The OS must limit privileges to change the database management system (DBMS) software resident within software libraries (including privileged programs).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-270515	SRG-APP-000133-DB-000179	O19C-00-007900	SV-270515r1065210_rule	2025-02-14	1

Description
If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

Description

If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

ℹ️ Check
Review permissions that control access to the DBMS software libraries. The software library location may be determined from vendor documentation or service/process executable paths. Typically, only the DBMS software installation/maintenance account or system administrator (SA) account requires access to the software library for operational support such as backups. Any other accounts should be scrutinized and the reason for access documented. Accounts should have the least amount of privilege required to accomplish the job. Below is one example for how to review accounts with access to software libraries for a Linux-based system: cat /etc/group \|grep -i dba --Example output: dba:x:102: --take above number and input in below grep command cat /etc/passwd \|grep 102 If any accounts are returned that are not required and authorized to have access to the software library location do have access, this is a finding.

ℹ️ Check

Review permissions that control access to the DBMS software libraries. The software library location may be determined from vendor documentation or service/process executable paths. Typically, only the DBMS software installation/maintenance account or system administrator (SA) account requires access to the software library for operational support such as backups. Any other accounts should be scrutinized and the reason for access documented. Accounts should have the least amount of privilege required to accomplish the job. Below is one example for how to review accounts with access to software libraries for a Linux-based system: cat /etc/group |grep -i dba --Example output: dba:x:102: --take above number and input in below grep command cat /etc/passwd |grep 102 If any accounts are returned that are not required and authorized to have access to the software library location do have access, this is a finding.

✔️ Fix
Restrict access to the DBMS software libraries to accounts that require access based on job function.