DG0060-ORACLE11 - All database non-interactive, n-tier connection, and shared accounts that exist should be documented and approved by the IAO.

Information

Group authentication does not provide individual accountability for actions taken on the DBMS or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual account ability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users.

Solution

Use accounts assigned to individual users where feasible.

Design applications to provide individual accountability (audit logs) for actions performed under a single database account.

Implement other DBMS automated procedures that provide individual accountability.

Where appropriate, implement manual procedures to use manual logs and monitor entries against account usage to ensure procedures are followed.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CAT|II, Rule-ID|SV-24632r1_rule, STIG-ID|DG0060-ORACLE11, Vuln-ID|V-2424

Plugin: OracleDB

Control ID: 6426385bc9c0b072b777458fda1194080f8e02dff9d7d5c799e93749c33542c7