STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

The DBA role should not be assigned excessive or unauthorized privileges.

DISA Rule

SV-24673r2_rule

Vulnerability Number

V-15615

Group Title

Minimum DBA privilege assignment

Rule Version

DG0085-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

If a REMOTE_LOGIN_PASSWORDFILE is in use (='EXCLUSIVE'), list database accounts assigned SYSDBA and SYSOPER database privileges and review for appropriate authorization.

Document authorized SYSDBA and SYSOPER users in the System Security Plan.

From SQL*Plus:
select * from v$pwfile_users;

To revoke SYSDBA or SYSOPER from accounts:

From SQL*Plus:
revoke sysdba from [username];
revoke sysoper from [username];

Check Contents

From SQL*Plus:
select username from v$pwfile_users
where username not in
(select grantee from dba_role_privs where granted_role='DBA')
and username<>'INTERNAL'
and (sysdba = 'TRUE' or sysoper='TRUE');

If any accounts are listed and are not authorized by the IAO in the System Security Plan, this is a Finding.

Vulnerability Number

V-15615

Documentable

True

Rule Version

DG0085-ORACLE11

Severity Override Guidance

From SQL*Plus:
select username from v$pwfile_users
where username not in
(select grantee from dba_role_privs where granted_role='DBA')
and username<>'INTERNAL'
and (sysdba = 'TRUE' or sysoper='TRUE');

If any accounts are listed and are not authorized by the IAO in the System Security Plan, this is a Finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1367

Comments