STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Access to DBMS system tables and other configuration or metadata should be restricted to DBAs.

DISA Rule

SV-24772r2_rule

Vulnerability Number

V-15631

Group Title

DBMS Administrative data access

Rule Version

DG0123-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Revoke unauthorized access to system tables and data.

From SQL*Plus:
revoke [object privilege] on [system object name] from [account name or role];

Check Contents

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):

select grantee, privilege, owner, table_name from dba_tab_privs
where (owner='SYS' or table_name like 'DBA_%')
and privilege <> 'EXECUTE'
and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE',
'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN', 'TRACESVR',
'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE',
'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE',
'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE',
'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS',
'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'LBACSYS', 'PERFSTAT', 'XDBADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

If no accounts or roles are listed, this is not a Finding.

Verify that accounts/roles listed have been authorized by the IAO.

NOTE: Any accounts created and assigned privileges by Oracle product installations do not require authorization by the IAO. The exclusion list provided in this check is subject to changes or additions made by updates to Oracle products. Non-Oracle products should not be assigned access to Oracle system data and tables, however, if required, document requirement in the System Security Plan and ensure authorization by the IAO.

Vulnerability Number

V-15631

Documentable

True

Rule Version

DG0123-ORACLE11

Severity Override Guidance

From SQL*Plus (NOTE: The owner list below is a short list of all possible default Oracle accounts):

select grantee, privilege, owner, table_name from dba_tab_privs
where (owner='SYS' or table_name like 'DBA_%')
and privilege <> 'EXECUTE'
and grantee not in
('PUBLIC', 'AQ_ADMINISTRATOR_ROLE', 'AQ_USER_ROLE',
'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN', 'TRACESVR',
'CTXSYS', 'DBA', 'DELETE_CATALOG_ROLE',
'EXECUTE_CATALOG_ROLE', 'EXP_FULL_DATABASE',
'GATHER_SYSTEM_STATISTICS', 'HS_ADMIN_ROLE',
'IMP_FULL_DATABASE', 'LOGSTDBY_ADMINISTRATOR', 'MDSYS',
'ODM', 'OEM_MONITOR', 'OLAPSYS', 'ORDSYS', 'OUTLN',
'RECOVERY_CATALOG_OWNER', 'SELECT_CATALOG_ROLE',
'SNMPAGENT', 'SYSTEM', 'WKSYS', 'WKUSER', 'WMSYS',
'WM_ADMIN_ROLE', 'XDB', 'LBACSYS', 'PERFSTAT', 'XDBADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role='DBA')
order by grantee;

If no accounts or roles are listed, this is not a Finding.

Verify that accounts/roles listed have been authorized by the IAO.

NOTE: Any accounts created and assigned privileges by Oracle product installations do not require authorization by the IAO. The exclusion list provided in this check is subject to changes or additions made by updates to Oracle products. Non-Oracle products should not be assigned access to Oracle system data and tables, however, if required, document requirement in the System Security Plan and ensure authorization by the IAO.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments