DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'No dba account is a member of the root group'

Details

Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.


Solution

Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration.

Revoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts.

Remove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts.

Document all privileges assigned to DBA group accounts and individual DBA accounts in the System Security Plan.
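One way to run the check named in the title, 'No dba account is a member of the root group', before revoking memberships. This is an added example, not part of the original audit content. It assumes the OS DBA group is named `dba` (override with the hypothetical `DBA_GROUP` variable) and reads `group(5)` and `passwd(5)` formatted files; the sample data is constructed.

```shell
#!/bin/sh
# Assumption: the OS DBA group is named "dba"; set DBA_GROUP to override.

# members_of GROUP GROUP_FILE PASSWD_FILE: supplementary members from the group
# file plus accounts whose primary GID in the passwd file matches that group.
members_of() {
    awk -F: -v grp="$1" '
        FILENAME == ARGV[1] {                    # group(5): name:pw:gid:members
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }  # passwd(5): field 4 is primary GID
        END { for (u in seen) print u }
    ' "$2" "$3" | sort
}

# dba_in_root GROUP_FILE PASSWD_FILE
# Prints one offending account per line; prints nothing when compliant.
dba_in_root() {
    root_members=$(members_of root "$1" "$2")
    for u in $(members_of "${DBA_GROUP:-dba}" "$1" "$2"); do
        for r in $root_members; do
            if [ "$u" = "$r" ]; then echo "$u"; fi
        done
    done
}

# Constructed sample data (not from a real host): oracle is compliant,
# dbadmin is a supplementary member of root, legacy has primary GID 0.
demo=$(mktemp -d)
cat > "$demo/group" <<'EOF'
root:x:0:dbadmin
dba:x:54322:oracle,dbadmin,legacy
oinstall:x:54321:oracle
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54321::/home/oracle:/bin/bash
dbadmin:x:1001:1001::/home/dbadmin:/bin/bash
legacy:x:1002:0::/home/legacy:/bin/bash
EOF
dba_in_root "$demo/group" "$demo/passwd"   # on a live host: /etc/group /etc/passwd
rm -rf "$demo"
```

On hosts that resolve accounts through LDAP or NIS, save the output of `getent group` and `getent passwd` to files and pass those instead, since the local files will not list every member.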


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

