The Oracle software installation account should not be granted excessive host system privileges.


Overview

Finding ID: V-3842
Version: DO0120-ORACLE10
Rule ID: SV-24463r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
A compromise of the Oracle database process could be used to gain access to the host operating system under the security account of the process owner. Limitation of the privileges assigned to the process account can help contain access to other processes and host system resources. This can in turn help to limit any resulting malicious activity.
STIG: Oracle Database 10g Installation STIG
Date: 2014-04-02

Details

Check Text (C-29406r1_chk)
Review the Oracle process/owner account.

For UNIX Systems:

Log into the Oracle installation account and from a system prompt enter:

groups

If root is returned in the list, this is a Finding.

For Windows Systems:

Log in using an account with administrator privileges.

Open the Services snap-in.

If the Oracle services are not assigned a dedicated OS account (view the Log on As tab), this is a Finding.

If the account is a member of any group other than the local Administrators group and the Oracle DBA groups, this is a Finding.

View user rights assigned to the service accounts.

If Deny Logon Locally is not assigned to the Oracle service account, this is a Finding.

If the service account is a domain rather than local user account, confirm with the DBA that domain resources are required and that the account is not assigned to any domain groups not required for Oracle operation (e.g. the domain users or domain administrators groups).

If the service account is a domain account and the account is assigned to domain groups not required for Oracle operations, this is a Finding.
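The UNIX branch of this check, as an added shell example that is not part of the STIG text: it splits the output of `groups` for the Oracle software owner into whole group names and reports a Finding only when one of them is exactly `root`, so a group such as `rootless` does not cause a false match. The function names, the `check_oracle_owner` wrapper and the two sample group lists are assumptions; `id -Gn` is used in the wrapper because it prints the same list as `groups` but accepts a user name, so the reviewer need not log in as the Oracle owner.

```shell
#!/bin/sh
# Added example (not from the STIG): automate the UNIX portion of the check.

# oracle_root_group_finding GROUPS_LINE
#   GROUPS_LINE is the text that `groups` (or `id -Gn`) prints for the
#   Oracle software owner. Returns 0 when "root" is one of the groups
#   (a Finding), 1 otherwise.
oracle_root_group_finding() {
    # Word-split on whitespace and compare each token exactly, so a group
    # such as "rootless" or "oracle_root" is not mistaken for "root".
    for g in $1; do
        [ "$g" = "root" ] && return 0
    done
    return 1
}

# check_oracle_owner USER
#   Runs the check against a local account on this host (assumed helper).
#   Returns 0 on a Finding, 1 when compliant, 2 if the account is unknown.
check_oracle_owner() {
    user=$1
    groups_line=$(id -Gn "$user" 2>/dev/null) || {
        echo "account $user not found"
        return 2
    }
    if oracle_root_group_finding "$groups_line"; then
        echo "FINDING: $user is a member of root: $groups_line"
        return 0
    fi
    echo "OK: $user groups: $groups_line"
    return 1
}

# Constructed sample `groups` output for two hosts (not real data).
SAMPLE_COMPLIANT="oinstall dba oper"
SAMPLE_FINDING="oinstall root dba"

# Usage: ./check.sh oracle   (queries the named account on this host)
if [ -n "${1:-}" ]; then
    check_oracle_owner "$1"
fi
```

Run it with the Oracle owner's account name as the only argument; an exit status of 0 marks the Finding described above, 1 means the account has no root group membership.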

Fix Text (F-26433r1_fix)
Remove root privileges from the Oracle software owner account on UNIX systems.

Create and assign a dedicated OS account for all Oracle processes (Windows).

Grant the dedicated OS account Oracle DBA privileges and assign the Deny Logon Locally user right to the dedicated OS account.