UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBA role should not be assigned excessive or unauthorized privileges.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15615 DG0085-ORACLE11 SV-24673r2_rule ECLP-1 Medium
Description
Oracle SYSDBA privileges include privileges to administer the database outside of database controls (when the database is shut down or open in restricted mode) in addition to all privileges controlled under database operation. Assignment of SYSDBA privileges in the Oracle password file to unauthorized persons can compromise all DBMS activities.
STIG Date
Oracle Database 11g Instance STIG 2015-03-26

Details

Check Text ( C-15804r2_chk )
From SQL*Plus:
select username from v$pwfile_users
where username not in
(select grantee from dba_role_privs where granted_role='DBA')
and username<>'INTERNAL'
and (sysdba = 'TRUE' or sysoper='TRUE');

If any accounts are listed and are not authorized by the IAO in the System Security Plan, this is a Finding.
Fix Text (F-2586r1_fix)
If a REMOTE_LOGIN_PASSWORDFILE is in use (='EXCLUSIVE'), list database accounts assigned SYSDBA and SYSOPER database privileges and review for appropriate authorization.

Document authorized SYSDBA and SYSOPER users in the System Security Plan.

From SQL*Plus:
select * from v$pwfile_users;

To revoke SYSDBA or SYSOPER from accounts:

From SQL*Plus:
revoke sysdba from [username];
revoke sysoper from [username];