STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

System privileges granted using the WITH ADMIN OPTION must not be granted to unauthorized user accounts.

DISA Rule

SV-219706r401224_rule

Vulnerability Number

V-219706

Group Title

SRG-APP-000516-DB-000363

Rule Version

O112-BP-022300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Revoke assignment of privileges with the WITH ADMIN OPTION from unauthorized users and re-grant them without the option.

From SQL*Plus:

revoke [privilege name] from user [username];

Replace [privilege name] with the named privilege and [username] with the named user.

Restrict use of the WITH ADMIN OPTION to authorized administrators.

Document authorized privilege assignments with the WITH ADMIN OPTION in the System Security Plan.

Check Contents

Run the SQL query:

select grantee, privilege from dba_sys_privs
where grantee not in
(<list of non-applicable accounts>)
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA');

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

If any accounts that are not authorized to have the ADMIN OPTION are listed, this is a Finding.

Vulnerability Number

V-219706

Documentable

False

Rule Version

O112-BP-022300

Severity Override Guidance

Run the SQL query:

select grantee, privilege from dba_sys_privs
where grantee not in
(<list of non-applicable accounts>)
and admin_option = 'YES'
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA');

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

If any accounts that are not authorized to have the ADMIN OPTION are listed, this is a Finding.

Check Content Reference

M

Target Key

4057

Comments