DG0109-ORACLE11 - The DBMS should not be operated without authorization on a host system supporting other application services.

Information

In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability in, and subsequent exploit of, one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to the host system will most likely lead to a compromise of all applications hosted by the same system. A DBMS not installed on a dedicated host is threatened by the other hosted applications. Applications that share a single DBMS may also create risk to one another: access controls defined for one application may, by default, provide access to the other application's database objects or directories. Any method that provides some level of separation of security context helps protect the applications from one another.

Solution

A dedicated host system in this case refers to an instance of the operating system at a minimum.

The operating system may reside on a virtual host machine where supported by the DBMS vendor.

Remove any unauthorized processes or services and install on a separate host system.

Where separation is not supported, update the System Security Plan to provide the technical requirement for having the application share a host with the DBMS.
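One way to get a first inventory of "other application services" on the DBMS host, as an added example that is not part of the STIG or of the Tenable audit check: list listening TCP services and flag any whose owning process is not on a site-approved list. It assumes iproute2 `ss -Hltnp` output and an assumed authorized-process list (`AUTHORIZED`); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the STIG or the Tenable audit check.
# Reports listening TCP services whose owning process is not on a
# site-approved list, as a starting point for finding services that
# should not share the DBMS host.
# Assumes `ss -Hltnp` output (no header; process info in a users:((...)) field).

AUTHORIZED="tnslsnr sshd"   # assumption: approved listeners on a dedicated DBMS host

# Read `ss -Hltnp` lines on stdin; print "<port> <process>" for each listener
# whose process name is not in $AUTHORIZED.
unauthorized_listeners() {
  while IFS= read -r line; do
    # 4th column is the local address; the port is everything after the last ':'
    port=$(printf '%s\n' "$line" | awk '{print $4}' | sed 's/.*://')
    # process name is the first quoted string inside users:((...))
    proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
    [ -n "$proc" ] || continue          # no process info (e.g. ss not run as root)
    case " $AUTHORIZED " in
      *" $proc "*) ;;                   # approved listener
      *) printf '%s %s\n' "$port" "$proc" ;;
    esac
  done
}

# Constructed sample (not from a real host) in `ss -Hltnp` format.
SAMPLE='LISTEN 0 128 0.0.0.0:1521 0.0.0.0:* users:(("tnslsnr",pid=1234,fd=8))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=2222,fd=4))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1500,fd=13))'

# Run against the sample; on a real host use:  ss -Hltnp | unauthorized_listeners
printf '%s\n' "$SAMPLE" | unauthorized_listeners
```

Anything it reports (here the web server on 80 and the mail daemon on 25) is a candidate for removal or for documentation in the System Security Plan, as the Solution above describes.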

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, Rule-ID|SV-24715r1_rule, STIG-ID|DG0109-ORACLE11, Vuln-ID|V-15146

Plugin: Unix

Control ID: f076c2d026268987d738d0b87c185f858850cd37c39791cf2be8db56ace6c091