STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

DBMS processes or services should run under custom, dedicated OS accounts.

DISA Rule

SV-24702r2_rule

Vulnerability Number

V-15141

Group Title

DBMS services dedicated custom account

Rule Version

DG0102-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

On UNIX Systems:

Ensure the Oracle Owner account is used for all Oracle processes.

The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account.

On Windows Systems:

Create and assign a dedicated Oracle Windows OS account for all Oracle processes.

Check Contents

Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software.

On UNIX Systems (enter at command prompt):

ps -ef | grep -i pmon | grep -v grep (all database processes)
ps -ef | grep -i tns | grep -v grep (all listener processes)
ps -ef | grep -i dbsnmp | grep -v grep (Oracle Intelligent Agents)

Sample output (database processes):

oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1

Sample output (listener processes):

oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit

Sample output (agent processes):

oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp

In the above samples, the first column ("oracle") indicates the user account that owns the process.

If any Oracle processes are not using a dedicated OS account, this is a Finding.

For Windows Systems:

Log in using an account with administrator privileges.

Open the Services snap-in.

Review the Oracle processes.

All Oracle processes should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem.

If any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding.

If any Oracle service is run as LocalSystem, this is a Finding.
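The UNIX portion of the check above, scripted as an added example (it is not part of the STIG text or of STIGQter). The expected owner account name `oracle` and the function names `check_oracle_owner` and `check_sample` are assumptions; the sample listing is constructed from the STIG's own sample lines plus one deliberately non-compliant process.

```shell
#!/bin/sh
# Added example, not part of the STIG text or of STIGQter: automates the
# UNIX portion of this check. The expected owner account name is an
# assumption (default "oracle"); set ORACLE_OWNER to the site's Oracle
# software owner before running.
ORACLE_OWNER="${ORACLE_OWNER:-oracle}"

# Applies the STIG's three filters (pmon, tns, dbsnmp) to a `ps -ef`
# listing read from stdin, then compares column 1 (UID) of every matching
# process against $ORACLE_OWNER. Prints one "FINDING:" line per process
# owned by another account and returns 1 if any were seen, else 0.
# Live use:  ps -ef | check_oracle_owner
check_oracle_owner() {
    grep -i -e pmon -e tns -e dbsnmp | grep -v grep |
    awk -v owner="$ORACLE_OWNER" '
        {
            cmd = $8                      # rebuild CMD (fields 8..NF)
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
        }
        $1 != owner { print "FINDING: " $1 " owns " cmd; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed listing for offline use: the STIG's sample lines plus a
# dbsnmp agent deliberately running as root (the condition that is a Finding).
SAMPLE_LISTING='UID PID PPID C STIME TTY TIME CMD
oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1
oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit
root 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp
root 42 1 0 08:00 ? 00:00:00 /usr/sbin/sshd'

# Runs the check over the constructed listing; same exit status semantics.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | check_oracle_owner
}
```

Running `check_sample` reports the root-owned dbsnmp agent and exits 1; the unrelated sshd line is ignored because it matches none of the three filters.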

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments