Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3809 | DG0053-ORACLE11 | SV-24628r1_rule | ECAN-1 | Medium |
Description |
---|
Many sites distribute a single client database connection configuration file to all site database users that contains network access information for all databases on the site. Such a file provides information to access databases not required by all users that may assist in unauthorized access attempts. |
STIG | Date |
---|---|
Oracle Database 11g Installation STIG | 2015-12-21 |
Check Text ( C-29154r1_chk ) |
---|
Review documented and implemented procedures contained or noted in the System Security Plan for providing database client connection information to users and user workstations. Oracle client connection information is stored in the file: $ORACLE_HOME/network/admin/tnsnames.ora (UNIX) %ORACLE_HOME%\network\admin\tnsnames.ora (Windows) If procedures do not indicate and implement restrictions in distribution of connection definitions to personnel/machines authorized to connect to the database, this is a Finding. |
Fix Text (F-26165r1_fix) |
---|
Develop, document and implement procedures to distribute client connection definitions or definition files that contain only connection definitions authorized for that user or user workstation. Include or note these procedures in the System Security Plan. |