STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Administrative privileges must be assigned to database accounts via database roles.

DISA Rule

SV-238444r667506_rule

Vulnerability Number

V-238444

Group Title

SRG-APP-000133-DB-000362

Rule Version

O112-C2-004000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create roles for administrative function assignments. Assign the necessary privileges for the administrative functions to a role.
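The fix recommendation above, carried through as an added SQL example (it is not part of the STIG text; the role APP_DBA_ROLE, the account JSMITH and the three privileges chosen are hypothetical). It moves an account's directly granted system privileges onto a role, generates REVOKE statements for whatever direct grants remain on non-Oracle accounts using the same exclusion list as the check below, and then verifies that the privileges reach the account only through the role:

```sql
-- Added example, not STIG text. Role, account and privilege names are
-- hypothetical; substitute the ones found by the check query. Run as SYSDBA.

-- 1. Create a role that carries the administrative function.
CREATE ROLE app_dba_role;

-- 2. Put the system privileges the account currently holds directly onto
--    the role instead (DBA_SYS_PRIVS shows which ones those are).
GRANT CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE TO app_dba_role;

-- 3. Grant the role to the account, then revoke the direct grants.
GRANT app_dba_role TO jsmith;
REVOKE CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE FROM jsmith;

-- 4. Generate REVOKE statements for any direct system privilege still held
--    by a non-Oracle account (same exclusion list as the check). Review the
--    output before executing it; it is the same population the check flags.
SELECT 'REVOKE ' || privilege || ' FROM ' || grantee || ';' AS revoke_stmt
FROM dba_sys_privs
WHERE grantee IN
(
SELECT username
FROM dba_users
WHERE username NOT IN
(
'XDB', 'SYSTEM', 'SYS', 'LBACSYS',
'DVSYS', 'DVF', 'SYSMAN_RO',
'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',
'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',
'SYSMAN', 'APEX_040200', 'WMSYS',
'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',
'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',
'OLAPSYS', 'SI_INFORMTN_SCHEMA',
'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',
'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',
'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',
'DIP', 'CTXSYS', 'AUDSYS',
'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',
'SPATIAL_CSW_ADMIN_USR', 'SYSKM',
'SYSMAN_TYPES', 'MGMT_VIEW',
'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'
)
)
AND privilege NOT IN ('UNLIMITED TABLESPACE')
ORDER BY grantee, privilege;

-- 5. Confirm the account now receives the privileges only via the role:
--    every row here is a privilege reaching JSMITH through APP_DBA_ROLE,
--    and the check query above should no longer list JSMITH at all.
SELECT rp.grantee, rp.granted_role, sp.privilege, sp.admin_option
FROM dba_role_privs rp
JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
WHERE rp.grantee = 'JSMITH'
ORDER BY 1, 2, 3;
```

One caveat before revoking: privileges obtained through a role are not in effect inside definer's-rights PL/SQL units (procedures, packages, triggers). An account whose stored code relied on a direct CREATE ANY TABLE or similar grant will start failing with ORA-01031 after the move, so such cases need either a redesign of the code or a documented exception rather than a silent direct grant.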

Check Contents

Review accounts for direct assignment of administrative privilege. Connected as SYSDBA, run the query:

SELECT grantee, privilege
FROM dba_sys_privs
WHERE grantee IN
(
SELECT username
FROM dba_users
WHERE username NOT IN
(
'XDB', 'SYSTEM', 'SYS', 'LBACSYS',
'DVSYS', 'DVF', 'SYSMAN_RO',
'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',
'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',
'SYSMAN', 'APEX_040200', 'WMSYS',
'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',
'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',
'OLAPSYS', 'SI_INFORMTN_SCHEMA',
'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',
'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',
'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',
'DIP', 'CTXSYS', 'AUDSYS',
'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',
'SPATIAL_CSW_ADMIN_USR', 'SYSKM',
'SYSMAN_TYPES', 'MGMT_VIEW',
'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'
)
)
AND privilege NOT IN ('UNLIMITED TABLESPACE')
ORDER BY 1, 2;

If any administrative privileges have been assigned directly to a database account, this is a finding. Note that the query treats every system privilege in DBA_SYS_PRIVS other than UNLIMITED TABLESPACE as administrative, and that it only reports grantees that are user accounts (roles are not in DBA_USERS), so a privilege that reaches an account through a role is not listed.

(The list of special accounts that are excluded from this requirement may not be complete. It is expected that the DBA will edit the list to suit local circumstances, adding other special accounts as necessary, and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

Documentable

False

Severity Override Guidance

(Identical to the Check Contents above.)

Check Content Reference

M

Target Key

4057

Comments