DBMS processes or services should run under custom, dedicated OS accounts.


Overview

Finding ID: V-15141
Version: DG0102-ORACLE11
Rule ID: SV-24702r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.
STIG: Oracle Database 11g Instance STIG
Date: 2017-06-29

Details

Check Text (C-29295r1_chk)
Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software.

On UNIX Systems (enter at command prompt):

ps -ef | grep -i pmon | grep -v grep (all database processes)
ps -ef | grep -i tns | grep -v grep (all listener processes)
ps -ef | grep -i dbsnmp | grep -v grep (Oracle Intelligent Agents)

Sample output (database processes):

oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1

Sample output (listener processes):

oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit

Sample output (agent processes):

oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp

In the above samples, the occurrence of "oracle" in the first column indicates the user account that owns the process.

If any Oracle processes are not using a dedicated OS account, this is a Finding.
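The UNIX check above can be scripted so that the owner of every database, listener and agent process is compared against the dedicated accounts the site has approved. This is an added example, not part of the STIG text; the account names passed in (such as "oracle") are assumed, site-specific values, and the ps -ef sample is constructed.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate "ps -ef" output against a list of
# dedicated Oracle OS accounts. Account names are assumed, site-specific values.

# Print "user pid cmd" for each database (pmon), listener (tnslsnr) and agent
# (dbsnmp) process in the ps -ef text on stdin. Matching only the CMD field
# (column 8 onward) avoids the self-match a plain grep produces.
oracle_processes() {
    awk '{
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i
        if (cmd ~ /pmon|tnslsnr|dbsnmp/) print $1, $2, cmd
    }'
}

# Read "user pid cmd" lines on stdin; print a FINDING line for every process
# whose owner is not one of the dedicated accounts given as arguments.
# Returns 0 when compliant, 1 when at least one finding was printed.
check_oracle_owners() {
    allowed=" $* "
    status=0
    while read -r user pid cmd; do
        case "$allowed" in
            *" $user "*) ;;   # owned by a dedicated account: compliant
            *) echo "FINDING: pid $pid ($cmd) runs as '$user'"; status=1 ;;
        esac
    done
    return "$status"
}

# Run both steps over a block of ps -ef text.
# Usage on a live host: audit_ps_text "$(ps -ef)" oracle
audit_ps_text() {
    ps_text=$1; shift
    printf '%s\n' "$ps_text" | oracle_processes | check_oracle_owners "$@"
}

# Constructed ps -ef sample (not captured from a real host). Database and
# listener run as "oracle"; the SNMP agent runs as root, which is a Finding
# because the agent must use the Oracle process owner account.
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 08:00 ? 00:00:02 /sbin/init
oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1
oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit
root 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp'

# Prints one FINDING line for pid 1734, then "not compliant".
if audit_ps_text "$SAMPLE_PS" oracle; then echo "compliant"; else echo "not compliant"; fi
```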

For Windows Systems:

Log in using an account with administrator privileges.

Open the Services snap-in.

Review the Oracle processes.

All Oracle processes should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem.

If any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding.

If any Oracle service is run as LocalSystem, this is a Finding.

Fix Text (F-26327r1_fix)
On UNIX Systems:

Ensure the Oracle Owner account is used for all Oracle processes.

The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account.

On Windows Systems:

Create and assign a dedicated Oracle Windows OS account for all Oracle processes.