UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OS DBA group membership should be restricted to authorized accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3845 DO0145-ORACLE11 SV-24853r1_rule Low
Description
Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down) in addition to all privileges controlled under database operation. Assignment of membership to the OS dba group to unauthorized persons can compromise all DBMS activities.
STIG Date
Oracle Database 11g Installation STIG 2017-06-29

Details

Check Text ( C-29411r1_chk )
Review the membership for the Oracle DBA host system OS group.

On UNIX systems:

cat /etc/group | grep -i dba [where dba is the default group name from Oracle]

To display the group name if dba is not the default, use the command:

cat $ORACLE_HOME/rdbms/lib/config.[cs] | grep SS_DBA_GRP

On Windows Systems:

Open Computer Management, expand System Tools, expand Local Users and Groups, select the Group folder.

Double-click on the ORA_DBA group to view group members.

Compare the list of members with the list of authorized DBA accounts documented in the System Security Plan with the IAO.

If any users are assigned to the group that are not authorized by the IAO and documented in the System Security Plan for the system, this is a Finding.
Fix Text (F-26438r1_fix)
Document user accounts that are authorized by the IAO to be assigned DBA privileges in the System Security Plan.

Remove any accounts assigned membership in the operating system DBA group that has not been authorized by the IAO.

Develop, document and implement procedures for periodic review of accounts assigned membership to the DBA group.