STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Application owner accounts should have a dedicated application tablespace.

DISA Rule

SV-24510r3_rule

Vulnerability Number

V-3849

Group Title

Oracle application object owner tablespaces

Rule Version

DO0231-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Create and assign dedicated tablespaces for the storage of data by each application using the CREATE TABLESPACE command.

Check Contents

From SQL*Plus (Note: The owner list below is but a sample of all possible default Oracle accounts - edit according to local circumstances):

select distinct owner, tablespace_name
from dba_SEGMENTS
where owner not in
('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM',
'ODM_MTR','MDSYS','ORDSYS','WMSYS','RMAN','XDB',
'AUDSYS','DBSNMP','GSMADMIN_INTERNAL')
order by tablespace_name;

Review the list of returned table owners with the tablespace used.

If any of the owners listed are not default Oracle accounts and use the "SYSTEM" or any other tablespace not dedicated for the application’s use, this is a Finding.

Look for multiple applications that may share a tablespace.

If no records were returned, ask the DBA if any applications use this database.

If no applications use the database, this is not a Finding.

If there are applications that do use the database or if the application uses the "SYS" or other default account and "SYSTEM" tablespace to store its objects, this is a Finding.

Vulnerability Number

V-3849

Documentable

True

Rule Version

DO0231-ORACLE11

Severity Override Guidance

From SQL*Plus (Note: The owner list below is but a sample of all possible default Oracle accounts - edit according to local circumstances):

select distinct owner, tablespace_name
from dba_SEGMENTS
where owner not in
('SYS','SYSTEM','OUTLN','OLAPSYS','CTXSYS','WKSYS','ODM',
'ODM_MTR','MDSYS','ORDSYS','WMSYS','RMAN','XDB',
'AUDSYS','DBSNMP','GSMADMIN_INTERNAL')
order by tablespace_name;

Review the list of returned table owners with the tablespace used.

If any of the owners listed are not default Oracle accounts and use the "SYSTEM" or any other tablespace not dedicated for the application’s use, this is a Finding.

Look for multiple applications that may share a tablespace.

If no records were returned, ask the DBA if any applications use this database.

If no applications use the database, this is not a Finding.

If there are applications that do use the database or if the application uses the "SYS" or other default account and "SYSTEM" tablespace to store its objects, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments