UCF STIG Viewer Logo

The DBMS must automatically audit account termination.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61573 O121-C2-002500 SV-76063r2_rule Medium
Description
When application accounts are terminated, user accessibility is affected. Accounts are utilized for identifying individual application users or for identifying the application processes themselves. In order to detect and respond to events affecting user accessibility and application processing, applications must audit account terminating actions and notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. Note that user authentication and account management should be done via an enterprise-wide mechanism whenever possible. Examples of enterprise-level authentication/access mechanisms include, but are not limited to, Active Directory and LDAP. However, notwithstanding how accounts are managed, Oracle auditing should always be configured to capture account termination.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2017-06-30

Details

Check Text ( C-62445r2_chk )
Check Oracle settings (and also OS settings and/or enterprise-level authentication/access mechanisms settings) to determine if account termination actions are being audited. If account termination actions are not being audited by Oracle, this is a finding.

If Standard Auditing is used:
To see if Oracle is configured to capture audit data, enter the following SQL*Plus command:
SHOW PARAMETER AUDIT_TRAIL
or the following SQL query:
SELECT * FROM SYS.V$PARAMETER WHERE NAME = 'audit_trail';
If Oracle returns the value 'NONE', this is a finding.

If Unified Auditing is used:
To see if Oracle is configured to capture audit data including account termination, enter the following SQL*Plus command:
SELECT ' Account termination is not being audited. '
FROM dual
WHERE (SELECT Count(*)
FROM (select policy_name , audit_option from audit_unified_policies
WHERE audit_option = 'DROP USER'
and policy_name in (select policy_name from audit_unified_enabled_policies where user_name='ALL USERS'))) = 0
OR (SELECT value
FROM v$option
WHERE parameter = 'Unified Auditing') != 'TRUE';

If Oracle returns "no rows selected", this is not a finding.
Fix Text (F-67489r2_fix)
Configure Oracle to audit account termination actions.

If Standard Auditing is used:
Use this process to ensure auditable events are captured:
ALTER SYSTEM SET AUDIT_TRAIL= SCOPE=SPFILE;
Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.
After executing this statement, it may be necessary to shut down and restart the Oracle database.

If Unified Auditing is used:
To ensure auditable events are captured:
Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing. Reference V-61625 for information on how to configure a policy to audit account termination.

For more information on the configuration of auditing, refer to the following documents:
"Auditing Database Activity" in the Oracle Database 2 Day + Security Guide:
http://docs.oracle.com/database/121/TDPSG/tdpsg_auditing.htm#TDPSG50000
"Monitoring Database Activity with Auditing" in the Oracle Database Security Guide:
http://docs.oracle.com/database/121/DBSEG/part_6.htm#CCHEHCGI
"DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference:
http://docs.oracle.com/database/121/ARPLS/d_audit_mgmt.htm#ARPLS241
Oracle Database Upgrade Guide:
http://docs.oracle.com/database/121/UPGRD/afterup.htm#UPGRD52810