STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The OS must limit privileges to change the DBMS software resident within software libraries (including privileged programs).

DISA Rule

SV-238481r667617_rule

Vulnerability Number

V-238481

Group Title

SRG-APP-000133-DB-000179

Rule Version

O112-OS-011200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Restrict access to the DBMS software libraries to accounts that require access based on job function.

Check Contents

Review permissions that control access to the DBMS software libraries. The software library location may be determined from vendor documentation or service/process executable paths.

DBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts, if access by them is required for some operational level of support such as backups, and the host system itself require access. Any others should be scrutinized and a reason for access provided by the DBA. If accounts that are not required and authorized to have access to the software library location do have access, this is a finding.

Check to see which users have been granted DBA. Work from a basis of least privilege. Provide the least amount of privilege required to accomplish the job.

SQL> select * from dba_role_privs where granted_role = 'DBA';

Vulnerability Number

V-238481

Documentable

False

Rule Version

O112-OS-011200

Severity Override Guidance

Review permissions that control access to the DBMS software libraries. The software library location may be determined from vendor documentation or service/process executable paths.

DBA accounts, the DBMS process account, the DBMS software installation/maintenance account, SA accounts, if access by them is required for some operational level of support such as backups, and the host system itself require access. Any others should be scrutinized and a reason for access provided by the DBA. If accounts that are not required and authorized to have access to the software library location do have access, this is a finding.

Check to see which users have been granted DBA. Work from a basis of least privilege. Provide the least amount of privilege required to accomplish the job.

SQL> select * from dba_role_privs where granted_role = 'DBA';

Check Content Reference

M

Target Key

4057

Comments