From Oracle Database 11g Instance STIG
Part of Oracle DBA role assignment
The DBA role is very powerful and access to it should be restricted. Verify that any database account granted the DBA role is explicitly authorized by the IAO. In addition to full access to database objects, access to the DBA role by unauthorized accounts may provide full access to the server. Verify that individual DBA accounts are created for each DBA and that the DBA accounts are used only for DBA functions.
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts): select grantee from dba_role_privs where granted_role='DBA' and grantee not in ('SYS', 'SYSTEM', 'SYSMAN', 'CTXSYS', 'WKSYS'); If any accounts are listed, review against the list of DBA accounts authorized by the IAO in the System Security Plan. If any accounts are assigned the DBA role and are not authorized by the IAO, this is a Finding. If any DBA roles are assigned to developer accounts and this is a production database, this is a Finding. If any DBA roles are assigned to shared accounts, this is a Finding.
Authorize and document all DBA role authorizations in the System Security Plan. Revoke DBA role membership from unauthorized accounts. Revoke DBA role membership from any accounts assigned to a developer job function on a shared production / development database.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer