O121-BP-025500 - Replication accounts must not be granted DBA privileges.

Information

Replication accounts may be used to access databases defined for the replication architecture. An exploit of a replication on one database could lead to the compromise of any database participating in the replication that uses the same account name and credentials. If the replication account is compromised and it has DBA privileges, the database is at additional risk to unauthorized or malicious action.

Solution

Restrict privileges assigned to replication accounts to the fewest possible privileges.

Remove DBA roles from replication accounts.

Create and use custom replication accounts assigned least privileges for supporting replication operations.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-219866r961863_rule, STIG-ID|O121-BP-025500, STIG-Legacy|SV-76003, STIG-Legacy|V-61513, Vuln-ID|V-219866

Plugin: OracleDB

Control ID: d2422d7fccdc2187f40f410769cfa9652b61b9b22b4f33d5100a04fc32628e5b