STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017

Object permissions granted to PUBLIC should be restricted.

DISA Rule

SV-24573r2_rule

Vulnerability Number

V-2589

Group Title

Oracle object permission assignment to PUBLIC

Rule Version

DO3689-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

False Positives

This check may return false positives where other Oracle product accounts are not included in the exclusion list.

Fix Recommendation

Revoke any privileges granted to PUBLIC for objects that are not owned by Oracle product accounts.

From SQL*Plus:

revoke [privilege name] on [object name] from [user name];

Assign permissions to custom application user roles based on job functions:

From SQL*Plus:

grant [privilege name] on [object name] to [user role];

Check Contents

From SQL*Plus (NOTE: The owner list below is only a short subset of all possible default Oracle accounts):

select owner ||'.'|| table_name ||':'|| privilege from dba_tab_privs
where grantee = 'PUBLIC'
and owner not in
('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS',
'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS',
'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS',
'EXFSYS');

If any records are returned for owners that are not Oracle product accounts, and the grants are not documented and authorized, this is a Finding.

NOTE: This check may return false positives where other Oracle product accounts are not included in the exclusion list.
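
An added example, not part of the STIG text: the check query extended so that grants already documented and authorized are filtered out and each remaining row carries the matching revoke statement for review. The table sec_public_grant_auth and its columns are hypothetical; the owner list is the one from the check above.

```sql
-- Added example. SEC_PUBLIC_GRANT_AUTH is a hypothetical table holding one row
-- per PUBLIC grant that has been documented and authorized.
create table sec_public_grant_auth (
  owner        varchar2(30)  not null,
  object_name  varchar2(30)  not null,
  privilege    varchar2(40)  not null,
  approved_by  varchar2(60)  not null,
  approved_on  date          not null,
  constraint sec_public_grant_auth_pk
    primary key (owner, object_name, privilege)
);

-- Candidate findings: PUBLIC grants outside the check's owner list that have
-- no matching authorization row. GRANTOR and GRANTABLE help trace who issued
-- the grant; REVOKE_STMT is for review, not for unattended execution.
select p.owner,
       p.table_name,
       p.privilege,
       p.grantor,
       p.grantable,
       'revoke ' || p.privilege || ' on "' || p.owner || '"."' ||
         p.table_name || '" from PUBLIC;' as revoke_stmt
from dba_tab_privs p
where p.grantee = 'PUBLIC'
and p.owner not in
('SYS', 'CTXSYS', 'MDSYS', 'ODM', 'OLAPSYS', 'MTSSYS',
'ORDPLUGINS', 'ORDSYS', 'SYSTEM', 'WKSYS', 'WMSYS',
'XDB', 'LBACSYS', 'PERFSTAT', 'SYSMAN', 'DMSYS',
'EXFSYS')
and not exists
  (select 1
   from sec_public_grant_auth a
   where a.owner = p.owner
   and a.object_name = p.table_name
   and a.privilege = p.privilege)
order by p.owner, p.table_name, p.privilege;
```

Rows owned by Oracle product accounts that are missing from the owner list still appear in this output, so the false-positive caveat of the check applies here as well.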

Documentable

True

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367
