STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017

The Oracle WITH GRANT OPTION privilege should not be granted to non-DBA or non-Application administrator user accounts.

DISA Rule

SV-24905r3_rule

Vulnerability Number

V-2533

Group Title

WITH GRANT OPTION privileges

Rule Version

DO3451-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Revoke privileges granted with the WITH GRANT OPTION from non-DBA accounts and from accounts that do not own application objects.

Re-grant privileges without specifying WITH GRANT OPTION.

Check Contents

Execute the query:

select grantee||': '||owner||'.'||table_name
from dba_tab_privs
where grantable = 'YES'
and grantee not in (select distinct owner from dba_objects)
and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
order by grantee;

If any accounts are listed, this is a finding.
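
The following query is an added example, not part of the STIG text. It applies the check query's filter to list each finding with its privilege and grantor, counts the grants the account has passed on, and generates the REVOKE and re-GRANT statements described in the Fix Recommendation as text for review. The column aliases and the "OWNER"."NAME" addressing of objects are assumptions of this example.

```sql
-- Added example, not part of the STIG. Run as a user who can read the DBA_ views.
-- The findings subquery repeats the check query's filter and keeps the
-- columns needed to act on each row.
with findings as (
  select p.grantee, p.owner, p.table_name, p.privilege, p.grantor
  from dba_tab_privs p
  where p.grantable = 'YES'
  and p.grantee not in (select distinct owner from dba_objects)
  and p.grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
)
select f.grantee,
       f.grantor,
       f.privilege,
       f.owner || '.' || f.table_name as object_name,
       -- Grants this account has passed on for the same object and privilege.
       -- Revoking the account's object privilege revokes these as well, so
       -- decide beforehand which of them the owner must grant again.
       (select count(*)
          from dba_tab_privs d
         where d.grantor = f.grantee
           and d.owner = f.owner
           and d.table_name = f.table_name
           and d.privilege = f.privilege) as passed_on_grants,
       -- Statements are produced as text only; nothing is executed here.
       -- Assumption: the object can be addressed as "OWNER"."NAME". Directory
       -- and Java objects use a different ON clause and need manual editing.
       'REVOKE ' || f.privilege || ' ON "' || f.owner || '"."' || f.table_name ||
         '" FROM "' || f.grantee || '";' as revoke_stmt,
       -- Re-grant without WITH GRANT OPTION, as the Fix Recommendation states.
       'GRANT ' || f.privilege || ' ON "' || f.owner || '"."' || f.table_name ||
         '" TO "' || f.grantee || '";' as regrant_stmt
from findings f
order by f.grantee, f.owner, f.table_name, f.privilege;
```

After the generated statements have been reviewed and run, the check query should return no rows for the remediated accounts.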

Documentable

False

Severity Override Guidance

Execute the query:

select grantee||': '||owner||'.'||table_name
from dba_tab_privs
where grantable = 'YES'
and grantee not in (select distinct owner from dba_objects)
and grantee not in (select grantee from dba_role_privs where granted_role = 'DBA')
order by grantee;

If any accounts are listed, this is a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

1367
