Use of DBA accounts should be restricted to administrative activities.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15632	DG0124-ORACLE11	SV-24775r1_rule	ECLP-1	Medium

Description
Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for non-administration application development or application maintenance can lead to miss-assignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.

Description

Use of privileged accounts for non-administrative purposes puts data at risk of unintended or unauthorized loss, modification or exposure. In particular, DBA accounts if used for non-administration application development or application maintenance can lead to miss-assignment of privileges where privileges are inherited by object owners. It may also lead to loss or compromise of application data where the elevated privileges bypass controls designed in and provided by applications.

STIG	Date
Oracle 11 Database Instance STIG	2014-01-14

Details

Check Text ( C-1254r1_chk )
Review objects owned by custom DBA user accounts. If any objects owned by DBA accounts are accessed by non-DBA users either directly or indirectly by other applications, this is a Finding. Review documentation or instructions provided to DBAs to communicate proper and improper use of DBA accounts. If such documentation does not exist or if DBAs do not indicate an understanding of this requirement, this is a Finding.

Check Text ( C-1254r1_chk )

Review objects owned by custom DBA user accounts.

If any objects owned by DBA accounts are accessed by non-DBA users either directly or indirectly by other applications, this is a Finding.

Review documentation or instructions provided to DBAs to communicate proper and improper use of DBA accounts.

If such documentation does not exist or if DBAs do not indicate an understanding of this requirement, this is a Finding.

Fix Text (F-2624r1_fix)
Develop, document and implement policy and procedures for outlining the proper and improper use of DBA accounts. The documentation should clearly state that DBA accounts are used to administer and maintain the database only. DBA accounts are not to be used to create or alter application objects. Application maintenance should always be performed by the application object owner or application administrator accounts. Request acknowledgement of receipt of these restrictions by all users granted DBA responsibilities.

Fix Text (F-2624r1_fix)

Develop, document and implement policy and procedures for outlining the proper and improper use of DBA accounts.

The documentation should clearly state that DBA accounts are used to administer and maintain the database only.

DBA accounts are not to be used to create or alter application objects.

Application maintenance should always be performed by the application object owner or application administrator accounts.

Request acknowledgement of receipt of these restrictions by all users granted DBA responsibilities.