STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

The Oracle software installation account should not be granted excessive host system privileges.

DISA Rule

SV-24465r1_rule

Vulnerability Number

V-3842

Group Title

Oracle process account host system privileges

Rule Version

DO0120-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove root privileges from the Oracle software owner account on UNIX systems.

Create and assign a dedicated OS account for all Oracle processes (Windows).

Grant the dedicated OS account Oracle DBA privileges and assign the Deny Logon Locally user right to the dedicated OS account.

Check Contents

Review the Oracle process/owner account.

For UNIX Systems:

Log into the Oracle installation account and from a system prompt enter:

groups

If root is returned in the list, this is a Finding.
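
The UNIX check above can be scripted. The following is an added example, not part of the STIG text: it matches the exact group name root, so names that merely contain "root" do not raise a Finding. The account name oracle and the use of id -Gn (which lets a reviewer read the group list without logging in as the account) are assumptions.

```shell
#!/bin/sh
# Added example for the UNIX check of V-3842: "root" in the Oracle
# software owner's group list is a Finding.

# has_root_group "<group list>"
# Returns 0 when the list contains the exact group name "root".
# Accepts both "g1 g2" (output of `groups`) and "user : g1 g2"
# (output of `groups user` on many Linux systems).
has_root_group() {
    list=${1#*:}                 # drop a leading "user :" prefix if present
    case " $list " in
        *" root "*) return 0 ;;  # whole-word match only
    esac
    return 1
}

# audit_oracle_owner [account]
# The default account name "oracle" is an assumption; pass the real
# software owner account. Return codes: 0 = not a finding,
# 1 = finding, 2 = account could not be looked up.
audit_oracle_owner() {
    acct=${1:-oracle}
    groups_out=$(id -Gn "$acct" 2>/dev/null) || {
        echo "NOT REVIEWED: account '$acct' not found"
        return 2
    }
    if has_root_group "$groups_out"; then
        echo "FINDING V-3842: $acct is a member of root ($groups_out)"
        return 1
    fi
    echo "NOT A FINDING: $acct groups: $groups_out"
    return 0
}

# Usage: audit_oracle_owner oracle
```
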

For Windows Systems:

Log in using an account with administrator privileges.

Open the Services snap-in.

If the Oracle services are not assigned a dedicated OS account (view the Log on As tab), this is a Finding.

If the account is assigned membership in any group other than the local administrator account and Oracle DBA groups, this is a Finding.

View user rights assigned to the service accounts.

If Deny Logon Locally is not assigned to the Oracle service account, this is a Finding.

If the service account is a domain account rather than a local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups).

If the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.

Documentable

False

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368

Comments