STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

The XDB Protocol server should be uninstalled if not required and authorized for use.

DISA Rule

SV-24899r1_rule

Vulnerability Number

V-3865

Group Title

Oracle XML DB

Rule Version

DO0420-ORACLE11

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the database is authorized to support web services using XML over HTTP, then include documentation and authorization in the System Security Plan.

If not authorized, uninstall XML DB per Oracle MetaLink Note 742014.1.

Check Contents

From SQL*Plus:

select count(*) from dba_users where username = 'XDB';

select count(*) from v$parameter where name = 'dispatchers'
and value like '%XDB%';

If a value of 0 is returned for either the first or the second SQL statement above, this is not a Finding.

If a value of 1 (or more) is returned for the second SQL statement, review the System Security Plan to verify that the existence of all XML DB dispatchers is authorized.

If it is not, this is a Finding.

Documentable

False

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367
