STIGQter: STIG Summary: Oracle Database 12c Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Administrative privileges must be assigned to database accounts via database roles.

DISA Rule

SV-237709r667159_rule

Vulnerability Number

V-237709

Group Title

SRG-APP-000133-DB-000362

Rule Version

O121-C2-004000

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create roles for administrative function assignments. Assign the necessary privileges for the administrative functions to a role. Do not assign administrative privileges directly to users, except for those that Oracle does not permit to be assigned via roles.
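The following is an added worked example of the fix, not text from the STIG itself. The role name APP_DBA_ROLE, the account APPUSER and the three ANY-object privileges are assumed for illustration; substitute the privileges the check query actually reports for your accounts. Run it connected as SYSDBA.

```sql
-- Added example (not from the STIG): move directly granted administrative
-- privileges onto a role. APP_DBA_ROLE, APPUSER and the privileges are
-- assumed names for illustration. Run as SYSDBA.

-- 1. Create a role that represents the administrative function.
CREATE ROLE app_dba_role;

-- 2. Grant the administrative privileges to the role, not to the user.
GRANT CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE TO app_dba_role;

-- 3. Grant the role to the account that performs the function.
GRANT app_dba_role TO appuser;

-- 4. Remove the direct grants that the check query would flag.
REVOKE CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE FROM appuser;

-- 5. Verify: no direct system privileges remain on the account ...
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'APPUSER';

-- ... the account holds the role ...
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'APPUSER';

-- ... and the privileges are now held by the role (roles appear as grantees
-- in DBA_SYS_PRIVS).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APP_DBA_ROLE';
```

Two caveats a DBA applying this should keep in mind. First, the administrative privileges SYSDBA, SYSOPER, SYSBACKUP, SYSDG and SYSKM cannot be granted to a role at all; they are the "except for those that Oracle does not permit to be assigned via roles" in the fix text and are held in the password file rather than in DBA_SYS_PRIVS. Second, privileges received through a role are not in effect inside definer's-rights PL/SQL units (stored procedures, packages, triggers); if an account relies on a system privilege inside such code, moving the grant to a role will break that code, so test before revoking.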

Check Contents

Review accounts for direct assignment of administrative privileges. Connected as SYSDBA, run the query:

SELECT grantee, privilege
FROM dba_sys_privs
WHERE grantee IN
(
SELECT username
FROM dba_users
WHERE username NOT IN
(
'XDB', 'SYSTEM', 'SYS', 'LBACSYS',
'DVSYS', 'DVF', 'SYSMAN_RO',
'SYSMAN_BIPLATFORM', 'SYSMAN_MDS',
'SYSMAN_OPSS', 'SYSMAN_STB', 'DBSNMP',
'SYSMAN', 'APEX_040200', 'WMSYS',
'SYSDG', 'SYSBACKUP', 'SPATIAL_WFS_ADMIN_USR',
'SPATIAL_CSW_ADMIN_US', 'GSMCATUSER',
'OLAPSYS', 'SI_INFORMTN_SCHEMA',
'OUTLN', 'ORDSYS', 'ORDDATA', 'OJVMSYS',
'ORACLE_OCM', 'MDSYS', 'ORDPLUGINS',
'GSMADMIN_INTERNAL', 'MDDATA', 'FLOWS_FILES',
'DIP', 'CTXSYS', 'AUDSYS',
'APPQOSSYS', 'APEX_PUBLIC_USER', 'ANONYMOUS',
'SPATIAL_CSW_ADMIN_USR', 'SYSKM',
'SYSMAN_TYPES', 'MGMT_VIEW',
'EUS_ENGINE_USER', 'EXFSYS', 'SYSMAN_APM'
)
)
AND privilege NOT IN ('UNLIMITED TABLESPACE'
, 'REFERENCES', 'INDEX', 'SYSDBA', 'SYSOPER'
)
ORDER BY 1, 2;

If any administrative privileges have been assigned directly to a database account, this is a finding.

(The list of special accounts that are excluded from this requirement may not be complete. It is expected that the DBA will edit the list to suit local circumstances, adding other special accounts as necessary, and removing any that are not supposed to be in use in the Oracle deployment that is under review.)
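The parenthetical above is the practical weakness of the check: the exclusion list is hand-maintained, drifts between releases, and typos in it (the list contains both 'SPATIAL_CSW_ADMIN_US' and 'SPATIAL_CSW_ADMIN_USR') silently match nothing. The following is an added variant of the check, not the STIG's own query, that uses the ORACLE_MAINTAINED column of DBA_USERS (present from Oracle Database 12c) to exclude Oracle-supplied accounts, and that emits a REVOKE statement per finding so the output can be reviewed and turned into the fix. Column and view names are standard Oracle 12c data-dictionary names; no other names are assumed.

```sql
-- Added example (not from the STIG): check for directly granted administrative
-- privileges using DBA_USERS.ORACLE_MAINTAINED (12c and later) instead of the
-- hand-maintained account list, and generate one REVOKE per finding for review.
-- Run as SYSDBA. Review each generated REVOKE before executing it; the
-- privilege should first be granted to a role and the role to the account.
SELECT p.grantee,
       p.privilege,
       p.admin_option,
       'REVOKE ' || p.privilege || ' FROM ' || p.grantee || ';' AS remediation
FROM   dba_sys_privs p
       JOIN dba_users u ON u.username = p.grantee      -- users only, not roles
WHERE  u.oracle_maintained = 'N'                       -- skip Oracle-supplied accounts
AND    p.privilege NOT IN ('UNLIMITED TABLESPACE', 'REFERENCES', 'INDEX',
                           'SYSDBA', 'SYSOPER')        -- same exclusions as the STIG
ORDER BY p.grantee, p.privilege;

-- Administrative privileges that Oracle does not allow on a role live in the
-- password file, not in DBA_SYS_PRIVS. List them separately so they are
-- reviewed explicitly rather than hidden by the exclusions above.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER BY username;
```

Any row from the first query is a finding under this rule; the second query is not a finding by itself, but every account it lists should be a documented administrator, since those privileges can only be held directly. Sites that have created their own service accounts with ORACLE_MAINTAINED = 'N' but that legitimately need direct grants should still document them, as the STIG's own caveat requires.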

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4059

Comments