4 Replies Latest reply: Jul 25, 2014 3:22 AM by MariaKarpa(MK)

    PCI DSS Audit Compliance

      Hi all,

      11g2
      aix

      The IT audit required that SYS and SYSTEM are to be vaulted and not be used anymore. She required me to create db users "mariakarpa1" and "mariakarpa2" as the counterparts of SYS and SYSTEM.

      Is this requirement possible, viable and doable?

      Thanks all,

      mk

        • 1. Re: PCI DSS Audit Compliance
          JudWilliford

          When your auditor used the term "vaulted", they were talking about taking measures so that these accounts are not available for use except under circumstances when no other account will work. Oracle offers a product, Oracle Privileged Account Manager (OPAM), that will vault privileged accounts for DB and OS, and provide access management and traceability when they are used.

          Without a solution like OPAM, you will have to lock up the SYS and SYSTEM accounts manually. Then, you certainly can create individual DBA accounts that have the necessary privileges to do most every type of admin activity, and you can name them so that you have audit traceability to know who did what. You can give an individual account most all the privileges of SYSTEM with the DBA role. You can give an individual account most all the privileges of the SYS account with the combination of the DBA role and the SYSDBA privilege. You will need to check out the SYS account from its vaulted state in some situations, such as when you need to create that PASSWORD_VERIFY_FUNCTION...!

          • 2. Re: PCI DSS Audit Compliance

            Thanks Jud,

            Yeah, that is really the requirement: to lock & expire the SYS and SYSTEM accounts.

            Then I will create "mariakarpa1" and grant dba, sysdba, sysoper to it.
            Then I will create "mariakarpa2" and grant dba to it.

            Is that all I need? How about our RMAN backup/restore, Data Guard broker, and physical standby? Can I manage them with the new sysdba account "mariakarpa1"?

            Thanks.

            • 3. Re: PCI DSS Audit Compliance
              Harm Joris ten Napel-Oracle

              Hi,

              You can't lock SYS because it is externally authenticated; you can, however, stop remote sysdba logon by creating a password file with nosysdba=y.

              Also, if a user has been granted sysdba, that means an entry in the password file (v$pwfile_users) only, so that user can log on using her own username and password; when connected, the effective user will still be SYS.

              Greetings,

              Harm ten Napel
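To make Harm's point concrete (an added example written for this thread, not Oracle's or the poster's code): the password-file entries are the only trace of a SYSDBA grant, a session opened AS SYSDBA runs as SYS no matter which named account authenticated, so per-person traceability for SYS work has to come from auditing rather than from the session user. The account name and the connect string are assumptions.

```sql
-- Added example (not from the thread): what a SYSDBA grant really is on 11gR2,
-- and how to keep SYS activity auditable. Account name and connect string are
-- placeholders for this example.

-- 1. A SYSDBA/SYSOPER grant lives only in the password file. This view is the
--    whole record of who may authenticate "as sysdba" with their own password.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 2. Connect with the named account and look at who the session runs as.
--    (SQL*Plus)  CONNECT mariakarpa1/<password>@ORCL AS SYSDBA
--    SESSION_USER comes back as SYS: the named account only authenticated,
--    the effective user is still SYS. The other columns identify the person
--    and client, which is the information an audit record needs.
SELECT sys_context('USERENV', 'SESSION_USER') AS session_user,   -- SYS
       sys_context('USERENV', 'OS_USER')      AS os_user,
       sys_context('USERENV', 'IP_ADDRESS')   AS client_ip
  FROM dual;

-- 3. Record every statement issued in SYS / AS SYSDBA sessions in the OS audit
--    trail (audit_file_dest on AIX). The parameter is static: it takes effect
--    after the instance is restarted.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
SHOW PARAMETER audit_file_dest;

-- 4. Revoking SYSDBA from an account that no longer needs it also removes
--    its password-file entry, so step 1 stays an accurate inventory.
-- REVOKE SYSDBA FROM <account_no_longer_needing_it>;
```

With audit_sys_operations on, the OS-level audit files are what the IT security officer reviews to see SYS usage; protecting that directory from the DBA accounts being audited is an OS-side task outside the database.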

              • 4. Re: PCI DSS Audit Compliance

                I thank you all.

                So only the SYSTEM account can be locked, and not SYS?

                Anyway, I will just lock/expire the SYSTEM user and inform the IT security officer that SYS cannot be locked. Anyway, he can audit whether I am using SYS because it is logged when used.

                So are these processes correct:

                A. Create a user that acts as SYS.
                ========================
                connect / as sysdba
                create user mariakarpa1 identified by manager;
                grant sysdba to mariakarpa1;
                grant dba to mariakarpa1;
                grant sysoper to mariakarpa1;

                B. Create a user that acts as SYSTEM.
                ============================
                connect / as sysdba
                alter user SYSTEM password expire account lock;  -- "account expire lock" is not valid ALTER USER syntax
                create user mariakarpa2 identified by manager;
                grant dba to mariakarpa2;

                Did I miss anything?

                Is that all I need? How about our RMAN backup/restore, Data Guard broker, and physical standby? Can I manage them with the new sysdba account "mariakarpa1"?

                Thanks all,

                mk