O121-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Developer roles must not be assigned DBMS administrative privileges to production DBMS application and data directories. The separation of production DBA and developer roles helps protect the production system from unauthorized, malicious or unintentional interruption due to development activities.

Solution

Create separate DBMS host OS groups for developer and production DBAs.

Do not assign production DBA OS group membership to accounts used for development.

Remove development accounts from production DBA OS group membership.

Recommend establishing a dedicated DBMS host for production DBMS installations. A dedicated host system in this case refers to an instance of the operating system at a minimum. The operating system may reside on a virtual host machine where supported by the DBMS vendor.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V2R3_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, CCI|CCI-000366, Rule-ID|SV-219852r401224_rule, STIG-ID|O121-BP-024100, STIG-Legacy|SV-75977, STIG-Legacy|V-61487, Vuln-ID|V-219852

Plugin: Unix

Control ID: aaedaf5f37d9ff2fd9e99023017e07b6cb7fe41dfce35b0c6971c7a7cae9c778