Title: The DBMS must support the organizational requirements for automatically monitoring, auditing, and alerting on atypical usage of accounts.
Vulnerability ID: V-32200
IA Controls: None
Description: Atypical account usage is behavior that is not part of normal usage cycles, for example, user account activity occurring after hours or on weekends.
A comprehensive account management process ensures that an audit trail exists which documents the use of application user accounts and, as required, notifies administrators and/or application owners.
Monitoring, auditing, and alerting greatly reduce the risk that compromised user accounts will continue to be used by unauthorized persons, and provide logging that can be used for forensic purposes.
Alerting on atypical usage need not be real-time. Alerts can take many forms and may include emails, pages, database flags, or others deemed appropriate by the organization, and may be generated via a centralized log repository.
Check Text: Check DBMS settings, OS settings, and/or enterprise level authentication/access mechanisms settings to determine if atypical database account usage is being automatically monitored, audited, and alerted on. Verify the type of alert is documented in the system security plan. If alert types are not documented, this is a finding.
If atypical database account usage is not being monitored, audited, and alerted on, this is a finding.
Fix Text: Configure DBMS, OS, and/or enterprise level authentication/access mechanisms to monitor, audit, and alert on atypical database account usage.
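Example (added here, not part of the STIG text): a batch check over an exported audit trail that flags after-hours and weekend account activity, the case named in the Description, for a non-real-time alert digest. The record layout, site UTC offset, business hours, and the exempt scheduled account are assumptions, and the audit rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumptions (not from the STIG): site UTC offset, business hours, and
# accounts whose documented schedule legitimately runs off-hours.
SITE_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
SCHEDULED_ACCOUNTS = {"etl_batch"}

# Constructed sample audit export: UTC timestamp, account, action, source.
SAMPLE_AUDIT = """\
2024-03-04T14:05:00Z,jsmith,LOGON,10.0.4.21
2024-03-05T07:42:00Z,jsmith,LOGON,10.0.4.21
2024-03-09T16:30:00Z,mlee,LOGON,10.0.7.3
2024-03-06T06:00:00Z,etl_batch,LOGON,10.0.1.5
2024-03-08T23:30:00Z,mlee,SELECT,10.0.7.3
not-a-timestamp,jsmith,LOGON,10.0.4.21
"""

def classify(ts_utc):
    # Judge the event in site-local time; 23:30 UTC can be a normal 18:30 locally.
    local = ts_utc.astimezone(SITE_TZ)
    if local.weekday() >= 5:                      # Saturday=5, Sunday=6
        return "weekend"
    if not BUSINESS_START <= local.time() < BUSINESS_END:
        return "after-hours"
    return None

def find_atypical(audit_text):
    """Return (alerts grouped by account, rows that could not be parsed)."""
    alerts, rejected = defaultdict(list), []
    for row in csv.reader(io.StringIO(audit_text)):
        try:
            stamp, account, action, source = row
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            rejected.append(row)  # surface unparsable rows instead of dropping them
            continue
        reason = classify(ts.replace(tzinfo=timezone.utc))
        if reason and account not in SCHEDULED_ACCOUNTS:
            alerts[account].append((stamp, action, source, reason))
    return dict(alerts), rejected

if __name__ == "__main__":
    alerts, rejected = find_atypical(SAMPLE_AUDIT)
    for account, events in sorted(alerts.items()):
        print("ALERT", account, events)
    print(len(rejected), "unparsable audit row(s) need review")
```

The exempt-account list is itself something to document in the system security plan, since any account on it is never alerted on for off-hours use.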