Unused database components, database application software and database objects should be removed from the DBMS system.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3728	DG0016-ORACLE10	SV-24358r1_rule	DCFA-1	Low

Description
Unused, unnecessary DBMS components increase the attack vector for the DBMS by introducing additional targets for attack. By minimizing the services and applications installed on the system, the number of potential vulnerabilities is reduced.

STIG	Date
Oracle Database 10g Installation STIG	2014-04-02

Details

Check Text ( C-25878r1_chk )
Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding. From Command Prompt: $ORACLE_HOME/OPatch/opatch lsinventory –detail \| more (UNIX) %ORACLE_HOME%/OPatch/opatch lsinventory –detail \| more (Windows) Requires additional License on Enterprise Edition: Oracle Real Application Clusters Oracle In-Memory Database Cache Oracle Advanced Security Oracle Label Security Oracle Change Management Pack Oracle Configuration Management Pack Oracle Diagnostic Pack Oracle Tuning Pack Oracle Provisioning and Patch Automation Pack Oracle Partitioning Oracle OLAP Oracle Data Mining Oracle Data Quality and Profiling Oracle Data Watch and Repair Connector Oracle Spatial Oracle Content Database Suite Oracle Records DB Requires additional License: Oracle Transparent Gateways Confirm requirements for these products: Database Workspace Manager Enterprise Manager Agent iSQL*Plus LDAP Oracle HTTP Server Oracle interMedia Oracle Internet Directory Oracle Starter Database Oracle Text Oracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption) Oracle XML Development Sample Schema NOTE: This list does not take into account product dependencies that when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Check Text ( C-25878r1_chk )

Use the Oracle Universal Installer or OPATCH utility to display the list of installed products. Review the list of installed products with the DBA and verify any installed products listed below are required and licensed. If any are installed and are not required or not licensed, this is a Finding.

From Command Prompt:
$ORACLE_HOME/OPatch/opatch lsinventory –detail | more (UNIX)
%ORACLE_HOME%/OPatch/opatch lsinventory –detail | more (Windows)

Requires additional License on Enterprise Edition:
Oracle Real Application Clusters
Oracle In-Memory Database Cache
Oracle Advanced Security
Oracle Label Security
Oracle Change Management Pack
Oracle Configuration Management Pack
Oracle Diagnostic Pack
Oracle Tuning Pack
Oracle Provisioning and Patch Automation Pack
Oracle Partitioning
Oracle OLAP
Oracle Data Mining
Oracle Data Quality and Profiling
Oracle Data Watch and Repair Connector
Oracle Spatial
Oracle Content Database Suite
Oracle Records DB

Requires additional License:
Oracle Transparent Gateways

Confirm requirements for these products:
Database Workspace Manager
Enterprise Manager Agent
iSQL*Plus
LDAP
Oracle HTTP Server
Oracle interMedia
Oracle Internet Directory
Oracle Starter Database
Oracle Text
Oracle Wallet Manager (Requires Advanced Security when using PKI and transparent encryption)
Oracle XML Development
Sample Schema

NOTE: This list does not take into account product dependencies that when selected for de-install, remove required database software. A custom installation without selection of unnecessary components is required to ensure a clean install of only required and licensed products. The list of product dependencies may be subject to change by Oracle and is not addressed here.

Fix Text (F-23716r1_fix)
Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database SCHEMA, objects and applications that exclusively support them.

Fix Text (F-23716r1_fix)

Review the list of installed products available for the DBMS install. If any are required and licensed for operation of applications that will be accessing the DBMS, include them in the application design specification and list them in the System Security Plan. If any are not, but have been installed, uninstall them and remove any database SCHEMA, objects and applications that exclusively support them.