STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.

DISA Rule

SV-24668r1_rule

Vulnerability Number

V-3821

Group Title

DBMS application user privilege assignment review

Rule Version

DG0080-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement policy and procedures for periodic review of database user accounts and privilege assignments.

Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures.

Check Contents

Review policy, procedures and implementation evidence to determine if periodic reviews of user privileges by the IAO are being performed.

Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned.

If policy and procedures are incomplete or no evidence of implementation exists, this is a Finding.

Documentable

False

Severity Override Guidance

Review policy, procedures and implementation evidence to determine if periodic reviews of user privileges by the IAO are being performed.

Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned.

If policy and procedures are incomplete or no evidence of implementation exists, this is a Finding.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1367
