DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle DBA is only a member of ORA_DBA and Users group'
Database administration accounts are frequently granted more permissions to the local host system than are necessary. This allows inadvertent or malicious changes to the host operating system.
Revoke all host system privileges from the DBA group accounts and DBA user accounts not required for DBMS administration. Revoke all OS group memberships that assign excessive privileges to the DBA group accounts and DBA user accounts. Remove any directly applied permissions or user rights from the DBA group accounts and DBA user accounts. You should document all DBA group accounts and individual DBA account assigned privileges in the System Security Plan.