SV-219786r397846_rule
V-219786
SRG-APP-000267-DB-000163
O112-C2-020000
CAT II
10
i) For each end-user-facing application that displays DBMS-generated error messages, configure or recode it to suppress these messages.
(If the application is coded in Oracle PL/SQL, the EXCEPTION block can be used to suppress or divert error messages. Most other programming languages provide comparable facilities, such as TRY ... CATCH.)
ii) For each unauthorized user of each tool, remove the ability to access it. For each tool where access to DBMS error messages is not required and can be configured, suppress the messages. For each role/user that needs access to the error messages, or needs a tool where the messages cannot be suppressed, document the need in the system security plan.
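The following PL/SQL is an added illustration of the EXCEPTION-block approach described in fix item i); it is not part of the STIG text or of any Oracle-supplied code. It assumes hypothetical objects named APP_ERROR_LOG and APP_ERROR_LOG_SEQ for internal logging, a CUSTOMERS table in the same schema, and application-defined error numbers -20001 and -20002. The full DBMS error (code, message, backtrace) is written to a table that only DBAs can read, and the caller receives only a generic message with a reference ID for correlation.

```plsql
-- Added example, not part of the STIG text. Hypothetical objects:
-- APP_ERROR_LOG / APP_ERROR_LOG_SEQ (internal log), CUSTOMERS (same schema),
-- and application error numbers -20001 / -20002.

CREATE SEQUENCE app_error_log_seq;

-- Grant SELECT on this table to DBAs only; end users never see its contents.
CREATE TABLE app_error_log (
  log_id     NUMBER          PRIMARY KEY,
  logged_at  TIMESTAMP       DEFAULT SYSTIMESTAMP NOT NULL,
  db_user    VARCHAR2(30),
  error_code NUMBER,
  error_text VARCHAR2(4000),
  backtrace  VARCHAR2(4000)
);

-- Records the full DBMS error internally and returns a reference ID.
-- Autonomous transaction: the log row is committed even if the caller rolls back.
CREATE OR REPLACE FUNCTION log_error_internal (
  p_code  IN NUMBER,
  p_text  IN VARCHAR2,
  p_trace IN VARCHAR2
) RETURN NUMBER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
  v_id NUMBER;
BEGIN
  SELECT app_error_log_seq.NEXTVAL INTO v_id FROM dual;
  INSERT INTO app_error_log (log_id, db_user, error_code, error_text, backtrace)
  VALUES (v_id,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          p_code,
          SUBSTR(p_text, 1, 4000),
          SUBSTR(p_trace, 1, 4000));
  COMMIT;
  RETURN v_id;
END log_error_internal;
/

-- Business procedure called by the application. The EXCEPTION block keeps
-- ORA- codes, object names and SQL fragments out of what the end user sees.
CREATE OR REPLACE PROCEDURE update_customer_email (
  p_customer_id IN NUMBER,
  p_email       IN VARCHAR2
) IS
  v_ref NUMBER;
BEGIN
  UPDATE customers
     SET email = p_email
   WHERE customer_id = p_customer_id;

  IF SQL%ROWCOUNT = 0 THEN
    -- Application-defined error: already generic, safe to show.
    RAISE_APPLICATION_ERROR(-20001, 'Customer not found.');
  END IF;
EXCEPTION
  WHEN OTHERS THEN
    IF SQLCODE = -20001 THEN
      RAISE;   -- re-raise our own generic message unchanged
    END IF;
    -- Capture the real cause (for example ORA-12899 value too large for
    -- column, or ORA-00001 unique constraint violated) where only
    -- privileged readers can see it ...
    v_ref := log_error_internal(SQLCODE, SQLERRM,
                                DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
    -- ... and surface only a generic message plus a correlation reference.
    RAISE_APPLICATION_ERROR(-20002,
      'The request could not be completed. Reference ID: ' || v_ref);
END update_customer_email;
/
```

Because both units run with definer's rights (the default AUTHID DEFINER), the application's database account needs only EXECUTE on update_customer_email; it should receive no privileges on app_error_log, so the detailed record stays readable only by the DBAs who review the log. This covers fix item i) for code paths the application controls; the tool-access questions in item ii) still have to be handled by restricting the tools themselves.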
Check DBMS settings and custom database code to determine if error messages are ever displayed to unauthorized individuals:
i) Review all end-user-facing applications that use the database, to determine whether they display any DBMS-generated error messages to general users. If they do, this is a finding.
ii) Review whether the database is accessible to users who are not authorized system administrators or database administrators, via the following types of software:
iia) Oracle SQL*Plus
iib) Reporting and analysis tools
iic) Database management and/or development tools, such as, but not limited to, Toad.
iid) Application development tools, such as, but not limited to, Oracle JDeveloper, Microsoft Visual Studio, PowerBuilder, or Eclipse.
If the answer to the preceding question (ii through iid) is Yes, inquire whether, for each role or individual with respect to each tool, this access is required to enable the user(s) to perform authorized job duties. If No, this is a finding. If Yes, continue:
For each tool in use, determine whether it is capable of suppressing DBMS-generated error messages, and if it is, whether it is configured to do so.
Determine whether the role or individual, with respect to each tool, needs to see detailed DBMS-generated error messages. If No, and if the tool is not configured to suppress such messages, this is a finding. If Yes, determine whether the role/user's need to see such messages is documented in the System Security Plan. If so, this is not a finding. If not, this is a finding.
V-219786
False
O112-C2-020000
M
4057