UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32347 SRG-APP-000080-DB-000063 SV-42684r1_rule Low
Description
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. When group accounts are utilized without another means of identifying individual users, users may deny having performed a particular action.
STIG Date
Database Security Requirements Guide 2012-07-02

Details

Check Text ( C-40795r2_chk )
Review DBMS settings to determine whether users can be identified as individuals when using group accounts. If the individual user who is using a group account cannot be identified, this is a finding.

Review auditing to determine whether auditing includes details identifying the individual user when using group accounts. If auditing logs do not specify the individual user who performed an audited action using a group account, this is a finding.
Fix Text (F-36261r1_fix)
Use accounts assigned to individual users where feasible.
Configure DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account.