Access to default accounts used to support replication must be restricted to authorized DBAs.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61411 O121-BP-021200 SV-75901r1_rule Medium
Description
Replication database accounts are used for database connections between databases. Replication requires the configuration of these accounts using the same username and password on all databases participating in the replication. Replication connections use fixed user database links. This means that access to the replication account on one server provides access to the other servers participating in the replication. Granting unauthorized access to the replication account provides unauthorized and privileged access to all databases participating in the replication group.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2015-12-21

Details

Check Text ( C-62301r1_chk )
From SQL*Plus:

select 'The number of replication objects defined is: '||
count(*) from all_tables
where table_name like 'REPCAT%';

If the count returned is 0, then Oracle Replication is not installed and this check is not a finding.

Otherwise:

From SQL*Plus:

select count(*) from sys.dba_repcatlog;

If the count returned is 0, then Oracle Replication is not in use and this check is not a finding.

If any results are returned, ask the ISSO or DBA if the replication account (the default is REPADMIN, but may be customized) is restricted to ISSO-authorized personnel only.

If it is not, this is a finding.

If there are multiple replication accounts, confirm that all are justified and documented with the ISSO.

If they are not, this is a finding.

Note: Oracle Database Advanced Replication is deprecated in Oracle Database 12c. Use Oracle GoldenGate to replace all features of Advanced Replication, including multimaster replication, updatable materialized views, hierarchical materialized views, and deployment templates.
Fix Text (F-67327r1_fix)
Change the password for default and custom replication accounts and provide the password to ISSO-authorized users only.