
OS DBA group membership should be restricted to authorized accounts.


Overview

Finding ID: V-3845
Version: DO0145-ORACLE10
Rule ID: SV-24852r1_rule
IA Controls: DCSD-1
Severity: Low
Description
Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities.
STIG: Oracle 10 Database Installation STIG
Date: 2014-01-14

Details

Check Text (C-29410r1_chk)
Review the membership for the Oracle DBA host system OS group.

On UNIX systems:

cat /etc/group | grep -i dba [where dba is the default group name from Oracle]

To display the group name if dba is not the default, use the command:

cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP

On Windows Systems:

Open Computer Management, expand System Tools, expand Local Users and Groups, select the Groups folder.

Double-click on the ORA_DBA group to view group members.

Compare the list of members with the list of authorized DBA accounts documented in the System Security Plan with the IAO.

If any users assigned to the group are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.
Fix Text (F-26437r1_fix)
Document user accounts that are authorized by the IAO to be assigned DBA privileges in the System Security Plan.

Remove any accounts assigned membership in the operating system DBA group that have not been authorized by the IAO.

Develop, document and implement procedures for periodic review of accounts assigned membership to the DBA group.
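
The UNIX check and the periodic review above as a script, added here as an example and not part of the STIG text. It also reports accounts whose primary group is the DBA group, which a grep of /etc/group does not show. The function names and the one-name-per-line authorized list file are assumptions; pass the group name found via SS_DBA_GRP if it is not dba.

```shell
#!/bin/sh
# Added example (not STIG text): list OS DBA group members that are missing
# from the authorized list. File paths are parameters so it runs on copies.

# dba_members GROUP [GROUP_FILE] [PASSWD_FILE]: print every account in GROUP.
dba_members() {
    grp=$1; group_file=${2:-/etc/group}; passwd_file=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || { echo "group $grp not found" >&2; return 2; }
    {
        # Field 4 of the group entry: supplementary members, comma separated.
        awk -F: -v g="$grp" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        # Accounts whose primary GID is the DBA group are absent from that
        # list, so looking at the group file alone misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# dba_unauthorized GROUP AUTH_FILE [GROUP_FILE] [PASSWD_FILE]
# AUTH_FILE (hypothetical format): one authorized account name per line.
# Prints the members missing from AUTH_FILE; any output is a finding.
dba_unauthorized() {
    auth_file=$2
    [ -r "$auth_file" ] || { echo "cannot read $auth_file" >&2; return 2; }
    members=$(dba_members "$1" "$3" "$4") || return 2
    [ -n "$members" ] || return 0
    # -x -F: whole-line, literal comparison, so "ora" does not match "oracle".
    printf '%s\n' "$members" | grep -v -x -F -f "$auth_file" || true
}

# Constructed sample data, not taken from a real system.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'oinstall:x:500:oracle' 'dba:x:501:oracle,jsmith,tmpadmin' > "$d/group"
    printf '%s\n' 'oracle:x:500:500::/home/oracle:/bin/sh' \
        'jsmith:x:1001:100::/home/jsmith:/bin/sh' \
        'tmpadmin:x:1002:100::/home/tmpadmin:/bin/sh' \
        'batch:x:1003:501::/home/batch:/bin/sh' > "$d/passwd"
    printf '%s\n' 'oracle' 'jsmith' > "$d/authorized"
    dba_unauthorized dba "$d/authorized" "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo   # prints batch and tmpadmin, one per line
```

On hosts that resolve accounts through NIS or LDAP, save the output of getent group and getent passwd to files and pass those instead of the local files.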