SV-219712r401224_rule
V-219712
SRG-APP-000516-DB-000363
O112-BP-022900
CAT II
10
For each role assignment returned, issue:
From SQL*Plus:
alter user [username] default role all except [role];
If the user has more than one application administration role assigned, then you will have to remove assigned roles from default assignment and assign individually the appropriate default roles.
Run the SQL query:
select grantee, granted_role from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
(<list of non-applicable accounts>)
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like '%LOCKED%');
(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)
Review the list of accounts reported for this check and ensure that they are authorized application administration roles.
If any are not authorized application administration roles, this is a Finding.
V-219712
False
O112-BP-022900
Run the SQL query:
select grantee, granted_role from dba_role_privs
where default_role='YES'
and granted_role in
(select grantee from dba_sys_privs where upper(privilege) like '%USER%')
and grantee not in
(<list of non-applicable accounts>)
and grantee not in (select distinct owner from dba_tables)
and grantee not in
(select distinct username from dba_users where upper(account_status) like '%LOCKED%');
(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)
Review the list of accounts reported for this check and ensure that they are authorized application administration roles.
If any are not authorized application administration roles, this is a Finding.
M
4057