From Oracle Database 11g Instance STIG
Part of DBMS services dedicated custom account
Shared accounts do not provide separation of duties nor allow for assignment of least privileges for use by database processes and services. Without separation and least privilege, the exploit of one service or process is more likely to be able to compromise another or all other services.
Ask the DBA/SA to demonstrate process ownership for the Oracle DBMS software. On UNIX Systems (enter at command prompt): ps ef | grep -i pmon | grep -v grep (all database processes) ps ef | grep -i tns | grep -v grep (all listener processes) ps ef | grep -i dbsnmp | grep -v grep (Oracle Intelligent Agents) Sample output (database processes): oracle 5593 1 0 08:15 ? 00:00:00 ora_pmon_oraprod1 Sample output (listener processes): oracle 5505 1 0 08:15 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit Sample output (agent processes): oracle 1734 1 0 08:16 ? 00:00:00 /var/opt/oracle/product/10.2.0/db_1/bin/dbsnmp In the above samples, the occurrence of "oracle" indicate the user account that owns the process. If any Oracle processes are not using a dedicated OS account, this is a Finding. For Windows Systems: Log in using account with administrator privileges. Open the Services snap-in. Review the Oracle processes. All Oracle processes should be run (Log On As) by a dedicated Oracle Windows OS account and not as LocalSystem. If any Oracle service is not run by a dedicated Oracle Windows OS account, this is a Finding. If any Oracle service is run as LocalSystem, this is a Finding.
On UNIX Systems: Ensure the Oracle Owner account is used for all Oracle processes. The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account. On Windows Systems: Create and assign a dedicated Oracle Windows OS account for all Oracle processes.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer