STIGQter STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Production databases should be protected from unauthorized access by developers on shared production/development host systems.

DISA Rule

SV-24391r2_rule

Vulnerability Number

V-3820

Group Title

Production data protection on a shared system

Rule Version

DG0077-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement procedures to review and maintain privileges granted to developers on shared production and development host systems and databases.

Recommend establishing a dedicated DBMS host for production DBMS installations (See Checks DG0109 and DG0110).

A dedicated host system in this case refers to an instance of the operating system at a minimum.

The operating system may reside on a virtual host machine where supported by the DBMS vendor.

Check Contents

Review the list of instances and databases installed on the host system with the DBA.

Ask which databases are production databases and which are for development.

For UNIX systems, use the ps -ef|grep pmon command to see the list of databases; For Windows systems, review the list of services beginning with the name OracleService to see the list of databases.

Ask which databases are production databases and which are for development.

If only development or only production databases exist on this host, this check is Not a Finding.

Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system to ensure developer accounts do not have access to production DBMS systems.

If none are in place, this is a Finding.

Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources.

If they have been, this is a Finding.

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||privilege from dba_sys_privs
where (privilege like 'CREATE%' or privilege like 'ALTER%'
or privilege like 'DROP%')
and privilege<>'CREATE SESSION'
and grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW',
'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN',
'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM',
'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER',
'WMSYS','XDB')
order by grantee;

If any accounts are listed that are not on the list of IAO approved production DBAs, this is a Finding.

NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Vulnerability Number

V-3820

Documentable

True

Rule Version

DG0077-ORACLE11

Severity Override Guidance

Review the list of instances and databases installed on the host system with the DBA.

Ask which databases are production databases and which are for development.

For UNIX systems, use the ps -ef|grep pmon command to see the list of databases; For Windows systems, review the list of services beginning with the name OracleService to see the list of databases.

Ask which databases are production databases and which are for development.

If only development or only production databases exist on this host, this check is Not a Finding.

Otherwise, ask the DBA to confirm that policy and procedures are in place for the IAO to review database and operating system privileges on the system to ensure developer accounts do not have access to production DBMS systems.

If none are in place, this is a Finding.

Ask the DBA/SA if developer host accounts have been granted privileges to production database directories, files or resources.

If they have been, this is a Finding.

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||privilege from dba_sys_privs
where (privilege like 'CREATE%' or privilege like 'ALTER%'
or privilege like 'DROP%')
and privilege<>'CREATE SESSION'
and grantee not in
('ANONYMOUS','AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED','CTXSYS','DBSNMP','DIP',
'DVF','DVSYS','EXFSYS','LBACSYS','MDDATA','MDSYS','MGMT_VIEW',
'ODM','ODM_MTR','OLAPSYS','ORDPLUGINS','ORDSYS',
'OSE$HTTP$ADMIN','OUTLN','PERFSTAT','PUBLIC','REPADMIN',
'RMAN','SI_INFORMTN_SCHEMA','SYS','SYSMAN','SYSTEM',
'TRACESVR','TSMSYSWK_TEST','WKPROXY','WKSYS','WKUSER',
'WMSYS','XDB')
order by grantee;

If any accounts are listed that are not on the list of IAO approved production DBAs, this is a Finding.

NOTE: Though shared production/non-production DBMS installations was allowed under previous database STIG guidance, doing so may place it in violation of OS, Application, Network or Enclave STIG guidance. Ensure that any shared production/non-production DBMS installations meets STIG guidance requirements at all levels or mitigate any conflicts in STIG guidance with your DAA.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments