STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

System privileges granted using the WITH ADMIN OPTION should not be granted to unauthorized user accounts.

DISA Rule

SV-24925r2_rule

Vulnerability Number

V-2561

Group Title

System privileges granted WITH ADMIN OPTION

Rule Version

DO3609-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option.

From SQL*Plus:

revoke [privilege name] from user [username];

Replace [privilege name] with the named privilege and [username] with the named user.

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.

Check Contents

From SQL*Plus:

select grantee, privilege from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA');

If any accounts are listed, this is a Finding.

Vulnerability Number

V-2561

Documentable

False

Rule Version

DO3609-ORACLE11

Severity Override Guidance

From SQL*Plus:

select grantee, privilege from dba_sys_privs
where grantee not in
('SYS', 'SYSTEM', 'AQ_ADMINISTRATOR_ROLE', 'DBA',
'MDSYS', 'LBACSYS', 'SCHEDULER_ADMIN',
'WMSYS')
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA');

If any accounts are listed, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments