STIGQter STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Database job/batch queues should be reviewed regularly to detect unauthorized database job submissions.

DISA Rule

SV-60353r2_rule

Vulnerability Number

V-3808

Group Title

Database job/batch queue monitoring

Rule Version

DG0051-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement procedures to monitor the database job queues for unauthorized job submissions.

Develop, document and implement a formal migration plan to convert jobs using DBMS_JOB to use DBMS_SCHEDULER instead for Oracle versions 10.1 and higher. (This does not apply to DBMS_JOB jobs generated by Oracle itself, such as those for refreshing materialized views.)

Set the value of the job_queue_processes parameter to a low value to restrict concurrent DBMS_JOB executions.

Use auditing to capture use of the DBMS_JOB package in the audit trail. Review the audit trail for unauthorized use of the DBMS_JOB package.

Check Contents

The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility.

From SQL*Plus:
select value from v$parameter where name = 'job_queue_processes';

From SQL*Plus:
select value from all_scheduler_global_attribute
where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';

To understand the relationship between these settings, review:
http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/appendix_a003.htm

Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding.

Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions.

From SQL*Plus:
select job, next_date, next_sec, failures, broken from dba_jobs;

Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue.

From SQL*Plus:
select owner, job_name, state, job_class, job_type, job_action
from dba_scheduler_jobs;

Vulnerability Number

V-3808

Documentable

False

Rule Version

DG0051-ORACLE11

Severity Override Guidance

The DBMS_JOB PL/SQL package has been replaced by DBMS_SCHEDULER in Oracle versions 10.1 and higher, though it continues to be supported for backward compatibility.

From SQL*Plus:
select value from v$parameter where name = 'job_queue_processes';

From SQL*Plus:
select value from all_scheduler_global_attribute
where ATTRIBUTE_NAME = 'MAX_JOB_SLAVE_PROCESSES';

To understand the relationship between these settings, review:
http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/appendix_a003.htm

Review documented and implemented procedures for monitoring the Oracle DBMS job/batch queues for unauthorized submissions. If procedures for job queue review are not defined, documented or evidence of implementation does not exist, this is a Finding.

Job queue information is available from the DBA_JOBS view. The following command lists jobs submitted to the queue. DBMS_JOB does not generate a 'history' of previous job executions.

From SQL*Plus:
select job, next_date, next_sec, failures, broken from dba_jobs;

Scheduler queue information is available from the DBA_SCHEDULER_JOBS view. The following command lists jobs submitted to the queue.

From SQL*Plus:
select owner, job_name, state, job_class, job_type, job_action
from dba_scheduler_jobs;

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367

Comments