STIGQter STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017: All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.

DISA Rule

SV-24632r1_rule

Vulnerability Number

V-2424

Group Title

All database non-interactive, n-tier connection, a

Rule Version

DG0060-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use accounts assigned to individual users where feasible.

Design applications to provide individual accountability (audit logs) for actions performed under a single database account.

Implement other DBMS automated procedures that provide individual accountability.

Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.

Check Contents

From SQL*Plus:
select username from dba_users order by username;

Review the list of database account names to determine usage of all non-standard account names or account names that do not appear to be assigned to individuals.

For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not have the appearance of assignment to an individual interactive user.

An account name like JDOE appears to be assigned to an individual.

Review the list of account names against those listed in the System Security Plan or authorized user list.

Consult the IAO or DBA to make a final determination on whether accounts are shared accounts or not.

If shared accounts are not documented as such and are not approved, this is a Finding.

Vulnerability Number

V-2424

Documentable

False

Rule Version

DG0060-ORACLE11

Severity Override Guidance

From SQL*Plus:
select username from dba_users order by username;

Review the list of database account names to determine usage of all non-standard account names or account names that do not appear to be assigned to individuals.

For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not have the appearance of assignment to an individual interactive user.

An account name like JDOE appears to be assigned to an individual.

Review the list of account names against those listed in the System Security Plan or authorized user list.

Consult the IAO or DBA to make a final determination on whether accounts are shared accounts or not.

If shared accounts are not documented as such and are not approved, this is a Finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1367

Comments