STIGQter STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The DBMS must enforce approved authorizations for logical access to the system in accordance with applicable policy.

DISA Rule

SV-220266r395499_rule

Vulnerability Number

V-220266

Group Title

SRG-APP-000033-DB-000084

Rule Version

O121-C2-002700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If Oracle Database Vault is in use, use it to configure the correct access privileges for each type of user.

If Oracle Database Vault is not in use, configure the correct access privileges for each type of user using Roles and Profiles.

For more information on the configuration of Database Vault, refer to the following documents:
Database Vault Administrator's Guide:
https://docs.oracle.com/database/121/DVADM/toc.htm

Check Contents

Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

The easiest way to isolate access is by using the Oracle Database Vault. To check to see if the Oracle Database Vault is installed, issue the following query:

SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is installed, review its settings for appropriateness and completeness of the access it permits and denies to each type of user. If appropriate and complete, this is not a finding.

If Oracle Database Vault is not installed, review the roles and profiles in the database and the assignment of users to these for appropriateness and completeness of the access permitted and denied each type of user. If appropriate and complete, this is not a finding.

If the access permitted and denied each type of user is inappropriate or incomplete, this is a finding.

Following are code examples for reviewing roles, profiles, etc.

Find out what role the users have:
select * from dba_role_privs where granted_role = '<role>'

List all roles given to a user:
select * from dba_role_privs where grantee = '<username>';

List all roles for all users:
column grantee format a32
column granted_role format a32
break on grantee
select grantee, granted_role from dba_role_privs;

Use the following query to list all privileges given to a user:
select
lpad(' ', 2*level) || granted_role "User roles and privileges"
from
(
/* THE USERS */
select
null grantee,
username granted_role
from
dba_users
where
username like upper('<enter_username>')
/* THE ROLES TO ROLES RELATIONS */
union
select
grantee,
granted_role
from
dba_role_privs
/* THE ROLES TO PRIVILEGE RELATIONS */
union
select
grantee,
privilege
from
dba_sys_privs
)
start with grantee is null
connect by grantee = prior granted_role;

List which tables a certain role gives SELECT access to using the query:
select * from role_tab_privs where role='<role>' and privilege = 'SELECT';

List all tables a user can SELECT from using the query:
select * from dba_tab_privs where GRANTEE ='<username>' and privilege = 'SELECT';

List all users who can SELECT on a particular table (either through being given a relevant role or through a direct grant - e.g., grant select on a table to Joe). The result of this query should also show through which role the user has this access or whether it was a direct grant.

select
Grantee,'Granted Through Role' as Grant_Type,
role,
table_name
from role_tab_privs rtp, dba_role_privs drp
where rtp.role = drp.granted_role
and table_name = '<TABLENAME>'
union
select
Grantee,
'Direct Grant' as Grant_type,
null as role,
table_name
from dba_tab_privs
where table_name = '<TABLENAME>';

Vulnerability Number

V-220266

Documentable

False

Rule Version

O121-C2-002700

Severity Override Guidance

Check DBMS settings to determine whether users are restricted from accessing objects and data they are not authorized to access. If appropriate access controls are not implemented to restrict access to authorized users and to restrict the access of those users to objects and data they are authorized to see, this is a finding.

The easiest way to isolate access is by using the Oracle Database Vault. To check to see if the Oracle Database Vault is installed, issue the following query:

SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is installed, review its settings for appropriateness and completeness of the access it permits and denies to each type of user. If appropriate and complete, this is not a finding.

If Oracle Database Vault is not installed, review the roles and profiles in the database and the assignment of users to these for appropriateness and completeness of the access permitted and denied each type of user. If appropriate and complete, this is not a finding.

If the access permitted and denied each type of user is inappropriate or incomplete, this is a finding.

Following are code examples for reviewing roles, profiles, etc.

Find out what role the users have:
select * from dba_role_privs where granted_role = '<role>'

List all roles given to a user:
select * from dba_role_privs where grantee = '<username>';

List all roles for all users:
column grantee format a32
column granted_role format a32
break on grantee
select grantee, granted_role from dba_role_privs;

Use the following query to list all privileges given to a user:
select
lpad(' ', 2*level) || granted_role "User roles and privileges"
from
(
/* THE USERS */
select
null grantee,
username granted_role
from
dba_users
where
username like upper('<enter_username>')
/* THE ROLES TO ROLES RELATIONS */
union
select
grantee,
granted_role
from
dba_role_privs
/* THE ROLES TO PRIVILEGE RELATIONS */
union
select
grantee,
privilege
from
dba_sys_privs
)
start with grantee is null
connect by grantee = prior granted_role;

List which tables a certain role gives SELECT access to using the query:
select * from role_tab_privs where role='<role>' and privilege = 'SELECT';

List all tables a user can SELECT from using the query:
select * from dba_tab_privs where GRANTEE ='<username>' and privilege = 'SELECT';

List all users who can SELECT on a particular table (either through being given a relevant role or through a direct grant - e.g., grant select on a table to Joe). The result of this query should also show through which role the user has this access or whether it was a direct grant.

select
Grantee,'Granted Through Role' as Grant_Type,
role,
table_name
from role_tab_privs rtp, dba_role_privs drp
where rtp.role = drp.granted_role
and table_name = '<TABLENAME>'
union
select
Grantee,
'Direct Grant' as Grant_type,
null as role,
table_name
from dba_tab_privs
where table_name = '<TABLENAME>';

Check Content Reference

M

Target Key

4059

Comments