V-270501
Oracle Database 19c Security Technical Implementation Guide
Title
Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action.
Description
Nonrepudiation of actions taken is required to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Nonrepudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a mess...
Fix Text (Documentation Requirement)
Use accounts assigned to individual users. Configure DBMS to provide individual accountability at the DBMS level, and in audit logs, for actions performed under a shared database account. Modify applications and data tables that are not capturing individual user identity to do so. Create and enforce the use of individual user IDs for logging on to Oracle tools and third-party products.
If Oracle auditing is not already enabled, enable it.
If Standard Auditing is used: If Oracle (or third-party) auditing is not already enabled, enable it. For Oracle auditing, use this statement:
    ALTER SYSTEM SET AUDIT_TRAIL=<audit trail type> SID='*' SCOPE=SPFILE;
Audit trail type can be 'OS', 'DB', 'DB,EXTENDED', 'XML' or 'XML,EXTENDED'. After executing this statement, it may be necessary to shut down a...
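One way to meet the shared-account requirements above, shown as an added example that is not part of the STIG text: the application tags each session with the end user's identity, a trigger writes that identity into the data table, and a review query surfaces shared-account audit records with no individual attached. The account APP_SHARED, the table APP_SHARED.ORDERS, the user 'jsmith' and the trigger name are hypothetical, and Standard Auditing with a database audit trail is assumed.

```sql
-- Assumed names (not from the STIG): shared account APP_SHARED, table
-- APP_SHARED.ORDERS, end user 'jsmith'. Assumes Standard Auditing with
-- AUDIT_TRAIL set to DB or DB,EXTENDED so records land in DBA_AUDIT_TRAIL.

-- 1. Confirm the audit trail setting currently in effect.
SELECT value FROM v$parameter WHERE name = 'audit_trail';

-- 2. Application side: after connecting as APP_SHARED, tag the session with
--    the authenticated end user before doing any work.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/

-- 3. Data table side: record the individual on every insert or update.
ALTER TABLE app_shared.orders
  ADD (changed_by VARCHAR2(64), changed_at TIMESTAMP);

CREATE OR REPLACE TRIGGER app_shared.orders_who_trg
BEFORE INSERT OR UPDATE ON app_shared.orders
FOR EACH ROW
DECLARE
  v_client VARCHAR2(64) := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');
BEGIN
  -- Refuse changes from the shared account when no individual is attached.
  IF v_client IS NULL
     AND SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_SHARED' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Shared account session has no client identifier set');
  END IF;
  :NEW.changed_by := NVL(v_client, SYS_CONTEXT('USERENV', 'SESSION_USER'));
  :NEW.changed_at := SYSTIMESTAMP;
END;
/

-- 4. Audit DML on the table so each action is written to the audit trail.
AUDIT INSERT, UPDATE, DELETE ON app_shared.orders BY ACCESS;

-- 5. Review: audited shared-account actions that cannot be tied to a person.
SELECT username, os_username, userhost, action_name, obj_name,
       extended_timestamp
FROM   dba_audit_trail
WHERE  username = 'APP_SHARED'
AND    client_id IS NULL
ORDER  BY extended_timestamp;
```

The client identifier is whatever the application sets, so it is only as trustworthy as the application's own authentication of the end user. Rows returned by the last query are the actions a shared-account user could later deny.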