STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.

DISA Rule

SV-24850r1_rule

Vulnerability Number

V-2511

Group Title

Oracle default account access

Rule Version

DO0140-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design, document and implement policy and procedures for use, logging and monitoring of Oracle default accounts in the System Security Plan.

Ensure those granted access to the accounts are aware of the accounts and the policies and procedures for them.

Check Contents

With the IAO and DBA, review the policy and procedures for use of the Oracle default accounts, including direct use of the Oracle SYS and SYSTEM accounts.

If a policy does not exist for their use, this is a Finding.

If procedures, automated or manual, for logging default account use are not defined or implemented, this is a Finding.

If monitoring of default account use does not exist or is not implemented, this is a Finding.

Documentable

False

Severity Override Guidance

With the IAO and DBA, review the policy and procedures for use of the Oracle default accounts, including direct use of the Oracle SYS and SYSTEM accounts.

If a policy does not exist for their use, this is a Finding.

If procedures, automated or manual, for logging default account use are not defined or implemented, this is a Finding.

If monitoring of default account use does not exist or is not implemented, this is a Finding.

Check Content Reference

I

Responsibility

Information Assurance Officer

Target Key

1367
