Unauthorized user accounts should not exist.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2508 | DG0070-ORACLE11 | SV-24647r1_rule | Medium |
| Description |
|---|
| Unauthorized user accounts provide unauthorized access to the database and may allow access to database objects. Only authorized users should be granted database accounts. |
| STIG | Date |
|---|---|
| Oracle Database 11g Instance STIG | 2017-06-29 |
Details
| Check Text ( C-29171r1_chk ) |
|---|
| Review procedures for ensuring authorization of new or re-assigned DBMS user accounts. Requests for user account access to the DBMS should include documented approval by an authorized requestor. Procedures should also include notification for a change in status, particularly cause for revocation of account access, to any DBMS accounts. Review the user accounts listed either in the script report or manually against the authorized user list. From SQL*Plus: select username from dba_users order by username; If procedures for DBMS user account authorization are incomplete or not implemented, this is a Finding. If any accounts listed are not clearly authorized, this is a Finding. |
| Fix Text (F-26183r1_fix) |
|---|
| Develop, document and implement procedures for authorizing creation, changes and deletions of user accounts. Monitor user accounts to verify that they remain authorized. |