STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Oracle application administration roles should be disabled if not required and authorized.

DISA Rule

SV-24531r2_rule

Vulnerability Number

V-3438

Group Title

Oracle application administration roles enablement

Rule Version

DO0340-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each role assignment returned, issue:

From SQL*Plus:

alter user [username] default role all except [role];

ALTER USER ... DEFAULT ROLE replaces the user's whole default role list rather than adjusting a single entry. If the user has been granted more than one application administration role, do not issue the statement once per role; instead set the default role list in a single statement that names only the roles authorized to be enabled at login (DEFAULT ROLE NONE if there are none). Excluding a role from the default list does not revoke it, and the user can still enable it with SET ROLE, so revoke any role the account is not authorized to hold at all.
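The fix applied to a hypothetical account, as an added worked example that is not part of the STIG text. The account APP_ADMIN and the roles APP_USER_MGMT and APP_REPORT_ADMIN are assumed names for illustration; the statements in step 2 are alternatives, and the one to use depends on what the check query reported for the account.

```sql
-- Added worked example of the fix; not DISA text. Run from SQL*Plus as a DBA.
-- Assumed names: APP_ADMIN (user), APP_USER_MGMT and APP_REPORT_ADMIN (roles).

-- 1. Current grants for the account: which roles it holds and which are
--    enabled automatically at login (DEFAULT_ROLE = 'YES').
select granted_role, default_role
  from dba_role_privs
 where grantee = 'APP_ADMIN'
 order by granted_role;

-- 2a. Only one application administration role is granted: exclude it and
--     leave every other granted role enabled at login.
alter user APP_ADMIN default role all except APP_USER_MGMT;

-- 2b. More than one application administration role is granted: each
--     ALTER USER ... DEFAULT ROLE replaces the whole default list, so name
--     every role the account needs at login (here only APP_REPORT_ADMIN is
--     authorized) in one statement rather than issuing ALL EXCEPT per role.
alter user APP_ADMIN default role APP_REPORT_ADMIN;

-- 2c. No role should be enabled at login: the roles stay granted and the
--     user enables one explicitly with SET ROLE when it is needed.
alter user APP_ADMIN default role none;

-- 3. Verify: the excluded role must now report DEFAULT_ROLE = 'NO'.
select granted_role, default_role
  from dba_role_privs
 where grantee = 'APP_ADMIN'
   and granted_role = 'APP_USER_MGMT';

-- 4. A role the account is not authorized to hold at all should be revoked,
--    because a non-default role can still be enabled with SET ROLE.
revoke APP_USER_MGMT from APP_ADMIN;
```

After step 2, re-run the check query from the Check Contents section and confirm the account is no longer reported for any role it is not authorized to have enabled by default.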

Check Contents

From SQL*Plus (NOTE: The owner list below is a short list, not an exhaustive one, of the default Oracle accounts; extend it for the options installed in the instance):

select grantee, granted_role
  from dba_role_privs
 where default_role = 'YES'
   -- roles that directly hold a user-administration system privilege
   -- (for example CREATE USER, ALTER USER, DROP USER)
   and granted_role in
       (select grantee from dba_sys_privs where upper(privilege) like '%USER%')
   -- skip default Oracle accounts and roles
   and grantee not in
       ('DBA', 'SYS', 'SYSTEM', 'CTXSYS', 'IMP_FULL_DATABASE', 'MDSYS', 'WKSYS')
   -- skip schema owners (object owners rather than application administrators)
   and grantee not in (select distinct owner from dba_tables)
   -- skip locked accounts
   and grantee not in
       (select distinct username from dba_users
         where upper(account_status) like '%LOCKED%');

Review the accounts and roles reported by this check and ensure that each reported role is an authorized application administration role and that each grantee is authorized to have it enabled by default.

If any are not authorized application administration roles, this is a Finding.
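Queries that support the review step, as an added example that is not part of the STIG text. The first two explain a row returned by the check for a hypothetical role APP_USER_MGMT (the name is an assumption); the third goes beyond the STIG query by following role-to-role grants, since the check above matches only roles that hold a user-administration privilege directly in DBA_SYS_PRIVS.

```sql
-- Added review queries; not DISA text. Assumed role name: APP_USER_MGMT.

-- Why the role matched: the user-administration privileges it holds directly.
select privilege, admin_option
  from dba_sys_privs
 where grantee = 'APP_USER_MGMT'
   and upper(privilege) like '%USER%';

-- Who holds the role, and for whom it is enabled at login.
select grantee, default_role, admin_option
  from dba_role_privs
 where granted_role = 'APP_USER_MGMT'
 order by grantee;

-- Beyond the STIG query: roles that inherit a user-administration privilege
-- through a role-to-role grant. The check looks only at DBA_SYS_PRIVS grants
-- made directly to a role, so a role that was granted a privileged role
-- would not be reported even though its holders get the same privileges.
select distinct role as inheriting_role,
       connect_by_root granted_role as privileged_role
  from role_role_privs
 start with granted_role in
       (select grantee from dba_sys_privs where upper(privilege) like '%USER%')
 connect by nocycle prior role = granted_role
 order by inheriting_role;
```

Any INHERITING_ROLE returned by the third query carries the same user-administration capability as the role it inherits from and should be reviewed against the same authorization criteria as the roles reported by the check itself.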

Documentable

True

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments