STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

The DBMS must restrict access to system tables and other configuration information or metadata to DBAs or other authorized users.

DISA Rule

SV-237708r667156_rule

Vulnerability Number

V-237708

Group Title

SRG-APP-000243-DB-000374

Rule Version

O121-C2-003900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Restrict accessibility of Oracle system tables and other configuration information or metadata to DBAs or other authorized users.

Check Contents

Review user privileges to system tables and configuration data stored in the Oracle database.

If non-DBA users are assigned privileges to access system tables and tables containing configuration data, this is a finding.

To obtain a list of users and roles that have been granted access to any dictionary table, run the query:
SELECT UNIQUE grantee
FROM dba_tab_privs
WHERE table_name IN (SELECT table_name FROM dictionary)
ORDER BY grantee;

To obtain a list of dictionary tables and assigned privileges granted to a specific user or role, run the query:
SELECT grantee, table_name, privilege
FROM dba_tab_privs
WHERE table_name IN (SELECT table_name FROM dictionary)
AND grantee = '<applicable account>';
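
A triage query that builds on the two checks above, as an added example that is not part of the STIG text: it summarizes dictionary-object grants per grantee and leaves out Oracle-maintained accounts and direct holders of the DBA role. It assumes Oracle Database 12c, where DBA_USERS and DBA_ROLES carry the ORACLE_MAINTAINED column; grantees that reach DBA only through nested roles still appear, and which of the remaining grantees are authorized is a site decision.

```sql
-- Added example (not from the STIG): per-grantee summary of grants on
-- dictionary objects, for deciding which grantees need a closer look.
WITH dict_grants AS (
  -- Same selection the STIG check uses: any grant whose object name
  -- matches an entry in DICTIONARY.
  SELECT p.grantee, p.table_name, p.privilege, p.grantable
  FROM   dba_tab_privs p
  WHERE  p.table_name IN (SELECT table_name FROM dictionary)
)
SELECT g.grantee,
       CASE
         WHEN g.grantee = 'PUBLIC'   THEN 'PUBLIC'
         WHEN u.username IS NOT NULL THEN 'USER'
         WHEN r.role IS NOT NULL     THEN 'ROLE'
         ELSE 'UNKNOWN'
       END                                   AS grantee_type,
       COUNT(*)                              AS dictionary_grants,
       COUNT(DISTINCT g.table_name)          AS dictionary_objects,
       -- Grants made WITH GRANT OPTION let the grantee pass access on.
       SUM(CASE WHEN g.grantable = 'YES' THEN 1 ELSE 0 END)
                                             AS with_grant_option
FROM   dict_grants g
       LEFT JOIN dba_users u ON u.username = g.grantee
       LEFT JOIN dba_roles r ON r.role     = g.grantee
       -- Assumption: Oracle-maintained accounts and roles are reviewed
       -- separately, so they are filtered out of this summary.
WHERE  NVL(u.oracle_maintained, 'N') = 'N'
AND    NVL(r.oracle_maintained, 'N') = 'N'
       -- Direct DBA role holders only; nested role grants are not resolved.
AND    g.grantee NOT IN (SELECT rp.grantee
                         FROM   dba_role_privs rp
                         WHERE  rp.granted_role = 'DBA')
GROUP  BY g.grantee, u.username, r.role
ORDER  BY dictionary_grants DESC, g.grantee;
```

PUBLIC is reported as a single summary row. For any grantee in the result, the per-account query above lists the individual tables and privileges.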

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4059
