STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017

OS DBA group membership should be restricted to authorized accounts.

DISA Rule

SV-24853r1_rule

Vulnerability Number

V-3845

Group Title

Oracle SYSDBA OS group membership

Rule Version

DO0145-ORACLE11

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Document user accounts that are authorized by the IAO to be assigned DBA privileges in the System Security Plan.

Remove any accounts assigned membership in the operating system DBA group that have not been authorized by the IAO.

Develop, document and implement procedures for periodic review of accounts assigned membership to the DBA group.

Check Contents

Review the membership for the Oracle DBA host system OS group.

On UNIX systems:

cat /etc/group | grep -i dba [where dba is the default group name from Oracle]

To display the group name if dba is not the default, use the command:

cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP

On Windows Systems:

Open Computer Management, expand System Tools, expand Local Users and Groups, select the Group folder.

Double-click on the ORA_DBA group to view group members.

Compare the list of members with the list of authorized DBA accounts documented in the System Security Plan with the IAO.

If any users are assigned to the group that are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.
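
The UNIX comparison above can be scripted. The following is an added example, not part of the STIG text: it lists group members that are missing from an authorized list, and it also counts accounts whose primary GID is the DBA group, which the `/etc/group` listing alone does not show. The function names, file layout and sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; account names, GIDs and file contents are constructed.

# dba_members GROUP GROUP_FILE PASSWD_FILE
# Prints all members of GROUP: supplementary members (field 4 of the group
# file) plus accounts whose primary GID in the passwd file is the group's GID.
dba_members() {
    grp=$1 gfile=$2 pfile=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$gfile")
    [ -n "$gid" ] || return 2    # group not defined in GROUP_FILE
    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$gfile"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$pfile"
    } | sort -u
}

# unauthorized_dba GROUP GROUP_FILE PASSWD_FILE AUTH_FILE
# AUTH_FILE lists one authorized account per line (taken from the System
# Security Plan); "#" comments and whitespace are ignored.
# Prints each group member that is not on the list.
unauthorized_dba() {
    members=$(dba_members "$1" "$2" "$3") || return 2
    printf '%s\n' "$members" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        sed -e 's/#.*//' -e 's/[[:space:]]//g' "$4" | grep -qxF -- "$user" ||
            printf '%s\n' "$user"
    done
}

# Constructed sample files standing in for /etc/group, /etc/passwd and the
# authorized list.
make_sample() {
    printf '%s\n' 'root:x:0:' 'oinstall:x:54321:oracle' \
        'dba:x:54322:oracle,jsmith,tmpadmin' > "$1/group"
    printf '%s\n' 'oracle:x:54321:54321::/home/oracle:/bin/bash' \
        'jsmith:x:1001:100::/home/jsmith:/bin/bash' \
        'svcbackup:x:1002:54322::/home/svcbackup:/bin/sh' > "$1/passwd"
    printf '%s\n' '# authorized DBA accounts' 'oracle' 'jsmith  ' > "$1/authorized"
}

d=$(mktemp -d) && make_sample "$d"
unauthorized_dba dba "$d/group" "$d/passwd" "$d/authorized"
rm -rf "$d"
```

On a live host, pass `/etc/group` and `/etc/passwd` (or saved output of `getent group` and `getent passwd` where accounts come from a directory service) and the group name reported by the SS_DBA_GRP check.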

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1368
