGENT';
2. Execute the following from the command line:
   % file $ORACLE_HOME/bin/dbsnmp

1. This query must not return any data, i.e., "no rows selected."
2. This command must return an error similar to "No such file or directory."

ORA9W-71
Verify that no static or fixed user database accounts have their unencrypted passwords inside the database link table. Applications shall not create or use public database links, with the exception of database links required for replication.

1. Perform the following query:
   SQL> SELECT NAME FROM LINK$
        WHERE PASSWORD IS NOT NULL;

ORA9W-72
Verify that multiple copies of the database's control and redo files exist. To prevent loss of service resulting from disk failure, multiple copies of Oracle control and redo log files shall be employed.

1. Perform the following query:
   SQL> SELECT NAME FROM v$CONTROLFILE;
2. Perform the following query:
   SQL> SELECT MEMBER FROM v$LOGFILE;

1. At least two control file paths must be returned.
2. At least two redo log file paths must be returned.

ORA9W-73
Verify that the SQL*Plus HOST command is disabled. The HOST command provides system access to database users. The DBA shall restrict access to the HOST command to authorized DBAs.

1. Perform the following query:
   SQL> SELECT CHAR_VALUE
        FROM PRODUCT_USER_PROFILE
        WHERE ATTRIBUTE='HOST';

1.
This query must return the string DISABLED.

ORA9W-74
Verify that no users have the SYSTEM tablespace as their default or temporary tablespace. To prevent the SYSTEM tablespace from becoming full, the DBA shall ensure that no non-default users have the SYSTEM tablespace as their default or temporary tablespace.

1. Perform the following query:
   SQL> SELECT USERNAME FROM DBA_USERS
        WHERE USERNAME NOT IN
        ('OUTLN','SYS','SYSTEM')
        AND (DEFAULT_TABLESPACE='SYSTEM' OR
        TEMPORARY_TABLESPACE='SYSTEM');

1. This query must not return any data, i.e., "no rows selected."

ORA9W-75
Verify that ARCHIVELOG mode is enabled. The Oracle ARCHIVELOG feature allows for database recovery via the redo log files. The DBA shall enable ARCHIVELOG mode.

1. Perform the following query:
   SQL> SELECT LOG_MODE FROM v$DATABASE;

1. This query must return ARCHIVELOG as the value for LOG_MODE.

ORA9W-76
Verify that the Oracle trace utility does not exist on the system. The Oracle trace utility can have a negative impact on database performance and disk space usage.

1. View the following directory: $ORACLE_HOME/otrace/admin/*.dat

1. No files with the extension of dat (*.dat) exist.

Test Procedures

This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented an Oracle 9i database (Windows or UNIX) to receive, store, process or transmit Federal Tax Information (FTI).

ORA9U-01
ORA9U-02
ORA9U-03
ORA9U-04
ORA9U-05
ORA9U-06
ORA9U-07
ORA9U-08
ORA9U-09
ORA9U-10
Examine
ORA9U-11
ORA9U-12
ORA9U-13
ORA9U-14
ORA9U-15
ORA9U-16
ORA9U-17
ORA9U-18
ORA9U-19
ORA9U-20
ORA9U-21

ORA9U-22
On Oracle database version 9.2 and later, verify that actions made by the SYS, SYSDBA, and SYSOPER accounts are audited, i.e., that the AUDIT_SYS_OPERATIONS initialization parameter is set to TRUE. The AUDIT_SYS_OPERATIONS initialization parameter introduced with Oracle version 9.2 enables auditing of actions performed by SYS, SYSDBA, or SYSOPER accounts.
The audit records generated are stored in the OS audit file in the $ORACLE_HOME/rdbms/admin directory.

ORA9U-23
SC-4

Perform the following query:
   SQL> SELECT VALUE FROM v$PARAMETER
        WHERE NAME='global_names';
2. View the init.ora file for each Oracle instance.

This query must return TRUE. View the init.ora file for each Oracle instance; the following statement must be present: GLOBAL_NAMES = TRUE

ORA9U-24
ORA9U-25
ORA9U-26
SC-7

ORA9U-27
Verify that a valid and protected directory is designated for writing and storing the audit trail, i.e., that the AUDIT_FILE_DEST initialization parameter is well defined. The AUDIT_FILE_DEST parameter specifies the directory where the Oracle database audit trail shall be written on the host system.

1. Perform the following query:
   SQL> SELECT VALUE FROM v$PARAMETER
        WHERE NAME='audit_file_dest';
2. View the init.ora file for each Oracle instance.

1. This query must return the full path to a valid, protected directory.
2. The following statement must be present: AUDIT_FILE_DEST = where is the full path to a valid, protected directory. (Note that the AUDIT_TRAIL initialization parameter must be set to OS for the AUDIT_FILE_DEST setting to take effect.)

ORA9U-28
ORA9U-29

ORA9U-30
Verify that a valid and protected directory is designated for writing and storing Oracle core files, i.e., that the CORE_DUMP_DEST initialization parameter is well defined. The CORE_DUMP_DEST parameter specifies the host directory where the Oracle core files are written.

1. Perform the following query:
   SQL> SELECT VALUE FROM v$PARAMETER
        WHERE NAME='core_dump_dest';
2. View the init.ora file for each Oracle instance.

1. This query must return the full path to a valid, protected directory.
2. The following statement must be present: CORE_DUMP_DEST = where is the full path to a valid, protected directory.

ORA9U-31
ORA9U-32
ORA9U-33
ORA9U-34
AC-14
ORA9U-35
SC-9
ORA9U-36
AC-17

ORA9U-37

1.
For each username/status pair below, perform the following query:
   SQL> SELECT username, account_status
        FROM dba_users
        WHERE username = '';
   USERNAME ACCOUNT_STATUS
   ADAMS, AURORA$JIS$UTILITY$, AURORA$ORB$UNAUTHENTICATED, BLAKE, CLARK, CTXSYS, DBSNMP, HR, JONES, LBACSYS, MDSYS, OE, OLAPDBA, OLAPSVR, OLAPSYS, ORDPLUGINS, ORDSYS, OSE$HTTP$ADMIN, OUTLN, PM, QS, QS_ADM, QS_CB, QS_CBADM, QS_CS, QS_ES, QS_OS, QS_WS, SCOTT, SH, SYS, SYSTEM

ORA9U-38

1. Run the following command:
   % egrep -i passwords_listener $ORACLE_HOME/network/admin/listener.ora

ORA9U-39

1. Run the following command:
   % egrep -i admin_restrictions_ $ORACLE_HOME/network/admin/listener.ora

ORA9U-40

ORA9U-41
Verify that Oracle files and directories have correct ownership. All files and directories installed by Oracle should be owned by the installation account and the installation group, except for the Oracle Listener and Intelligent Agent processes, both of which must have unique user IDs associated with them.

1. Run the following commands for each Oracle-based filesystem:
   % ls -lR /u01 | egrep -v 'oracle|total|^$|:$'
   % ls -lR /u01 | egrep -v 'oinstall|total|^$|:$'
   (In this example, /u01 is the Oracle filesystem, the installation owner is assumed to be oracle, and the installation group is assumed to be oinstall.)

1. The results of these commands should only return the Listener, nmb, and nmo binaries. The Listener binary should be owned by a user account made solely for the purpose of owning/running the Oracle listener. The nmb and nmo must be owned by root for operational reasons.

ORA9U-42
Verify that all database files, redo logs, and control files have permission mode 640 or more restrictive; these files typically have .dbf, .log, and .ctl extensions, respectively. To maintain discretionary access to data, all database files, redo logs, and control files must be readable only by the oracle account and dba group.

1.
Locate all database files, redo logs, and control files with a find command similar to the following:
   % find XXX -type f \( -name "*.dbf" -o -name "*.log" -o -name "*.ctl" \)
   (Here, XXX is all of the Oracle-based filesystems)

1. For each result of this command, check the permissions and ownership. The permission mode for each file must be 640 or more restrictive, the owner must be oracle, and the group owner must be dba.

ORA9U-43
Verify that the main Oracle binary directory has its permission mode set to 755. The $ORACLE_HOME/bin directory must be writable by the Oracle software owner and executable by all users.

1. Perform the following command:
   % ls -ld $ORACLE_HOME/bin/

1. This directory must have its permission mode set to 755, be owned by oracle, and group owned by dba. (For Oracle Database versions earlier than 9.2, the permission mode must be set to 751.)

ORA9U-44
Verify that Oracle files requiring the SUID to be set for normal operation are configured correctly. The files listed require the SUID bit to be set in accordance with the IRS UNIX IRM.

1. Perform the following command:
   % ls -l $ORACLE_HOME/bin/dbsnmp
2. Perform the following commands.
   % ls -l $ORACLE_HOME/bin/oidldapd
   % ls -l $ORACLE_HOME/bin/oracle
   % ls -l $ORACLE_HOME/bin/oradism

1. If long list output is returned, the permission mode must correspond to mode 4750; the owner must be root; and the group owner must be dba. (The 4 indicates that the setuid bit is set.)
2. If long list output is returned, the permissions code must correspond to mode 4751; the owner must be oracle; and the group owner must be dba. (The 4 indicates that the setuid bit is set.)

ORA9U-45
Verify that all other executables in the $ORACLE_HOME/bin directory are writable only by oracle and group-executable. All other Oracle executables in the $ORACLE_HOME/bin directory must have their permission mode set to 750.

1.
Execute the following script from the command line:
   % for i in `ls $ORACLE_HOME/bin`; do
       file $ORACLE_HOME/bin/$i | \
       egrep -s executable &&
       ls -lL $ORACLE_HOME/bin/$i | egrep -v rwxr-x---
     done

1. This command must not return any output other than the following: nmb, nmo, oidldapd, oracle, and oradism.

ORA9U-46
Verify that the main Oracle library directory has its permission mode set to 750. The $ORACLE_HOME/lib directory must be writable by the Oracle software owner.

1. Perform the following command:
   % ls -ld $ORACLE_HOME/lib/

1. This directory must have its permission mode set to 750, be owned by oracle, and group owned by dba.

ORA9U-47
Verify that all files in the main Oracle library directory have their permission modes set to 644. The contents of $ORACLE_HOME/lib must be readable and writable by oracle and readable by all other users.

1. Execute the following script from the command line:
   % for i in `ls $ORACLE_HOME/lib`; do
       ls -lLd $ORACLE_HOME/lib/$i | \
       egrep -v rw-r--r--
     done

1. This command must not return any output.

ORA9U-48
Verify that the main Oracle log directory has its permission mode set to 750. Access to the $ORACLE_HOME/rdbms/log directory must be restricted to the oracle account and dba group.

1. Perform the following command:
   % ls -ld $ORACLE_HOME/rdbms/log/

ORA9U-49
Verify that product subdirectories containing logging information have their permission modes set to 750. Access to the $ORACLE_HOME/rdbms and $ORACLE_HOME/sqlplus directories must be restricted to the oracle account and dba group.

1. Perform the following commands:
   % ls -ld $ORACLE_HOME/rdbms/
   % ls -ld $ORACLE_HOME/sqlplus/

1. These directories must have their permission modes set to 750, be owned by oracle, and group owned by dba.

ORA9U-50
Verify that all files in product subdirectories containing logging information have their permission modes set to 644. The contents of $ORACLE_HOME/rdbms and $ORACLE_HOME/sqlplus must be read-writable by oracle and readable by all other users.

1.
Execute the following commands: % ls -lL $ORACLE_HOME/rdbms | egrep '^-' | \ > egrep -v 'rw-r--r--' % ls -lL $ORACLE_HOME/sqlplus | egrep '^-' | \ > egrep -v 'rw-r--r--'-1. These commands must not return any output.ORA9U-51Verify that the Oracle trace directory has its permission mode set to 730. Access to the $ORACLE_HOME/network/trace directory must be restricted to the oracle account, with limited access granted to the dba group.F1. Perform the following command: % ls -ld $ORACLE_HOME/network/trace/g1. This directory must have its permission mode set to 730, be owned by oracle, and group owned by dba.ORA9U-52Verify that all files in product admin subdirectories containing logging information have their permission modes set to 644. The contents of $ORACLE_HOME/rdbms/admin and $ORACLE_HOME/sqlplus/admin must read-writable by oracle and readable by all other users.1. Execute the following commands: % ls -lL $ORACLE_HOME/rdbms/admin | \ > egrep '^-' | \ > egrep -v 'rw-r--r--' % ls -lL $ORACLE_HOME/sqlplus/admin | \ > egrep '^-' | \ > egrep -v 'rw-r--r--'ORA9U-53Verify that each parent direc<tory in the $ORACLE_HOME path has a permission mode of 755. All parent directories of the $ORACLE_HOME directory must be writable by their owners, and world readable/executable.1. Execute the following script from the command line: % opath= % for I in `echo $ORACLE_HOME | \ > sed 's/\// /g'`; do > opath=$opath/$i > ls -ld $opath | grep -v drwxr-xr-x > done.1. There must not be output from this command.ORA9U-545Verify that access to all Oracle database parameter files is restricted to the software owner and DBAs. Access to the Oracle initialization parameter files, i.e. init.ora, init.ora, spfile.ora, and spfile.ora, must have their permissions modes set to 640, be owned by oracle and group-owned by dba.1. Locate all database initialization parameter files. These are typically found in the $ORACLE_HOME/dbs/ directory, but may be found elsewhere. 
Perform the following command: % ls -l h 1. These files must have their permission modes set to 640, be owned by oracle, and group owned by dba.ORA9U-55Verify that access to the remote logon password file is restricted to the software owner and DBAs. Oracle stores encrypted forms of the internal SYS password, as well as account passwords for users granted the SYSDBA or SYSOPER roles in a special password file. Read access to this file must be restricted to authorized users. This file must have its permission mode must be set to 640, be owned by oracle, and group-owned by dba.1. Locate the remote logon password file. This is typically located at $ORACLE_HOME/dbs/orapwd.ora, but may be found elsewhere. Perform the following command: % ls -l b1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba.ORA9U-561. Locate the listener.ora file. This is typically located at $ORACLE_HOME/network/admin/listener.ora, but may be found elsewhere. Perform the following command: % ls -l c 1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba.ORA9U-571. Locate the dbsnmp_rw.ora and dbsnmp_ro.ora files. These are typically located in the $ORACLE_HOME/network/admin/ directory, but may be found elsewhere. Perform the following command for each file: % ls -l g1. These files must have their permission modes set to 640, be owned by oracle, and group owned by dba.ORA9U-581. Locate the sqlnet.ora file. This is typically located at $ORACLE_HOME/network/admin/sqlnet.ora, but may be found elsewhere. Perform the following command: % ls -l 1. This file must have its permission mode set to 640, be owned by oracle, and group owned by dba. (For Oracle database versions 8 and 8i, this check must also be performed on the protocol.ora file.)ORA9U-591. 
Perform the following command: % ls -l $ORACLE_HOME/ where is each of the following directories: admin/bdump/, admin/cdump/, admin/create/, admin/udump/, ctx/log/, hs/log/, ldap/log/, network/log/, otrace/admin/, and sysman/log/1. All files with the log and trc file extensions must have their permission modes set to 640, be owned by oracle, and group-owned by dba.ORA9U-60AU-2ORA9U-61ORA9U-62ORA9U-63AC-22ORA9U-64ORA9U-65ORA9U-66ORA9U-67ORA9U-68ORA9U-69ORA9U-70ORA9U-71ORA9U-72ORA9U-73ORA9U-74ORA9U-75ORA9U-76ORA9U-77SC-5ORA9U-78ORA9U-79ORA9U-80ORA9U-81ORA9U-82ORA9U-83ORA9U-84ORA9U-85ORA9U-86ORA9U-87I1. Perform the following command: % ls -l $ORACLE_HOME/otrace/admin/*.dat21. This command must not return any file listings.Update to new template.Booz Allen HamiltonC% DISA Oracle 9 Database Security Checklist, Version 8, Release 1.7B% DISA Generic Database Security Checklist, Version 8, Release 1.6AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PM-1, PM-3, PM-5, PM-6, PM-7, PM-8,AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-16, OPE-17, PE-18, PM-4, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12PM-9, PM-10, PM-11, SA-12, SA-13, SA-14, SC-16, SC-20, SC-22, SC-25, SC-26, SC-27, SC-28, SC-29, SC-30, SC-31, SC-33, SC-34, SI-8, SI-137Out of Scope Controls - Unselected NIST 800-53 Controls % Released: February 12, 2013% NIST Control Name&Full name which describes the NIST ID.hMinor update to correct worksheet locking capabilities. 
Added back NIST control name to Test Cases Tab.

NIST Control Name
Transmission Confidentiality
Account Management
Audit Review, Analysis, and Reporting
Network Disconnect
Separation of Duties
Protection of Audit Information
Time Stamps
Least Functionality
Authenticator Management
Flaw Remediation
Audit Generation
Audit Storage Capacity
Least Privilege
Information in Shared Resources
Boundary Protection
Permitted Actions without Identification or Authentication
Remote Access
Identifier Management
Access Enforcement
Auditable Events
Publicly Accessible Content
Public Access Protections
Denial of Service Protection
Application Partitioning

SCSEM Version: 1.2
SafeguardReports@IRS.gov
http://www.irs.gov/uac/Safeguards-Program

Identify OS or App Version and include Service Packs and Builds
Insert unique identifier for the computer or device
Insert tester name and organization
Insert City, State and address or building
IRS Office of Safeguards SCSEM
IT Security Compliance Evaluation
Booz Allen Hamilton
usgcb, stig, pub1075

The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

Michael Caruso
Office of Safeguards
Internal Revenue Service

Worksheets: Dashboard, Results, Instructions, 9i for Windows, 9i for UNIX, Appendix, Change Log