STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Unauthorized access to external database objects should be removed from application user roles.

DISA Rule

SV-24750r1_rule

Vulnerability Number

V-15105

Group Title

DBMS application user access to external objects

Rule Version

DG0120-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Evaluate the associated risk in allowing access to external objects.

Consider the security context under which the object is accessed or whether the privileges required to access the object are available for assignment based on job function.

Where feasible, modify the application to use only objects stored internally to the database.

Where not feasible, note the risk assessment and acceptance in the System Security Plan for access to external objects.

Check Contents

Review definitions and access restrictions to objects stored outside of DBMS control.

View object application data types defined in the database, but stored outside of the DBMS.

View data objects that include host file and directory references in their definitions.

If any external objects exist that are not referenced and authorized in the System Security Plan, this is a Finding.

Vulnerability Number

V-15105

Documentable

False

Rule Version

DG0120-ORACLE11

Severity Override Guidance

Review definitions and access restrictions to objects stored outside of DBMS control.

View object application data types defined in the database, but stored outside of the DBMS.

View data objects that include host file and directory references in their definitions.

If any external objects exist that are not referenced and authorized in the System Security Plan, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368

Comments