DBMS application users should not be granted administrative privileges to the DBMS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15628	DG0119-ORACLE10	SV-24744r1_rule	ECLP-1	Medium

Description
Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against exploits against application vulnerabilities such as SQL injection attacks. The recommended method is to grant access only to stored procedures that perform only static actions on the data authorized for the user. Where this is not feasible, consider using data views or other methods to restrict users to only the data suitable for their job function.

Description

Excessive privileges can lead to unauthorized actions on data and database objects. Assigning only the privileges required to perform the job function authorized for the user helps protect against exploits against application vulnerabilities such as SQL injection attacks. The recommended method is to grant access only to stored procedures that perform only static actions on the data authorized for the user. Where this is not feasible, consider using data views or other methods to restrict users to only the data suitable for their job function.

STIG	Date
Oracle 10 Database Instance STIG	2014-01-14

Details

Check Text ( None )
None

Fix Text (F-3787r1_fix)
Revoke ALTER, REFERENCES, and INDEX privileges from application user roles. From SQL*Plus: revoke [privilege] from [application user role]; Replace [privilege] with the identified ALTER, REFERENCES or INDEX privilege and [application user role] with the identified application role.