STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

The Oracle Management Agent should be uninstalled if not required and authorized or is installed on a database accessible from the Internet.

DISA Rule

SV-24546r1_rule

Vulnerability Number

V-3866

Group Title

Oracle management agent use

Rule Version

DO0430-ORACLE11

Severity

CAT III

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Use the ORACLE_HOME/rdbms/admin/catnsnmp.sql script to remove all Oracle SNMP management agent objects in the database.

Delete the executable file ORACLE_HOME/bin/dbsnmp or dbsnmp.exe if it exists from any Oracle Home not authorized for SNMP management.

Uninstall any SNMP management agents installed on Oracle database servers installed in a DMZ that serve applications to Internet users.

Uninstall any SNMP management agents that have not been authorized and documented in the System Security Plan.

Document any authorized use of the SNMP management agent on database servers that do not support Internet applications in a DMZ in the System Security Plan.

NOTE: Removal of SNMP management objects will prevent the ability to generate database statistics within Oracle Enterprise Manager.

Check Contents

Determine if the Oracle Management Agent is installed:

From SQL*Plus:

select account_status from dba_users
where upper(username) = 'DBSNMP';

If no rows are returned, this is not a Finding.

If the DBSNMP account exists and the account_status is OPEN, then verify in the System Security Plan that operation and use of the Oracle Enterprise Manager Management Agent or another SNMP management program is documented and authorized.

If it is not documented in the System Security Plan as being required, this is a Finding.

If the DBSNMP account exists and the account_status is not OPEN, schedule the FIX action below then mark as not a Finding.

Despite any justification or authorization, if a Management Agent is installed on a DBMS server that is in a DMZ and Internet facing, this is a Finding.

Vulnerability Number

V-3866

Documentable

False

Rule Version

DO0430-ORACLE11

Severity Override Guidance

Determine if the Oracle Management Agent is installed:

From SQL*Plus:

select account_status from dba_users
where upper(username) = 'DBSNMP';

If no rows are returned, this is not a Finding.

If the DBSNMP account exists and the account_status is OPEN, then verify in the System Security Plan that operation and use of the Oracle Enterprise Manager Management Agent or another SNMP management program is documented and authorized.

If it is not documented in the System Security Plan as being required, this is a Finding.

If the DBSNMP account exists and the account_status is not OPEN, schedule the FIX action below then mark as not a Finding.

Despite any justification or authorization, if a Management Agent is installed on a DBMS server that is in a DMZ and Internet facing, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368

Comments