Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3728 | DG0016-ORACLE10 | SV-24358r1_rule | DCFA-1 | Low |
Description |
---|
Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced. |
STIG | Date |
---|---|
Oracle 10 Database Installation STIG | 2014-01-14 |
Check Text ( C-25878r1_chk ) |
---|
Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding. From Command Prompt: $ORACLE_HOME/OPatch/opatch lsinventory –detail | more (UNIX) %ORACLE_HOME%/OPatch/opatch lsinventory –detail | more (Windows) Requires additional License on Enterprise Edition: Oracle Real Application Clusters Oracle In-Memory Database Cache Oracle Advanced Security Oracle Label Security Oracle Change Management Pack Oracle Configuration Management Pack Oracle Diagnostic Pack Oracle Tuning Pack Oracle Provisioning and Patch Automation Pack Oracle Partitioning Oracle OLAP Oracle Data Mining Oracle Data Quality and Profiling Oracle Data Watch and Repair Connector Oracle Spatial Oracle Content Database Suite Oracle Records DB Requires additional License: Oracle Transparent Gateways Confirm requirements for these products: Database Workspace Manager Enterprise Manager Agent iSQL*Plus LDAP Oracle HTTP Server Oracle interMedia Oracle Internet Directory Oracle Starter Database Oracle Text Oracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption) Oracle XML Development Sample Schema NOTE: This list does not take into account product dependencies that when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here. |
Fix Text (F-23716r1_fix) |
---|
Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database SCHEMA, objects and applications that exclusively support them. |