STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Execute permission should be revoked from PUBLIC for restricted Oracle packages.

DISA Rule

SV-24908r2_rule

Vulnerability Number

V-2539

Group Title

Oracle PUBLIC access to restricted packages

Rule Version

DO3475-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Revoking all default installation privilege assignments from PUBLIC is not required at this time. However, execute permissions to the specified packages is required to be revoked from PUBLIC. Removal of these privileges from PUBLIC may result in invalid packages in version 10.1 and later of Oracle and an inability to execute default Oracle applications and utilities. To correct this problem, grant execute privileges on these packages directly to the SYSMAN, WKSYS, MDSYS and SYSTEM accounts as well as any other default Oracle database and custom application object owner accounts as necessary to support execution of applications/utilities installed with an Oracle Database Server.

At a minimum, revoke the following:

From SQL*Plus:
revoke execute on UTL_FILE from PUBLIC;
revoke execute on UTL_SMTP from PUBLIC;
revoke execute on UTL_TCP from PUBLIC;
revoke execute on UTL_HTTP from PUBLIC;
revoke execute on DBMS_RANDOM from PUBLIC;
revoke execute on DBMS_LOB from PUBLIC;
revoke execute on DBMS_SQL from PUBLIC;
revoke execute on DBMS_SYS_SQL from PUBLIC;
revoke execute on DBMS_JOB from PUBLIC;
revoke execute on DBMS_BACKUP_RESTORE from PUBLIC;
revoke execute on DBMS_OBFUSCATION_TOOLKIT from PUBLIC;

Check Contents

From SQL*Plus:
select table_name from dba_tab_privs
where grantee='PUBLIC'
and privilege ='EXECUTE'
and table_name in
('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP',
'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL',
'DBMS_SYS_SQL', 'DBMS_JOB',
'DBMS_BACKUP_RESTORE',
'DBMS_OBFUSCATION_TOOLKIT');

If any records are returned, this is a Finding.

Vulnerability Number

V-2539

Documentable

False

Rule Version

DO3475-ORACLE11

Severity Override Guidance

From SQL*Plus:
select table_name from dba_tab_privs
where grantee='PUBLIC'
and privilege ='EXECUTE'
and table_name in
('UTL_FILE', 'UTL_SMTP', 'UTL_TCP', 'UTL_HTTP',
'DBMS_RANDOM', 'DBMS_LOB', 'DBMS_SQL',
'DBMS_SYS_SQL', 'DBMS_JOB',
'DBMS_BACKUP_RESTORE',
'DBMS_OBFUSCATION_TOOLKIT');

If any records are returned, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments