UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Each database user, application or process should have an individually assigned account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15613 DG0078-ORACLE11 SV-24663r1_rule IAIA-1 IAIA-2 Medium
Description
Use of accounts shared by multiple users, applications, or processes limit the accountability for actions taken in or on the data or database. Individual accounts provide an opportunity to limit database authorizations to those required for the job function assigned to each individual account.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-1068r1_chk )
Review DBMS account names against the list of authorized DBMS accounts in the System Security Plan.

If any accounts indicate use by mulitiple persons that are not mapped to a specific person, this is a Finding.

If any applications or processes share an account that could be assigned an individual account or are not specified as requiring a shared account, this is a Finding.

Note: Privileged installation accounts may be required to be accessed by DBA or other administrators for system maintenance. In these cases, each use of the account must be logged in some manner to assign accountability for any actions taken during the use of the account.
Fix Text (F-2541r1_fix)
Create individual accounts for each user, application, or other process that requires a database connection.

Document any accounts that are shared where separation is not supported by the application or for maintenance support.

Design, develop and implement a method to log use of any account to which more than one person has access.

Restrict interactive access to shared accounts to the fewest persons possible.