Requirement 2.1


OIA
02-14-2008, 08:38 AM
Need help!

For PCI compliance, we installed an IBM logging solution (TCIM) and apparently during installation we accepted the vendor default accounts. The vendor stated the following:

"The OS and Oracle cearoot accounts are created during installation. These account names are provided as defaults when the user installing the software does not provide a customized username for Windows or Oracle.

The Windows cearoot account can be renamed. Unfortunately, the Oracle cearoot account cannot be changed due to software restrictions."

The servers are on the backend behind the firewall, but nonetheless, we are stuck with a vendor-default account for the database. Does anyone have any suggestions for compensating controls that we could use in order to be compliant?

lyalc
02-14-2008, 12:14 PM
Generally, it is sufficient to determine that the default or vendor supplied password has been changed to a value unique to the installation.

If these accounts don't have passwords, you have bigger issues with the product as it would appear insecure by design.

Other things to consider: are these accounts blocked from interactive/shell login permission and, say, network address filtering, etc., as possible compensating controls?

lyalc
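The checks and controls suggested in the reply above, worked through as Oracle SQL. This is an added example, not part of the thread and not vendor (IBM/TCIM) or Oracle-documented guidance for this product: it assumes the Oracle account is named `cearoot` as stated in the question, assumes an Oracle release that provides the `DBA_USERS_WITH_DEFPWD` view (11g or later; the thread does not say which release is in use), and uses a constructed application-host address and a hypothetical profile and trigger name.

```sql
-- 1. Evidence that the vendor-default password has been changed.
--    DBA_USERS_WITH_DEFPWD (Oracle 11g+) lists accounts whose current
--    password matches a known default; an empty result for CEAROOT is
--    the finding an assessor can be shown.
SELECT username
  FROM dba_users_with_defpwd
 WHERE username = 'CEAROOT';

-- Current status of the account (open/locked/expired) and which
-- password profile governs it.
SELECT username, account_status, profile, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'CEAROOT';

-- 2. Set a password unique to this installation (the account name
--    cannot change, but its credential can).
ALTER USER cearoot IDENTIFIED BY "<unique-passphrase-for-this-install>";

-- 3. Password-parameter profile. The limits below mirror the PCI DSS
--    8.5 password rules (90-day rotation, no reuse of the last 4,
--    6 failed attempts, 30-minute lockout). Profile name is hypothetical.
CREATE PROFILE cearoot_profile LIMIT
  PASSWORD_LIFE_TIME     90
  PASSWORD_REUSE_MAX     4
  PASSWORD_REUSE_TIME    UNLIMITED
  FAILED_LOGIN_ATTEMPTS  6
  PASSWORD_LOCK_TIME     1/48;   -- 1/48 of a day = 30 minutes

ALTER USER cearoot PROFILE cearoot_profile;

-- 4. Network address filtering at the database layer: only the TCIM
--    application host may use the account. 10.0.0.5 is a constructed
--    address; replace it with the real application server.
--    NVL handles local (bequeath) sessions, where IP_ADDRESS is NULL
--    and a plain NOT IN would silently evaluate to unknown.
CREATE OR REPLACE TRIGGER cearoot_logon_restrict
  AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'CEAROOT'
     AND NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'LOCAL') NOT IN ('10.0.0.5')
  THEN
    RAISE_APPLICATION_ERROR(-20001,
      'cearoot may only connect from the TCIM application host');
  END IF;
END;
/

-- 5. Audit every session the account opens, so use of the vendor
--    account is logged and reviewable (requires AUDIT_TRAIL to be
--    enabled in the instance).
AUDIT SESSION BY cearoot;
```

Two points to note when applying this: a logon trigger that raises an error does not block users holding the ADMINISTER DATABASE TRIGGER privilege, so it is a control on the application account, not on DBAs; and the `TCP.VALIDNODE_CHECKING` / `TCP.INVITED_NODES` settings in `sqlnet.ora` provide the same address restriction for the whole listener if a per-account trigger is not wanted.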

craiggers
02-24-2008, 03:17 AM
Who has access to this logging server? Is it on a management VLAN? If you provide me with more details it should be possible to create a compensating control.