Detections
Analytics

O19C-00-001700 - Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action.

Information

Nonrepudiation of actions taken is required to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message.

Nonrepudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document.

Authentication via shared accounts does not provide individual accountability for actions taken on the database management system (DBMS) or data. Whenever a single database account is used to connect to the database, a secondary authentication method that provides individual accountability is required. This scenario most frequently occurs when an externally hosted application authenticates individual users to the application and the application uses a single account to retrieve or update database information on behalf of the individual users.

When shared accounts are used without another means of identifying individual users, users may deny having performed a particular action.

This calls for inspection of application source code, which requires collaboration with the application developers. In many cases, the database administrator (DBA) is organizationally separate from the application developers and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the database administrator (DBA) must attempt to obtain assurances from the development organization that this issue has been addressed and must document what has been discovered.

Satisfies: SRG-APP-000080-DB-000063, SRG-APP-000815-DB-000160

Solution

Use accounts assigned to individual users. Configure DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account.

Modify applications and data tables that are not capturing individual user identity to do so.

Create and enforce the use of individual user IDs for logging on to Oracle tools and third-party products.

If Oracle auditing is not already enabled, enable it.

If Standard Auditing is used:
If Oracle (or third-party) auditing is not already enabled, enable it. For Oracle auditing, use this query:

ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SCOPE=SPFILE;

Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'.

After executing this statement, it may be necessary to shut down and restart the Oracle database.

If Unified Auditing is used:
Link the oracle binary with uniaud_on, and then restart the database. Oracle Database Upgrade Guide describes how to enable unified auditing.

For more information on the configuration of auditing, refer to the following documents:

"Auditing Database Activity" in the Oracle Database 19c Security Guide:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/index.html

"Monitoring Database Activity with Auditing" in the Oracle Database Security Guide:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/index.html

"DBMS_AUDIT_MGMT" in the Oracle Database PL/SQL Packages and Types Reference:
https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/

Oracle Database Upgrade Guide:
https://docs.oracle.com/en/database/oracle/oracle-database/19/upgrd/index.html

If the site-specific audit requirements are not covered by the default audit options, deploy and configure Fine-Grained Auditing. For details, refer to Oracle documentation at the locations above.

If this level of auditing does not meet site-specific requirements, consider deploying the Oracle Audit Vault. The Audit Vault is a highly configurable option from Oracle made specifically for performing the audit functions. It has reporting capabilities as well as user-defined rules that provide additional flexibility for complex auditing requirements.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_19c_V1R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-10, CAT|III, CCI|CCI-000166, CCI|CCI-004045, Rule-ID|SV-270501r1064781_rule, STIG-ID|O19C-00-001700, Vuln-ID|V-270501

Plugin: OracleDB

Control ID: 69245240700169afcf31edb7e27f498ac17b7f498a3d5dd64867050bafc78685