All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.

From Oracle Database 11g Instance STIG

Part of All database non-interactive, n-tier connection, a

SV-24632r1_rule All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.

Vulnerability discussion

Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual account ability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users.

Check content

From SQL*Plus: select username from dba_users order by username; Review the list of database account names to determine usage of all non-standard account names or account names that do not appear to be assigned to individuals. For example, accounts named BATCHJOB, FMAPP, FMAPP-ADMIN do not have the appearance of assignment to an individual interactive user. An account name like JDOE appears to be assigned to an individual. Review the list of account names against those listed in the System Security Plan or authorized user list. Consult the IAO or DBA to make a final determination on whether accounts are shared accounts or not. If shared accounts are not documented as such and are not approved, this is a Finding.

Fix text

Use accounts assigned to individual users where feasible. Design applications to provide individual accountability (audit logs) for actions performed under a single database account. Implement other DBMS automated procedures that provide individual accountability. Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer