STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Database applications should be restricted from using static DDL statements to modify the application schema.

DISA Rule

SV-24355r2_rule

Vulnerability Number

V-3727

Group Title

Database applications use DDL statements to modify

Rule Version

DG0015-ORACLE11

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Document known object creation that supports dynamic object assignment in the System Security Plan and authorize with the IAO.

Coordinate with the application designer to modify the application to use static objects with temporary data rather than using temporary objects.

You may use the following code to periodically monitor for recently created objects:

select created, owner, object_name, object_type
from dba_objects
where owner not in
('SYS', 'SYSTEM', 'ORDSYS', 'XDB', 'OLAPSYS', 'ODM')
and object_type <> 'SYNONYM'
and created >= sysdate-30 -- Lists objects created within last 30 days
order by created, owner, object_name;

Check Contents

If the database being reviewed is not a production database, this check is Not a Finding.

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):

select created, owner, object_name, object_type
from dba_objects
where owner not in
('SYS', 'SYSTEM', 'ORDSYS', 'XDB', 'OLAPSYS', 'ODM')
and object_type <> 'SYNONYM'
order by created, owner, object_name;

View the list of objects returned.

If any object-creation dates do not coincide with the software maintenance and upgrade logs or are not objects documented as supporting dynamic object creation functions, then investigate the circumstances under which the object was created.

If the object is created using static definitions to store temporary data or indicates that the application uses unauthorized DDL statements, this is a Finding.
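The check above ends with a manual review: each object's creation date is compared against the maintenance and upgrade logs, and anything not explained by those logs or by the System Security Plan's list of documented dynamic objects is investigated. The following script is an added example (not part of the STIG or of STIGQter) that automates that triage over the rows the check query returns, and also applies the 30-day window from the fix recommendation's periodic monitor. The sample rows, the maintenance windows and the documented-dynamic list are all constructed for illustration; in practice the rows would come from the query against dba_objects and the windows from the site's change records.

```python
from datetime import datetime
from typing import List, NamedTuple, Set, Tuple

# Constructed sample rows in the shape the check query returns:
# (created, owner, object_name, object_type). Not real query output.
SAMPLE_ROWS = [
    ("2017-06-02 22:15:00", "APPOWNER", "ORDERS", "TABLE"),
    ("2017-06-02 22:17:00", "APPOWNER", "ORDERS_PK", "INDEX"),
    ("2017-06-20 10:41:00", "APPOWNER", "TMP_REPORT_4471", "TABLE"),
    ("2017-06-21 03:05:00", "BATCH", "STAGE_LOAD", "TABLE"),
]

# Constructed maintenance/upgrade windows (start, end), assumed to be taken
# from the software maintenance and upgrade logs the check refers to.
MAINTENANCE_WINDOWS = [
    (datetime(2017, 6, 2, 22, 0), datetime(2017, 6, 3, 0, 0)),
]

# Constructed set of (owner, object_name) pairs documented in the System
# Security Plan as supporting dynamic object creation (per the fix text).
DOCUMENTED_DYNAMIC = {("BATCH", "STAGE_LOAD")}


class ObjectRow(NamedTuple):
    created: datetime
    owner: str
    object_name: str
    object_type: str


def parse_rows(rows) -> List[ObjectRow]:
    """Turn raw (created, owner, name, type) tuples into typed rows."""
    return [
        ObjectRow(datetime.strptime(created, "%Y-%m-%d %H:%M:%S"), owner, name, otype)
        for created, owner, name, otype in rows
    ]


def in_maintenance_window(ts: datetime, windows) -> bool:
    """True when the timestamp falls inside a logged maintenance window."""
    return any(start <= ts <= end for start, end in windows)


def classify(row: ObjectRow, windows, documented: Set[Tuple[str, str]]) -> str:
    """Apply the check's decision order: maintenance log first, then the
    SSP's documented dynamic objects, otherwise the object needs investigation."""
    if in_maintenance_window(row.created, windows):
        return "maintenance"
    if (row.owner, row.object_name) in documented:
        return "documented-dynamic"
    return "investigate"


def review(rows, windows, documented, since: datetime = None):
    """Return (row, verdict) pairs. When `since` is given, only objects created
    at or after it are considered, mirroring the fix recommendation's
    'created >= sysdate-30' periodic monitor."""
    results = []
    for row in parse_rows(rows):
        if since is not None and row.created < since:
            continue
        results.append((row, classify(row, windows, documented)))
    return results


def findings(rows, windows, documented, since: datetime = None) -> List[ObjectRow]:
    """Objects whose creation is explained by neither source; each one is a
    candidate for the 'investigate the circumstances' step of the check."""
    return [row for row, verdict in review(rows, windows, documented, since)
            if verdict == "investigate"]


if __name__ == "__main__":
    for row, verdict in review(SAMPLE_ROWS, MAINTENANCE_WINDOWS, DOCUMENTED_DYNAMIC):
        print(f"{row.created:%Y-%m-%d %H:%M} {row.owner:<10} {row.object_name:<18} "
              f"{row.object_type:<6} -> {verdict}")
```

An "investigate" verdict is not itself a Finding: per the check, the reviewer still has to establish whether the object stores temporary data under a static definition or was created by unauthorized application DDL. Feeding the same rows with a `since` value 30 days back gives the periodic monitor described in the fix recommendation.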

Vulnerability Number

V-3727

Documentable

True

Rule Version

DG0015-ORACLE11

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1367

Comments