STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Application owner accounts must have a dedicated application tablespace.

DISA Rule

SV-219848r401224_rule

Vulnerability Number

V-219848

Group Title

SRG-APP-000516-DB-000363

Rule Version

O121-BP-023700

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Create and assign dedicated tablespaces for the storage of data by each application using the CREATE TABLESPACE command.

Check Contents

Run the SQL query:

select distinct owner, tablespace_name
from dba_SEGMENTS
where owner not in
(<list of non-applicable accounts>)
order by tablespace_name;

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

Review the list of returned table owners with the tablespace used.

If any of the owners listed are not default Oracle accounts and use the SYSTEM or any other tablespace not dedicated for the application’s use, this is a finding.

Look for multiple applications that may share a tablespace.

If no records were returned, ask the DBA if any applications use this database.

If no applications use the database, this is not a finding.

If there are applications that do use the database or if the application uses the SYS or other default account and SYSTEM tablespace to store its objects, this is a finding.

Vulnerability Number

V-219848

Documentable

False

Rule Version

O121-BP-023700

Severity Override Guidance

Run the SQL query:

select distinct owner, tablespace_name
from dba_SEGMENTS
where owner not in
(<list of non-applicable accounts>)
order by tablespace_name;

(With respect to the list of special accounts that are excluded from this requirement, it is expected that the DBA will maintain the list to suit local circumstances, adding special accounts as necessary and removing any that are not supposed to be in use in the Oracle deployment that is under review.)

Review the list of returned table owners with the tablespace used.

If any of the owners listed are not default Oracle accounts and use the SYSTEM or any other tablespace not dedicated for the application’s use, this is a finding.

Look for multiple applications that may share a tablespace.

If no records were returned, ask the DBA if any applications use this database.

If no applications use the database, this is not a finding.

If there are applications that do use the database or if the application uses the SYS or other default account and SYSTEM tablespace to store its objects, this is a finding.

Check Content Reference

M

Target Key

4059

Comments