STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Application object owner accounts must be disabled when not performing installation or maintenance actions.

DISA Rule

SV-219723r401224_rule

Vulnerability Number

V-219723

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-BP-024000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable any application object owner accounts.

From SQL*Plus:
alter user [username] account lock;

Enable application object owner accounts only for installation and maintenance.

DBA are special purpose accounts and do not require disabling although they may own objects.

For application objects that require routine maintenance, e.g. index objects, to maintain performance, consider allowing a special purpose account to own the index or enable the application owner account for the duration of the routine maintenance function only.

Check Contents

Run the SQL query:

select distinct o.owner from dba_objects o, dba_users u
where o.owner not in
(
<list of non-applicable accounts>
)
and o.object_type <> 'SYNONYM'
and o.owner = username
and upper(account_status) not like '%LOCKED%';

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

To obtain a list of users assigned DBA privileges, run the query:

select grantee from dba_role_privs where granted_role = ’DBA’;

If any records are returned, then verify the account is an authorized application object owner account or a default account installed to support an Oracle product.

Verify that any objects owned by custom DBA accounts are for the personal use of that DBA.

If any objects are used to support applications or any functions other than DBA functions, this is a Finding.

Any unauthorized object owner accounts are not a finding under this check as they are noted as findings under check O112-C2-011000.

Any other accounts listed are a Finding.

Vulnerability Number

V-219723

Documentable

False

Rule Version

O112-BP-024000

Severity Override Guidance

Run the SQL query:

select distinct o.owner from dba_objects o, dba_users u
where o.owner not in
(
<list of non-applicable accounts>
)
and o.object_type <> 'SYNONYM'
and o.owner = username
and upper(account_status) not like '%LOCKED%';

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

To obtain a list of users assigned DBA privileges, run the query:

select grantee from dba_role_privs where granted_role = ’DBA’;

If any records are returned, then verify the account is an authorized application object owner account or a default account installed to support an Oracle product.

Verify that any objects owned by custom DBA accounts are for the personal use of that DBA.

If any objects are used to support applications or any functions other than DBA functions, this is a Finding.

Any unauthorized object owner accounts are not a finding under this check as they are noted as findings under check O112-C2-011000.

Any other accounts listed are a Finding.

Check Content Reference

M

Target Key

4057

Comments