SV-24465r1_rule
V-3842
Oracle process account host system privileges
DO0120-ORACLE11
CAT II
10
Remove root privileges from the Oracle software owner account on UNIX systems.
Create and assign a dedicated OS account for all Oracle processes (Windows).
Grant the dedicated OS account Oracle DBA privileges and assign the Deny Logon Locally user right to the dedicated OS account.
Review the Oracle process/owner account.
For UNIX Systems:
Log into the Oracle installation account and from a system prompt enter:
groups
If root is returned in the list, this is a Finding.
For Windows Systems:
Log in using an account with administrator privileges.
Open the Services snap-in.
If the Oracle services are not assigned a dedicated OS account (view the Log on As tab), this is a Finding.
If the account is assigned group membership to other than the local administrator account and Oracle DBA groups, this is a Finding.
View user rights assigned to the service accounts.
If Deny Logon Locally is not assigned to the Oracle service account, this is a Finding.
If the service account is a domain rather than local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups).
If the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.
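The UNIX check above can be scripted so it does not depend on reading the `groups` output by eye. The following is an added example, not part of the STIG text; the function names, the sample group lists and the account name passed on the command line are assumptions. It matches the group name `root` as a whole token and accepts both output forms of `groups` (with and without a leading `user :` prefix).

```shell
#!/bin/sh
# Added example: script the "groups" check for the Oracle software owner.
# Function names and sample data are hypothetical, not taken from the STIG.

# normalize_groups "<output of groups or id -Gn>"
# `groups <user>` prints "user : g1 g2" on some platforms; drop that prefix.
normalize_groups() {
    printf '%s\n' "$1" | sed 's/^[^:]*:[[:space:]]*//'
}

# has_root_group "<space-separated group names>"
# Returns 0 (Finding) only when a group is named exactly "root".
# Token comparison avoids false hits on names such as "nonroot".
has_root_group() {
    for g in $1; do
        [ "$g" = "root" ] && return 0
    done
    return 1
}

# check_account <account>
# Live check: looks up the account's groups without logging in as it.
check_account() {
    list=$(id -Gn "$1" 2>/dev/null) || { echo "UNKNOWN: no account $1"; return 2; }
    if has_root_group "$list"; then
        echo "FINDING: $1 is a member of root ($list)"
        return 1
    fi
    echo "NOT A FINDING: $1 groups: $list"
    return 0
}

# Constructed sample outputs of `groups` (not from a real system).
for sample in "oinstall dba" "oracle : oinstall dba root" "oinstall nonroot"; do
    if has_root_group "$(normalize_groups "$sample")"; then
        echo "Finding:       $sample"
    else
        echo "Not a finding: $sample"
    fi
done

# Run against a real account when a name is given, e.g.: sh check.sh oracle
if [ $# -gt 0 ]; then
    check_account "$1"
fi
```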
V-3842
False
DO0120-ORACLE11
M
Database Administrator
1368