STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version 8, Release 20, Benchmark Date: 28 Jul 2017

DBMS application users should not be granted administrative privileges to the DBMS.

DISA Rule

SV-24746r2_rule

Vulnerability Number

V-15628

Group Title

DBMS application user role privileges

Rule Version

DG0119-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Revoke the ALTER, REFERENCES, and INDEX object privileges from application user roles.

From SQL*Plus:
revoke [privilege] on [owner].[object] from [application user role];

Replace [privilege] with the identified ALTER, REFERENCES or INDEX privilege, [owner].[object] with the owner and table_name returned by the check, and [application user role] with the identified application role (the grantee column). Object privileges are revoked per object, so one statement is needed for each row the check returns.

Check Contents

From SQL*Plus (NOTE: the grantees excluded below are only a short list of the possible default Oracle accounts; other default accounts present in the installation should be excluded before the remaining rows are treated as findings. The last condition also drops every account that owns any object, so an application user that owns even one object will not be listed by this query and must be reviewed separately):

select grantee, owner, table_name, privilege from dba_tab_privs
where privilege in ('ALTER', 'REFERENCES', 'INDEX')
and grantee not in ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN')
and table_name not in
('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN')
and grantee not in
(select grantee from dba_role_privs where granted_role = 'DBA')
and grantee not in (select distinct owner from dba_objects);

If any records are returned, this is a Finding.
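The query below is added here as a worked example and is not part of the STIG text. It ties the Fix Recommendation to the check above: the findings CTE is the check query unchanged, the recursive role_members CTE walks dba_role_privs so that a privilege granted to an application role is traced to every user holding that role (directly or through a nested role grant), and the last column emits the REVOKE statement the fix calls for. Assumed: Oracle 11.2 or later (recursive subquery factoring), a session that can read the DBA_* views, and the names findings, role_members, grant_path, effective_holder and fix, which are chosen for this example.

```sql
-- Added example, not the STIG's own check or fix text.
-- Assumes Oracle 11.2+ and a session with access to the DBA_* views.
WITH findings AS (
  -- Identical to the STIG check query: object privileges that carry
  -- administrative weight, held by something other than the excluded
  -- default accounts, DBA holders and schema owners.
  SELECT grantee, owner, table_name, privilege
  FROM   dba_tab_privs
  WHERE  privilege IN ('ALTER', 'REFERENCES', 'INDEX')
  AND    grantee NOT IN ('DBA', 'SYS', 'SYSTEM', 'LBACSYS', 'XDBADMIN')
  AND    table_name NOT IN ('SDO_IDX_TAB_SEQUENCE', 'XDB$ACL', 'XDB_ADMIN')
  AND    grantee NOT IN (SELECT grantee FROM dba_role_privs
                         WHERE granted_role = 'DBA')
  AND    grantee NOT IN (SELECT DISTINCT owner FROM dba_objects)
),
role_members (role_name, member, grant_path) AS (
  -- Anchor: every direct grant of a role to a user or to another role.
  -- CAST fixes the column width; otherwise the growing path string
  -- overflows the width Oracle infers from the anchor member.
  SELECT granted_role,
         grantee,
         CAST(granted_role || ' > ' || grantee AS VARCHAR2(4000))
  FROM   dba_role_privs
  UNION ALL
  -- Recursion: whoever is granted a member role also holds role_name.
  -- Oracle rejects circular role grants (ORA-01934), so this terminates.
  SELECT rm.role_name,
         rp.grantee,
         CAST(rm.grant_path || ' > ' || rp.grantee AS VARCHAR2(4000))
  FROM   role_members rm
  JOIN   dba_role_privs rp ON rp.granted_role = rm.member
)
SELECT f.grantee                  AS granted_to,       -- role or user from the check
       NVL(rm.member, f.grantee)  AS effective_holder, -- who actually ends up with it
       NVL(rm.grant_path, f.grantee) AS grant_path,    -- role chain, if any
       f.owner,
       f.table_name,
       f.privilege,
       -- The statement the Fix Recommendation asks for, one per finding row.
       'REVOKE ' || f.privilege || ' ON "' || f.owner || '"."' || f.table_name
         || '" FROM "' || f.grantee || '";' AS fix
FROM   findings f
LEFT JOIN role_members rm ON rm.role_name = f.grantee
ORDER  BY f.grantee, effective_holder, f.owner, f.table_name, f.privilege;
```

Every row of the check query appears at least once; rows whose granted_to is a role are repeated once per effective_holder so the reviewer can see which application users gain the privilege through it. Revoking from the role (the fix column) removes the privilege from all of those holders at once; a row whose granted_to is a user rather than a role is still a finding but is fixed by revoking from that user directly.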

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments