STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Use of DBA accounts should be restricted to administrative activities.

DISA Rule

SV-24775r1_rule

Vulnerability Number

V-15632

Group Title

DBA account use

Rule Version

DG0124-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement policy and procedures outlining the proper and improper use of DBA accounts.

The documentation should clearly state that DBA accounts are used to administer and maintain the database only.

DBA accounts are not to be used to create or alter application objects.

Application maintenance should always be performed by the application object owner or application administrator accounts.

Request acknowledgement of receipt of these restrictions by all users granted DBA responsibilities.

Check Contents

Review objects owned by custom DBA user accounts.

If any objects owned by DBA accounts are accessed by non-DBA users either directly or indirectly by other applications, this is a Finding.

Review documentation or instructions provided to DBAs to communicate proper and improper use of DBA accounts.

If such documentation does not exist or if DBAs do not indicate an understanding of this requirement, this is a Finding.
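
One way to support the object review in this check, as an added example that is not part of the STIG text: a data dictionary query listing objects owned by custom DBA accounts that non-DBA accounts can reach, either through direct grants or through dependent objects in other schemas. It assumes a DBA account is a direct grantee of the DBA role and that SYS and SYSTEM are the only Oracle-supplied accounts to exclude.

```sql
-- Added example, not part of the STIG text. Requires SELECT on the DBA_* views.
-- Assumptions: a "DBA account" is a direct grantee of the DBA role (nested role
-- grants are not followed), and SYS/SYSTEM are the only Oracle-supplied
-- accounts excluded; extend that list to match the site's account inventory.
WITH dba_holders AS (
    -- Every user or role that has been granted the DBA role directly
    SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'
),
custom_dba AS (
    -- Holders that are database users (not roles) and not Oracle-supplied
    SELECT h.grantee AS username
    FROM   dba_holders h
    JOIN   dba_users u ON u.username = h.grantee
    WHERE  h.grantee NOT IN ('SYS', 'SYSTEM')
)
-- Direct access: object privileges on DBA-owned objects granted to
-- non-DBA users, roles or PUBLIC
SELECT 'GRANT'      AS access_path,
       p.owner      AS dba_owner,
       p.table_name AS object_name,
       p.grantee    AS accessed_by,
       p.privilege  AS detail
FROM   dba_tab_privs p
JOIN   custom_dba c ON c.username = p.owner
WHERE  p.grantee NOT IN (SELECT grantee FROM dba_holders)
UNION ALL
-- Indirect access: objects in non-DBA schemas (for example views or
-- PL/SQL units) that reference DBA-owned objects
SELECT 'DEPENDENCY',
       d.referenced_owner,
       d.referenced_name,
       d.owner || '.' || d.name,
       d.type
FROM   dba_dependencies d
JOIN   custom_dba c ON c.username = d.referenced_owner
WHERE  d.owner NOT IN (SELECT grantee FROM dba_holders)
ORDER  BY 2, 3, 1;
```

Each returned row is a candidate for the Finding condition and needs review against the application's design; an empty result covers only the object review, not the documentation review.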

Documentable

False

Severity Override Guidance

Review objects owned by custom DBA user accounts.

If any objects owned by DBA accounts are accessed by non-DBA users either directly or indirectly by other applications, this is a Finding.

Review documentation or instructions provided to DBAs to communicate proper and improper use of DBA accounts.

If such documentation does not exist or if DBAs do not indicate an understanding of this requirement, this is a Finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1367

Comments