DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'pmon services are using correct service account'

Information

Shared accounts provide neither separation of duties nor a way to assign least privileges to database processes and services. Without separation and least privilege, the exploitation of one service or process is more likely to lead to the compromise of another, or of all other, services.

Solution

On UNIX Systems:

Ensure the Oracle Owner account is used for all Oracle processes.

The Oracle SNMP agent (Intelligent or Management Agent) is required (by Oracle Corp per MetaLink Note 548928.1) to use the Oracle Process owner account.
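
One way to verify the UNIX requirement is to list the PMON background processes and compare their owners against the Oracle owner account. The script below is an added example, not part of the STIG or the audit plugin. It assumes the owner account is named "oracle" and that PMON processes appear as ora_pmon_<SID>; the function name, helper and sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Oracle PMON processes not owned by the expected account.
# Assumptions: owner account "oracle"; process name ora_pmon_<SID>.

# Reads "USER COMMAND" lines on stdin and prints one line per PMON process.
# Returns 0 if every PMON process is owned by $1, 1 if any is not,
# and 2 if no PMON process was found at all.
check_pmon_owner() {
    awk -v owner="$1" '
        $2 ~ /^ora_pmon_/ {
            found = 1
            sid = substr($2, length("ora_pmon_") + 1)
            if ($1 == owner) {
                printf "PASS sid=%s owner=%s\n", sid, $1
            } else {
                printf "FAIL sid=%s owner=%s expected=%s\n", sid, $1, owner
                bad = 1
            }
        }
        END {
            if (!found) exit 2
            exit bad ? 1 : 0
        }
    '
}

# Constructed sample of `ps -e -o user= -o args=` output (not real data).
sample_ps() {
    cat <<'EOF'
oracle   ora_pmon_ORCL
oracle   ora_smon_ORCL
root     ora_pmon_TEST
root     /usr/sbin/sshd -D
EOF
}

# Demonstration on the constructed sample; on a live host use:
#   ps -e -o user= -o args= | check_pmon_owner oracle
sample_ps | check_pmon_owner oracle || echo "finding: review FAIL lines above"
```

A return code of 2 means no running instance was seen, so the result is inconclusive rather than compliant.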

On Windows Systems:

Create and assign a dedicated Oracle Windows OS account for all Oracle processes.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11g_Y21M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-5, 800-53|AC-6, CAT|II, Rule-ID|SV-24702r2_rule, STIG-ID|DG0102-ORACLE11, Vuln-ID|V-15141

Plugin: Unix

Control ID: 6db36a6ded797f311a6637a516c728b559d2505d32d76d8f4a7be3e36121e426