STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

Application user privileges should be restricted to assignment using application user roles.

DISA Rule

SV-24755r2_rule

Vulnerability Number

V-15629

Group Title

DBMS application user privilege assignment

Rule Version

DG0121-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

False Positives

NOTE: This check may report false positives where other ORACLE products have been installed. Accounts installed with other Oracle products are exempt from this requirement.

Fix Recommendation

Revoke privileges assigned directly to database accounts and assign them to roles based on job functions.

Grant the defined role to the users who are responsible for that job function.

From SQL*Plus:
revoke [privilege] on [object name] from [user name];
grant [privilege] on [object name] to [role name];
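
The following is an added worked example of the remediation above, not part of the STIG text. All names are hypothetical: APPOWNER is the schema that owns the application objects, APP_CLERK_ROLE is the job-function role being created, and JSMITH is an application account that currently holds direct object grants. The order of steps matters: the role is granted to the user before the direct grants are revoked, so the user is never left without access.

```sql
-- Added example (not the STIG's own text). Hypothetical names:
-- APPOWNER (application schema), APP_CLERK_ROLE (job-function role),
-- JSMITH (application user currently holding direct grants).

-- 1. List what the user holds directly; these rows are what the check flags.
select privilege, owner, table_name, grantor
  from dba_tab_privs
 where grantee = 'JSMITH'
 order by owner, table_name, privilege;

-- 2. Create a role named for the job function and move the object
--    privileges on to the role instead of the user.
create role app_clerk_role;
grant select, insert, update on appowner.orders        to app_clerk_role;
grant select                 on appowner.customers     to app_clerk_role;
grant execute                on appowner.pkg_order_api to app_clerk_role;

-- 3. Grant the role to every user who performs that job function.
grant app_clerk_role to jsmith;

-- 4. Only now revoke the direct grants, so access flows solely through the role.
--    Each REVOKE must be issued by the original grantor shown in step 1
--    (or by a user holding GRANT ANY OBJECT PRIVILEGE).
revoke select, insert, update on appowner.orders        from jsmith;
revoke select                 on appowner.customers     from jsmith;
revoke execute                on appowner.pkg_order_api from jsmith;

-- 5. Re-verify: the first query should now list no direct object grants for
--    JSMITH, and the second should show the role assignment.
select privilege, owner, table_name
  from dba_tab_privs
 where grantee = 'JSMITH';

select granted_role, default_role
  from dba_role_privs
 where grantee = 'JSMITH';
```

One caveat a DBA will hit in practice: privileges received through a role are not in effect inside definer's-rights PL/SQL units or views owned by that user. If JSMITH owns a procedure or view that depends on access to APPOWNER objects, moving the grant to a role will break it; such cases need a direct grant and should be recorded as a documented exception (this rule is marked Documentable) rather than silently left out of the role.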

Check Contents

From SQL*Plus (NOTE: The excluded grantee list below is only a partial list of the default Oracle accounts, not all of them; see the false-positive note following the query):

select grantee||': '||privilege||': '||owner||'.'||table_name
from dba_tab_privs where grantee not in
(select role from dba_roles)
and grantee not in
('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS',
'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES',
'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS',
'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS',
'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT',
'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM',
'WKSYS', 'WMSYS', 'XDB')
and table_name<>'DBMS_REPCAT_INTERNAL_PACKAGE'
and table_name not like '%RP'
and grantee not in
(select grantee from dba_tab_privs
where table_name in ('DBMS_DEFER', 'DEFLOB'));

If any records are returned, this is a Finding.

NOTE: This check may report false positives where other ORACLE products have been installed. Accounts installed with other Oracle products are exempt from this requirement.
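
The following is an added example and not part of the STIG check. It applies the same finding logic as the query above but (a) excludes accounts listed in a locally maintained, documented exemption table, which is how the false-positive case in the note can be handled without editing the check each time another Oracle product is installed, and (b) emits one REVOKE statement per finding together with the grantor who must issue it. APP_STIG_EXEMPT_GRANTEES is a hypothetical table name; ORDDATA is used only as an illustration of a product-installed account that the check's list does not cover.

```sql
-- Added example (not the STIG check). Hypothetical exemption table that
-- records accounts installed by other Oracle products, with justification,
-- so the finding can be documented rather than re-reported each scan.
create table app_stig_exempt_grantees (
  grantee        varchar2(30)   not null primary key,
  justification  varchar2(4000) not null,
  approved_by    varchar2(30)   not null,
  approved_on    date default sysdate not null
);

-- Illustrative exemption: an account installed by an Oracle product that is
-- not in the check's exclusion list. Replace with what is actually installed.
insert into app_stig_exempt_grantees (grantee, justification, approved_by)
values ('ORDDATA',
        'Oracle Multimedia data schema installed with the product; not an application account',
        'DBA team lead');
commit;

-- Same filters as the STIG check, plus the exemption table. Instead of a
-- finding line, each row is a ready-to-review REVOKE statement. GRANTOR is
-- shown because an object privilege can only be revoked by the account that
-- granted it (or by one holding GRANT ANY OBJECT PRIVILEGE).
select p.grantor as must_be_issued_by,
       'revoke ' || p.privilege
       || ' on "' || p.owner || '"."' || p.table_name || '"'
       || ' from "' || p.grantee || '";' as remediation
  from dba_tab_privs p
 where p.grantee not in (select role from dba_roles)
   and p.grantee not in
       ('APEX_PUBLIC_USER', 'AURORA$JIS$UTILITY$', 'CTXSYS',
        'DBSNMP', 'EXFSYS', 'FLOWS_030000', 'FLOWS_FILES',
        'LBACSYS', 'MDSYS', 'MGMT_VIEW', 'ODM', 'OLAPSYS',
        'ORACLE_OCM', 'ORDPLUGINS', 'ORDSYS',
        'OSE$HTTP$ADMIN', 'OUTLN', 'OWBSYS', 'PERFSTAT',
        'PUBLIC', 'REPADMIN', 'SYS', 'SYSMAN', 'SYSTEM',
        'WKSYS', 'WMSYS', 'XDB')
   and p.table_name <> 'DBMS_REPCAT_INTERNAL_PACKAGE'
   and p.table_name not like '%RP'
   and p.grantee not in (select grantee from dba_tab_privs
                          where table_name in ('DBMS_DEFER', 'DEFLOB'))
   and p.grantee not in (select grantee from app_stig_exempt_grantees)
 order by p.grantee, p.owner, p.table_name, p.privilege;
```

Spool the output to a script and review it before running it: a REVOKE of a privilege that was granted WITH GRANT OPTION cascades to everyone the grantee re-granted it to, and the role carrying the replacement privileges must be granted first (see the Fix Recommendation). Note also that this check, like the original, reads only DBA_TAB_PRIVS; column-level grants in DBA_COL_PRIVS are outside its scope.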

Documentable

True

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments