STIGQter STIGQter: STIG Summary: Oracle Database 11.2g Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Unused database components, DBMS software, and database objects must be removed.

DISA Rule

SV-219769r395853_rule

Vulnerability Number

V-219769

Group Title

SRG-APP-000141-DB-000091

Rule Version

O112-C2-011600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If any components are required for operation of applications that will be accessing the DBMS, include them in the system documentation.

You cannot remove components, either via Database Configuration Assistant (DBCA) or manually once the database has been created.

You can, however, use DBCA to create a database and remove components during the creation process, before you create the database.

When using DBCA to create a custom database, select Database Template = Custom/Database Components.
Components that can be selected or de-selected are:

Oracle Text,
Oracle OLAP,
Oracle Spatial,
Oracle Label Security,
Sample Schemas,
Enterprise Manager Repository,
Oracle Warehouse Builder,
Oracle Database Vault

Check Contents

Run this query to produce a list of components and features installed with the database:

SELECT comp_id, comp_name, version, status from dba_registry
where comp_id not in ('CATALOG','CATPROC');

Review the list. If unused components are installed and are not documented and authorized, this is a finding.

Starting with releases 11.1.0.7.x and above all products are installed by default and the option to customize the product/component

selection is no longer possible with the exception of those listed here:

Oracle JVM,
Oracle Text,
Oracle Multimedia,
Oracle OLAP,
Oracle Spatial,
Oracle Label Security,
Oracle Application Express,
Oracle Database Vault

Vulnerability Number

V-219769

Documentable

False

Rule Version

O112-C2-011600

Severity Override Guidance

Run this query to produce a list of components and features installed with the database:

SELECT comp_id, comp_name, version, status from dba_registry
where comp_id not in ('CATALOG','CATPROC');

Review the list. If unused components are installed and are not documented and authorized, this is a finding.

Starting with releases 11.1.0.7.x and above all products are installed by default and the option to customize the product/component

selection is no longer possible with the exception of those listed here:

Oracle JVM,
Oracle Text,
Oracle Multimedia,
Oracle OLAP,
Oracle Spatial,
Oracle Label Security,
Oracle Application Express,
Oracle Database Vault

Check Content Reference

M

Target Key

4057

Comments