STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Oracle roles granted using the WITH ADMIN OPTION should not be granted to unauthorized accounts.

DISA Rule

SV-24570r2_rule

Vulnerability Number

V-2574

Group Title

Oracle roles granted WITH ADMIN OPTION

Rule Version

DO3622-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Revoke assignment of roles with the WITH ADMIN OPTION from unauthorized grantees and re-grant them without the option if required.

From SQL*Plus:

revoke [role name] from [grantee];
grant [role name] to [grantee];

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized role assignments with the WITH ADMIN OPTION in the System Security Plan.

Check Contents

From SQL*Plus (NOTE: the owner list below is only a partial list of the possible default Oracle accounts):

select grantee||': '||granted_role from dba_role_privs
where grantee not in
('DBA', 'SYS', 'SYSTEM', 'WKSYS', 'LBACSYS',
'WMSYS', 'OWBSYS', 'CTXSYS',
'SPATIAL_CSW_ADMIN_USR',
'SPATIAL_WFS_ADMIN_USR',
'FLOWS_030000')
and admin_option = 'YES'
and grantee not in
(select distinct owner from dba_objects)
and grantee not in
(select grantee from dba_role_privs
where granted_role = 'DBA')
order by grantee;

Review the System Security Plan to confirm any grantees listed are IAO-authorized DBA accounts or application administration roles.

If any grantees listed are not authorized and documented, this is a Finding.
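The following is an added example, not part of the STIG text, that ties the check above to the fix: it generates the revoke/re-grant statements directly from the check's own result set, applies them to one hypothetical undocumented grantee (APP_ADMIN holding CONNECT WITH ADMIN OPTION; both names are assumed), and re-runs the check for that grantee to confirm the finding is closed.

```sql
-- Added example (not from the STIG). Hypothetical grantee APP_ADMIN holds
-- CONNECT WITH ADMIN OPTION and is not documented in the System Security Plan.

-- 1. Generate corrective statements from the same result set the check produces,
--    keeping the STIG's exclusions for default accounts, object owners and DBAs.
select 'revoke '||granted_role||' from '||grantee||';' as revoke_stmt,
       'grant '||granted_role||' to '||grantee||';'    as regrant_stmt
  from dba_role_privs
 where admin_option = 'YES'
   and grantee not in ('DBA', 'SYS', 'SYSTEM', 'WKSYS', 'LBACSYS', 'WMSYS', 'OWBSYS',
                       'CTXSYS', 'SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR',
                       'FLOWS_030000')
   and grantee not in (select distinct owner from dba_objects)
   and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
 order by grantee;

-- 2. Apply the pair for the unauthorized grantee. The revoke is required first:
--    Oracle does not clear an existing ADMIN OPTION on a plain re-grant.
revoke CONNECT from APP_ADMIN;
grant CONNECT to APP_ADMIN;

-- 3. Verify: the role must still be present, but with admin_option = 'NO'.
select grantee, granted_role, admin_option
  from dba_role_privs
 where grantee = 'APP_ADMIN'
   and granted_role = 'CONNECT';
```

Step 1 only lists the statements; review each grantee against the System Security Plan before running step 2, since authorized administrators documented there are not findings.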

Documentable

True

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments