Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15108 | DG0194-ORACLE10 | SV-24839r1_rule | ECPC-1 ECPC-2 | Medium |
Description |
---|
The developer role does not include need-to-know or administrative privileges to production databases. Assigning excess privileges can lead to unauthorized access to sensitive data or compromise of database operations. |
STIG | Date |
---|---|
Oracle Database 10g Installation STIG | 2014-04-02 |
Check Text (C-29400r1_chk) |
---|
If the DBMS or DBMS host is not shared by production and development activities, this check is Not a Finding. Review policy and procedures documented or noted in the System Security Plan and evidence of monitoring of developer privileges on shared development and production DBMS and DBMS host systems. If developer privileges are not monitored every three months or more frequently, this is a Finding. NOTE: Though shared production/non-production DBMS installations were allowed under previous database STIG guidance, doing so may place them in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meet STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA. |
Fix Text (F-26425r1_fix) |
---|
Develop, document and implement procedures to monitor DBMS and DBMS host privileges assigned to developers on shared production and development systems to detect unauthorized assignments every three months or more often. Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110). A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor. |