STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017: STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:SV-24534r2_rule
V-3439
Oracle system privilege assignment
DO0350-ORACLE11
CAT II
10
Document and justify system privileges assigned to users/roles in the System Security Plan and authorize with the IAO.
Remove unauthorized or unjustified system privileges from user accounts or roles.
From SQL*Plus:
revoke [privilege] from [user or role name];
Replace [privilege] with the named privilege and [user or role name] with the identified user or role.
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION'
and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'CTXSYS',
'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS',
'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE',
'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR',
'OLAPSYS', 'ORDSYS', 'OUTLN', 'MTSSYS',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'ANONYMOUS', 'CONNECT', 'DBSNMP',
'JAVADEBUGPRIV', 'ODM_MTR', 'OLAP_DBA', 'ORDPLUGINS',
'RESOURCE', 'RMAN', 'SYS', 'WKPROXY', 'AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN',
'TIMESERIES_DBA', 'TIMESERIES_DEVELOPER', 'OLAP_USER')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in
(select username from dba_users where upper(account_status) like
'%LOCKED%');
If any records are returned, perform the following instructions for this check to determine the finding status.
Review the list of active non-DBA accounts and roles granted system privileges.
Any accounts listed as authorized for checks DO0340 (Oracle application administration roles enablement) and DG0008 (Oracle object ownership) are not a Finding.
On a production database, confirm that any accounts listed with create user, alter user, drop user belong to authorized application administration roles.
On a development system, ensure that system privileges assigned to developers are justified and authorized by the IAO.
If any unauthorized, unjustified or undocumented application user roles or accounts are listed, this is a Finding.
V-3439
True
DO0350-ORACLE11
From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):
select grantee||': '||PRIVILEGE from dba_sys_privs
where privilege<>'CREATE SESSION'
and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE', 'CTXSYS',
'DBA', 'DELETE_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE',
'EXP_FULL_DATABASE', 'GATHER_SYSTEM_STATISTICS',
'HS_ADMIN_ROLE', 'IMP_FULL_DATABASE',
'LOGSTDBY_ADMINISTRATOR', 'MDSYS', 'ODM', 'OEM_MONITOR',
'OLAPSYS', 'ORDSYS', 'OUTLN', 'MTSSYS',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'ANONYMOUS', 'CONNECT', 'DBSNMP',
'JAVADEBUGPRIV', 'ODM_MTR', 'OLAP_DBA', 'ORDPLUGINS',
'RESOURCE', 'RMAN', 'SYS', 'WKPROXY', 'AURORA$JIS$UTILITY$',
'AURORA$ORB$UNAUTHENTICATED', 'OSE$HTTP$ADMIN',
'TIMESERIES_DBA', 'TIMESERIES_DEVELOPER', 'OLAP_USER')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
and grantee not in
(select username from dba_users where upper(account_status) like
'%LOCKED%');
If any records are returned, perform the following instructions for this check to determine the finding status.
Review the list of active non-DBA accounts and roles granted system privileges.
Any accounts listed as authorized for checks DO0340 (Oracle application administration roles enablement) and DG0008 (Oracle object ownership) are not a Finding.
On a production database, confirm that any accounts listed with create user, alter user, drop user belong to authorized application administration roles.
On a development system, ensure that system privileges assigned to developers are justified and authorized by the IAO.
If any unauthorized, unjustified or undocumented application user roles or accounts are listed, this is a Finding.
M
Information Assurance Officer
1367