Access to the Oracle SYS and SYSTEM accounts should be restricted to authorized DBAs.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2511 | DO0140-ORACLE11 | SV-24850r1_rule | IAGA-1 | Medium |
| Description |
|---|
| The Oracle SYS account has all database privileges assigned to it (SYSDBA). This account is used to manage the database availability status (startup and shutdown). The SYS account is used by any DBMS account that connects to the database with SYSDBA privileges. Direct use of the SYS account does not provide a level of individual accountability for actions taken during its use and does not provide individual accountability. To preserve accountability, direct access to the SYS account should be logged manually and its use monitored closely. |
| STIG | Date |
|---|---|
| Oracle 11 Database Instance STIG | 2014-01-14 |
Details
| Check Text ( C-29409r1_chk ) |
|---|
| Review the policy and procedures for use of the Oracle default accounts including direct use of the Oracle SYS and SYSTEM accounts with the IAO and DBA. If a policy does not exist for their use, this is a Finding. If procedures, automated or manual, for logging default account use are not defined or implemented, this is a Finding. If monitoring use of default accounts do not exist or is not implemented, this is a Finding. |
| Fix Text (F-26436r1_fix) |
|---|
| Design, document and implement policy and procedures for use, logging and monitoring of Oracle default accounts in the System Security Plan. Ensure those granted access to the accounts are aware of the accounts and the policies and procedures for them. |