UCF STIG Viewer Logo

DBMS processes or services must run under custom, dedicated OS accounts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-61579 O121-C2-003400 SV-76069r3_rule Medium
Description
Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. The DBMS must run under a custom dedicated OS account. When the DBMS is running under a shared account, users with access to that account could inadvertently or maliciously make changes to the DBMS's settings, files, or permissions.
STIG Date
Oracle Database 12c Security Technical Implementation Guide 2020-06-12

Details

Check Text ( C-62451r2_chk )
Check OS settings to determine whether DBMS processes are running under a dedicated OS account. Sometimes, external jobs must run as an operating system user. The Scheduler enables assignment of OS credentials to external jobs.

When necessary, external jobs may be run as OS user, for example, root. When this is the case, the need should be documented and approved.

If the DBMS processes are running under shared accounts, other than an account documented and approved, this is a finding.

The Oracle Installation documentation recommends that a user account named ORACLE is created and is identified as the software owner when database software is installed.

Log on to the system as the software owner, typically ORACLE, the $ORACLE_HOME environment variable will point to the Oracle software. Enter the following commands to see if ORACLE is the software owner:

$ cd $ORACLE_HOME
$ ls -l (shows the directories - oracle is the owner and oinstall is the group. The example list below has been truncated)
drwxr-xr-x 2 oracle oinstall 4096 Nov 21 08:42 addnode
drwxr-xr-x 8 oracle oinstall 4096 Nov 21 08:41 apex
drwxr-xr-x 9 oracle oinstall 4096 Nov 21 08:39 assistants
drwxr-xr-x 2 oracle oinstall 4096 Nov 21 09:17 bin
drwxr-xr-x 7 oracle oinstall 4096 Nov 21 08:42 ccr
drwxr-xr-x 3 oracle oinstall 4096 Nov 21 08:42 cdata
drwxr-xr-x 5 oracle oinstall 4096 Nov 21 09:04 cfgtoollogs
drwxr-xr-x 4 oracle oinstall 4096 Nov 21 08:42 clone
drwxr-xr-x 6 oracle oinstall 4096 Nov 21 08:39 crs
drwxr-xr-x 6 oracle oinstall 4096 Nov 21 08:42 css
drwxr-xr-x 11 oracle oinstall 4096 Nov 21 08:42 ctx
drwxr-xr-x 7 oracle oinstall 4096 Nov 21 08:39 cv
drwxr-xr-x 2 oracle oinstall 4096 Dec 16 13:11 dbs
drwxr-xr-x 2 oracle oinstall 4096 Nov 21 08:42 dc_ocm
drwxr-xr-x 5 oracle oinstall 4096 Nov 21 08:45 deinstall
drwxr-xr-x 3 oracle oinstall 4096 Nov 21 08:39 demo
drwxr-xr-x 3 oracle oinstall 4096 Nov 21 08:39 diagnostics

$ ps -ef | grep ora_ (shows all of the oracle processes owned by the oracle user. The example list below has been truncated)

oracle 1786 1 0 13:11 ? 00:00:00 ora_pmon_stig
oracle 1788 1 0 13:11 ? 00:00:00 ora_psp0_stig
oracle 1790 1 1 13:11 ? 00:00:08 ora_vktm_stig
oracle 1794 1 0 13:11 ? 00:00:00 ora_gen0_stig
oracle 1796 1 0 13:11 ? 00:00:00 ora_mman_stig
oracle 1800 1 0 13:11 ? 00:00:00 ora_diag_stig
oracle 1802 1 0 13:11 ? 00:00:00 ora_dbrm_stig
oracle 1804 1 0 13:11 ? 00:00:00 ora_vkrm_stig
oracle 1806 1 0 13:11 ? 00:00:00 ora_dia0_stig
oracle 1808 1 0 13:11 ? 00:00:00 ora_dbw0_stig
oracle 1810 1 0 13:11 ? 00:00:00 ora_lgwr_stig
oracle 1812 1 0 13:11 ? 00:00:00 ora_ckpt_stig
oracle 1814 1 0 13:11 ? 00:00:00 ora_lg00_stig
oracle 1816 1 0 13:11 ? 00:00:00 ora_smon_stig
oracle 1818 1 0 13:11 ? 00:00:00 ora_lg01_stig
oracle 1820 1 0 13:11 ? 00:00:00 ora_reco_stig
oracle 1822 1 0 13:11 ? 00:00:00 ora_lreg_stig
oracle 1824 1 0 13:11 ? 00:00:00 ora_pxmn_stig
oracle 2137 2125 0 13:25 pts/1 00:00:00 grep ora_
Fix Text (F-67495r3_fix)
Create an OS account dedicated to Oracle DBMS processes, and allow only Oracle DBMS processes to run under the account.

Assign only the required external jobs to run under other than Oracle via the Scheduler.

Oracle Solaris environments can disable the "ora_dism" process which may be running as root.
Steps to disable DISM can be found here:

https://docs.oracle.com/cd/E58626_01/html/E58635/z4000a681398529.html#scrolltoc