The DBMS must protect against an individual using a group account from falsely denying having performed a particular action.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32347	SRG-APP-000080-DB-000063	SV-42684r1_rule		Low

Description
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. When group accounts are utilized without another means of identifying individual users, users may deny having performed a particular action.

Description

Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users. When group accounts are utilized without another means of identifying individual users, users may deny having performed a particular action.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40795r2_chk )
Review DBMS settings to determine whether users can be identified as individuals when using group accounts. If the individual user who is using a group account cannot be identified, this is a finding. Review auditing to determine whether auditing includes details identifying the individual user when using group accounts. If auditing logs do not specify the individual user who performed an audited action using a group account, this is a finding.

Check Text ( C-40795r2_chk )

Review DBMS settings to determine whether users can be identified as individuals when using group accounts. If the individual user who is using a group account cannot be identified, this is a finding.

Review auditing to determine whether auditing includes details identifying the individual user when using group accounts. If auditing logs do not specify the individual user who performed an audited action using a group account, this is a finding.

Fix Text (F-36261r1_fix)
Use accounts assigned to individual users where feasible. Configure DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account.